
Message = Splunk could not get the description for this event.


Hello. I'm searching for events from two different sources: WinEventLog:ForwardedEvents and WinEventLog:Application.

The events found in the ForwardedEvents log contain the following:

Message = Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error: The locale specific resource for the desired message is not present.

I've checked out some similar questions regarding this message. In each case it seems the problem is with a particular version of the universal forwarder. I'm not using any forwarders, so that can't be the cause.

I checked Event Viewer and the events in both logs are formatted identically. I've also ensured everything I need is installed correctly.

Any ideas as to why Splunk only displays WinEventLog:Application events correctly, while events in WinEventLog:ForwardedEvents display that message?


Splunk Employee

I just ran into the same issue on events I was trying to process from exported EVTX files because I did not have the component (StorSimple) installed on my machine. This technique should work for any EVTX export where you do not have the component installed but need to splunk the EVTX data and want to capture all the details of the events. After following this recipe I was able to see all the details of the events in Splunk.

My recipe was as follows:

Create a list of evtx files to convert. On a Linux or Mac machine run the following:

find /<path> -type f > filestoconvert.txt
find /Temp/evtx -type f > /Temp/filestoconvert.txt

Clean out the trash created by the find command with a regex find/replace in Sublime or an equivalent text editor:

Find "^.*/.DS_Store" (less the quotes) and replace with nothing.

Using the same find/replace technique, change the format to correspond to where you copy the files on the Windows host, i.e. C:\Temp\evtx\

Create a list of commands for the script in Excel using the concatenation function. ... Sample of command:

wevtutil qe /lf <fullpath.evtx> > <fullpath.xml>
wevtutil qe /lf C:\Temp\evtx\etw\iSCSITarget.evtx > C:\Temp\evtx\etw\iSCSITarget.xml

Loop through the commands iteratively by wrapping them in the PowerShell script below:

foreach ($command in Get-Content C:\Temp\Convert.txt) {
    Invoke-Expression $command
}

Run the script on a Windows 2008+ machine to export the evtx files to XML and expose all the data in the logs.

Ingest the XML into Splunk with a stanza similar to the one below in the props.conf of whatever app you want this to live in ... The things of note here are BREAK_ONLY_BEFORE, TIME_PREFIX, KV_MODE, CHARSET and MAX_EVENTS (assuming you have a lot of events):

TIME_PREFIX = <TimeCreated SystemTime='
category = Custom
pulldown_type = true
KV_MODE = xml
MAX_EVENTS = 100000000

Again, this approach allowed me to ingest all the data from the evtx files as seen in the UI of the event viewer when looking at the event details in XML view. Had a forwarder been installed in the first place on the source system and configured to send these logs this would not have been necessary but I wanted to share this because sometimes you have to look at EVTX logs in hindsight before a forwarder is installed.

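The recipe above does the file listing, the find/replace cleanup, the Excel concatenation and the PowerShell loop as four separate manual steps. The script below, an added example that is not code from the post above, collapses them into one PowerShell script that runs wevtutil over every .evtx under a folder and writes one UTF-8 .xml per log. The folder paths are assumptions; the wevtutil syntax is the documented /lf:true form rather than the post's bare /lf.

```powershell
# Added example (not from the original post): batch-convert exported EVTX files
# to XML for Splunk ingestion with wevtutil. Paths are assumptions.
param(
    [string]$SourceDir = 'C:\Temp\evtx',      # assumed: where the exported .evtx files were copied
    [string]$OutDir    = 'C:\Temp\evtx-xml'   # assumed: where the XML for Splunk should land
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Recurse for .evtx only, so stray files such as .DS_Store from a Mac copy are
# never handed to wevtutil (the original recipe stripped them by hand).
$files = Get-ChildItem -Path $SourceDir -Recurse -File -Filter '*.evtx'

$summary = foreach ($f in $files) {
    $xmlPath = Join-Path $OutDir ($f.BaseName + '.xml')

    # 'wevtutil qe <file> /lf:true' emits one <Event>...</Event> element per line,
    # with no root element and no rendered message text, so the provider that
    # wrote the log does not have to be installed on this machine.
    # Write through Out-File with an explicit encoding: a bare '>' in Windows
    # PowerShell produces UTF-16, which is why the props.conf stanza in the post
    # needs a CHARSET setting at all.
    & wevtutil.exe qe "$($f.FullName)" /lf:true | Out-File -FilePath $xmlPath -Encoding utf8

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil failed on $($f.FullName) (exit code $LASTEXITCODE)"
        continue
    }

    # Count exported events by the element wevtutil emits (one per line), so a
    # zero here flags an empty or unreadable log before it is shipped to Splunk.
    $count = (Select-String -Path $xmlPath -Pattern '<Event ' -SimpleMatch).Count
    [pscustomobject]@{ Log = $f.Name; Xml = $xmlPath; Events = $count }
}

$summary | Format-Table -AutoSize
```

Run it on any Windows 2008+ host as `.\Convert-Evtx.ps1 -SourceDir C:\Temp\evtx -OutDir C:\Temp\evtx-xml`, then point the props.conf stanza from the post at the output folder. Because the XML contains only the raw <System> and <EventData> sections, the event details survive even when the component that raised the event (StorSimple in the post) is absent; what you do not get is the rendered Message text, which is exactly the part Splunk could not render in the first place.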



In case it helps anyone else, I had a similar problem with the ForwardedEvents log. My setup is a 2008R2 server set up as an Event Log collector using a source-initiated subscription. Servers on my test domain were configured via Group Policy to use the collector. They then download the settings that determine which of their events to send to the collector. The Universal Forwarder is installed on the collector for onward forwarding to Splunk. I had two problems, with the following solutions.

  1. Events were not rendering correctly within the Forwarded Events event log on the collector server. This is apparently a known bug on 2008R2, and changing the server's regional settings to English (United States) fixed that issue.

  2. Once the first issue was resolved, events sent to Splunk were showing the message listed by the original poster. The resolution to this was to alter the format of events for the Event Subscription on the collector. This needs to be done from the command line rather than the Event Viewer: "wecutil ss <SUBSCRIPTION NAME> /cf:events". The default is RenderedText. When I switched the format to Events, messages started displaying in Splunk correctly (I did have to reboot the source server first to force it to check for an updated subscription policy). I have read this can place additional load on the source if there are a lot of events, so be warned.

It's still early days for my testing, so I can't promise no other problems further down the road, but the above has fixed my immediate ones.
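The post above changes one subscription by hand. The script below is an added example, not code from that post, that audits every subscription on a collector with wecutil and, when asked, applies the same ContentFormat change. It assumes that `wecutil es` prints one subscription name per line and that `wecutil gs` prints its settings as `Name: value` lines including a `ContentFormat:` line; treat both as assumptions about the tool's output layout.

```powershell
# Added example (not from the original post): list the ContentFormat of all
# Windows Event Collector subscriptions and optionally switch RenderedText
# subscriptions to Events, as the post above describes doing for one.
param(
    [switch]$Fix   # when present, switch any RenderedText subscription to Events
)

function Get-WecSubscriptionFormat {
    # Assumption: 'wecutil es' prints one subscription name per line.
    $names = & wecutil.exe es | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        $format = 'Unknown'
        # Assumption: 'wecutil gs' prints a line of the form "ContentFormat: RenderedText".
        foreach ($line in (& wecutil.exe gs $name)) {
            if ($line -match '^\s*ContentFormat\s*:\s*(\S+)') {
                $format = $Matches[1]
                break
            }
        }
        [pscustomobject]@{ Subscription = $name; ContentFormat = $format }
    }
}

$before = Get-WecSubscriptionFormat
$before | Format-Table -AutoSize

if ($Fix) {
    foreach ($s in ($before | Where-Object { $_.ContentFormat -eq 'RenderedText' })) {
        # Events = raw event XML from the source. The collector (and therefore
        # Splunk) no longer depends on the source having rendered the message
        # text. The post warns this can add load on busy sources.
        & wecutil.exe ss $s.Subscription /cf:Events
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wecutil ss failed for '$($s.Subscription)' (exit code $LASTEXITCODE)"
        }
    }
    # Sources only pick up the new settings on their next check-in with the
    # collector; the poster rebooted the source to force that.
    Get-WecSubscriptionFormat | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell on the collector. Without `-Fix` it only reports, which is the safe first step before touching a subscription that is feeding a production Splunk index.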


Ultra Champion

This probably has to do with a bug (SPL-51312) - which I think only existed in 4.3.2. It was fixed in 4.3.3

OR you are importing the .evt files from a windows box to a machine that does not have the ability to look up the symbols in the evt file.

Could that be it?


Ultra Champion

Is this from a Windows Splunk installation, reading local event logs through the API? (You either set it up during the installation wizard, or you've edited your inputs.conf to look like this.)


In that case you should probably file a support case. I'm not good enough at Windows to troubleshoot that. I have not used the ForwardedEvents log source either, so I don't know if there are any particular things to know about it.



Hi Kristian. Thanks for answering 🙂

It can’t be SPL-51312 as I’m using Splunk 5.

Also, my machine can read the evt file in Event Viewer, so I don't think that is the problem either :S
