Re: splunkd.log error : GetInt64Val: ldap_get_valu...

CSabhaya · ‎03-17-2014

I am constantly getting the following message from splunk forwarder splunkd.log

03-17-2014 11:38:28.245 -0700 WARN ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - SysmonMigrator::read - 'sysmon.conf' was not found, no migration is required.
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:01:17.610 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:01:17.610 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:12:15.646 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:12:15.646 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:16:33.793 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:16:33.793 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:20:46.566 -0700 INFO WatchedFile - Logfile truncated while open, original pathname file='C:\Users\rq113d\Desktop\test1\IVTRUpdateLog_2014-03-16 20-101.txt', will begin reading from start.
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:39:50.170 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap_get_values error

Is anyone having similar issue? what this error indicates. Any suggestions?

e2eadmin · ‎01-07-2015

Was there ever an answer to this? I am having the same problem. Thanks.

ccraft_splunk · ‎06-20-2016

Has there been answer found out for this? I am having the same problem?

stefan1988 · ‎02-02-2017

I'm getting the same message

davidboose · ‎02-03-2017

bump

we are too

adhoke_splunk · ‎02-03-2017

can you check inputs.conf and admon.conf to see that stanzas not configured by you are set to 'disabled=1'

This error shows up because Active Directory query is not returning required values.

ankeetashet · ‎10-09-2014

We are facing a similar issue as well. We are trying to read windows event logs from a machine which has a Splunk forwarder installed version 5.0.1. The inputs.conf file is as below:

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
index = mag_nprod
start_from = oldest

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
index = mag_nprod
start_from = oldest

The following error message is present in the Splunkd logs:

10-09-2014 15:47:22.660 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:47:22.660 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:47:19.034 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:47:18.409 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:46:51.783 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:46:27.158 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.

Any suggestions please?

season88481 · ‎02-27-2017

I got this error as well:

10-09-2014 15:46:27.158 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.

Had checked the \bin directory, the splunk-admon.exe is not missing.

Not sure what to do next though.

splunkd.log error : GetInt64Val: ldap_get_values error

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life