Getting Data In
Highlighted

splunkd.log error : GetInt64Val: ldap_get_values error

Engager

I am constantly getting the following message from splunk forwarder splunkd.log

03-17-2014 11:38:28.245 -0700 WARN ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - SysmonMigrator::read - 'sysmon.conf' was not found, no migration is required.
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 11:58:32.247 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:01:17.610 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 12:01:17.610 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:12:15.646 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 12:12:15.646 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 12:15:01.594 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:16:33.793 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 12:16:33.793 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldapgetvalues error
03-17-2014 12:18:02.373 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:20:46.566 -0700 INFO WatchedFile - Logfile truncated while open, original pathname file='C:\Users\rq113d\Desktop\test1\IVTRUpdateLog2014-03-16 20-101.txt', will begin reading from start.
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap
getvalues error
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap
getvalues error
03-17-2014 12:24:25.501 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
03-17-2014 12:39:50.170 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::GetInt64Val: ldap
get_values error

Is anyone having similar issue? what this error indicates. Any suggestions?

Highlighted

Re: splunkd.log error : GetInt64Val: ldap_get_values error

Engager

We are facing a similar issue as well. We are trying to read windows event logs from a machine which has a Splunk forwarder installed version 5.0.1. The inputs.conf file is as below:

[WinEventLog://Application]
checkpointInterval = 5
currentonly = 0
disabled = 0
index = mag
nprod
start_from = oldest

[WinEventLog://System]
checkpointInterval = 5
currentonly = 0
disabled = 0
index = mag
nprod
start_from = oldest

The following error message is present in the Splunkd logs:

10-09-2014 15:47:22.660 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:47:22.660 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:47:19.034 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:47:18.409 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:46:51.783 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.
10-09-2014 15:46:27.158 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.

Any suggestions please?

Highlighted

Re: splunkd.log error : GetInt64Val: ldap_get_values error

Communicator

I got this error as well:

10-09-2014 15:46:27.158 +0100 ERROR ExecProcessor - message from "E:\tools\SplunkForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::ProcessMessage: Cannot get uSNChanged from message.

Had checked the \bin directory, the splunk-admon.exe is not missing.

Not sure what to do next though.

0 Karma
Highlighted

Re: splunkd.log error : GetInt64Val: ldap_get_values error

Explorer

Was there ever an answer to this? I am having the same problem. Thanks.

0 Karma
Highlighted

Re: splunkd.log error : GetInt64Val: ldap_get_values error

Splunk Employee
Splunk Employee

Has there been answer found out for this? I am having the same problem?

0 Karma
Highlighted

Re: splunkd.log error : GetInt64Val: ldap_get_values error

Path Finder

I'm getting the same message

0 Karma
Highlighted

Re: splunkd.log error : GetInt64Val: ldap_get_values error

Engager

bump

we are too

0 Karma
Highlighted

Re: splunkd.log error : GetInt64Val: ldap_get_values error

Splunk Employee
Splunk Employee

can you check inputs.conf and admon.conf to see that stanzas not configured by you are set to 'disabled=1'

This error shows up because Active Directory query is not returning required values.

0 Karma