Getting Data In

"Splunk could not get the description for this event" - SplunkUniversalForwarders, versions 4.2 thru 5.0.1

rgcox1
Communicator

I am getting a high incidence rate of "Splunk could not get the description for this event."
All forwarders are SplunkUniversalForwarders, versions 4.2 thru 5.0.1.
Yesterday I got these results from my Linux 4.3.2 indexer:

                                Servers with
Splunk Universal  Servers with  "Splunk Could   
Forwarder Ver.    WinEvents OK  not get desc"  Total
   4.2                 27           21           48
   4.2.2                4            2            6
   4.3.1                1            -            1
   4.3.2                4            8           12
   5.0.1              172           40          212
Total                 208           71          279

Since the results were so scattered among the forwarder versions, I upgraded the indexer to 5.0.2.

As the indexer is a Linux box, and I know the event descriptions are extracted from the DLL’s on the clients, I really didn’t expect to see a change. However, since the change I now have 151 servers with “could not get” — over twice what I had yesterday before upgrading the indexer. Now over 75% of my windows events contain “Splunk could not get the description for this event.”

The majority of the events are from the security logs, but there is also a significant number of events from the system and application event logs.

Descriptions are present when viewed via event viewer on servers in most cases. In a few cases applications do not put descriptions into the application log.

A spotcheck of some of the affected servers shows that msaudite.dll file and the security subkey under hklm\system\currentcontrolset\services\eventlog\security are present.

Operating systems are also a mix — 78 of the effected machines are Server 2008, the rest 2003.

Any help would be greatly appreciated.

Tags (1)
0 Karma

AaronMoorcroft
Communicator

I had this same issue, it came down to being the version of the forwarder 4.3.2

4.3.2 has a known bug and can cause this issue, to resolve this I had to upgrade all my forwarders from this version to 5.0.1

0 Karma
Get Updates on the Splunk Community!

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...