Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Troubleshooting search

So76
Explorer
‎04-26-2022 03:54 PM

I ran this search on splunk cloud web and I got the results below. Can anyone help on how to resolve

 

index=_internal source=*/splunkforwarder/var/log/splunk/splunkd.log OR source=*SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log log_level=ERROR | transaction host component

 

1) 04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=1031 msec 04-26-2022 13:27:27.959 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:29.090 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:29.715 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722)

 

2) 04-26-2022 09:38:13.402 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:38:43.312 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:43.118 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:40:12.952 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed

3) 04-26-2022 08:27:54.691 -0700 ERROR PipelineComponent [6004 CallbackRunnerThread] - Monotonic time source didn't increase; is it stuck?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 06:21 AM

Short answer is - find the cause of the failures.

Long answer is - with the first error - the Windows Event Log modular input tries to connect to your domain controller and cannot.

Why it wants to connect? Possibly because you're using

evt_resolve_ad_obj=true

Why it fails? Because the user running the splunk forwarder has no permissions to connect. Most typically - this happens when the forwarder process is run with local account (usually Local System) instead of a domain account.

Second one - well, that's google for you. https://community.splunk.com/t5/Monitoring-Splunk/Has-anyone-seen-this-Error-message-Monotonic-time-...

Third one - the forwarder tried to connect to indexer and failed. Why? You'd have to verify the connectivity and possibly check other log lines surrounding that one. Maybe some SSL issues (if you're using SSL), maybe firewall issues. Hard to tell.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

So76
Explorer
‎04-27-2022 05:53 AM

How do I resolve these issues below?

 

c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed

ERROR PipelineComponent [6004 CallbackRunnerThread- Monotonic time source didn't increaseis it stuck?

Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] 

 

Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 06:21 AM

Short answer is - find the cause of the failures.

Long answer is - with the first error - the Windows Event Log modular input tries to connect to your domain controller and cannot.

Why it wants to connect? Possibly because you're using

evt_resolve_ad_obj=true

Why it fails? Because the user running the splunk forwarder has no permissions to connect. Most typically - this happens when the forwarder process is run with local account (usually Local System) instead of a domain account.

Second one - well, that's google for you. https://community.splunk.com/t5/Monitoring-Splunk/Has-anyone-seen-this-Error-message-Monotonic-time-...

Third one - the forwarder tried to connect to indexer and failed. Why? You'd have to verify the connectivity and possibly check other log lines surrounding that one. Maybe some SSL issues (if you're using SSL), maybe firewall issues. Hard to tell.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-26-2022 04:47 PM

What needs to be resolved?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...