I am getting a high incidence rate of "Splunk could not get the description for this event."
All forwarders are Splunk Universal Forwarders, versions 4.2 through 5.0.1.
Yesterday I got these results from my Linux 4.3.2 indexer:
Splunk Universal    Servers with    Servers with "Splunk Could    Total
Forwarder Ver.      WinEvents OK    not get desc"
4.2                 27              21                            48
4.2.2               4               2                             6
4.3.1               1               -                             1
4.3.2               4               8                             12
5.0.1               172             40                            212
Total               208             71                            279
Since the results were so scattered among the forwarder versions, I upgraded the indexer to 5.0.2.
As the indexer is a Linux box, and I know the event descriptions are extracted from the DLLs on the clients, I really didn't expect to see a change. However, since the change I now have 151 servers with "could not get", over twice what I had yesterday before upgrading the indexer. Now over 75% of my Windows events contain "Splunk could not get the description for this event."
The majority of the events are from the security logs, but there is also a significant number of events from the system and application event logs.
Descriptions are present when viewed via event viewer on servers in most cases. In a few cases applications do not put descriptions into the application log.
A spot check of some of the affected servers shows that the msaudite.dll file and the security subkey under hklm\system\currentcontrolset\services\eventlog\security are present.
Operating systems are also a mix: 78 of the affected machines are Server 2008, the rest 2003.
Any help would be greatly appreciated.
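The spot check described in the question (msaudite.dll present, Security subkey present) can be done systematically for every registered event source. The script below is an added example and is not from the original post or from Splunk; it walks the classic EventLog registry key, expands each EventMessageFile/ParameterMessageFile/CategoryMessageFile value and reports any DLL that does not exist on disk, then (on Server 2008 and later, where Get-WinEvent is available) samples recent events and counts those whose description the local system itself cannot render. The log list, the sample size of 200 and the output fields are my own choices.

```powershell
# Added example, not part of the original post or of Splunk.
# Checks the classic event-source registration that Windows (and any
# forwarder reading the event log) uses to turn an event ID into text.
param(
    [string[]]$LogName = @('Security', 'System', 'Application')
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Part 1: every source under each log must point at message DLLs that exist.
foreach ($log in $LogName) {
    $logKey = Join-Path $root $log
    if (-not (Test-Path $logKey)) {
        # Same condition as the manual check of the Security subkey above.
        Write-Output ("{0}: log subkey MISSING at {1}" -f $log, $logKey)
        continue
    }

    foreach ($source in Get-ChildItem $logKey) {
        $props = Get-ItemProperty -Path $source.PSPath -ErrorAction SilentlyContinue
        foreach ($valueName in 'EventMessageFile', 'ParameterMessageFile', 'CategoryMessageFile') {
            $raw = $props.$valueName
            if (-not $raw) { continue }   # value not set for this source; nothing to resolve

            # REG_EXPAND_SZ: may hold several paths separated by ';' and use %SystemRoot%.
            foreach ($path in ($raw -split ';')) {
                $expanded = [Environment]::ExpandEnvironmentVariables($path.Trim())
                if (-not (Test-Path -LiteralPath $expanded)) {
                    # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0.
                    New-Object PSObject -Property @{
                        Log    = $log
                        Source = $source.PSChildName
                        Value  = $valueName
                        Path   = $expanded
                        Status = 'MISSING'
                    }
                }
            }
        }
    }
}

# Part 2 (Server 2008 and later only; Get-WinEvent does not exist on 2003):
# sample the newest 200 events per log and group the ones Windows itself
# cannot describe by provider. If Message is empty here, the gap is in the
# local message-DLL registration, not in the forwarder.
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    foreach ($log in $LogName) {
        $unresolved = Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Message } |
            Group-Object ProviderName
        foreach ($g in $unresolved) {
            New-Object PSObject -Property @{
                Log    = $log
                Source = $g.Name
                Value  = 'Message'
                Path   = ''
                Status = ('{0} of last 200 events have no description' -f $g.Count)
            }
        }
    }
}
```

Run it in an elevated PowerShell on one "could not get" server and one healthy server and diff the output. Caveat: on Server 2008 the manifest-based providers (Microsoft-Windows-Security-Auditing among them) register their resource DLLs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers, which this script does not inspect; Part 2 still catches those because it asks Windows to render the event rather than checking the registration directly.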
I had this same issue; it came down to the version of the forwarder, 4.3.2.
4.3.2 has a known bug and can cause this issue. To resolve this I had to upgrade all my forwarders from this version to 5.0.1.