Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Troubleshooting search

So76
Explorer
‎04-26-2022 03:54 PM

I ran this search on splunk cloud web and I got the results below. Can anyone help on how to resolve

 

index=_internal source=*/splunkforwarder/var/log/splunk/splunkd.log OR source=*SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log log_level=ERROR | transaction host component

 

1) 04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=1031 msec 04-26-2022 13:27:27.959 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:29.090 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722) 04-26-2022 13:27:29.715 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722)

 

2) 04-26-2022 09:38:13.402 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:38:43.312 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:43.118 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed 04-26-2022 09:40:12.952 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed

3) 04-26-2022 08:27:54.691 -0700 ERROR PipelineComponent [6004 CallbackRunnerThread] - Monotonic time source didn't increase; is it stuck?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 06:21 AM

Short answer is - find the cause of the failures.

Long answer is - with the first error - the Windows Event Log modular input tries to connect to your domain controller and cannot.

Why it wants to connect? Possibly because you're using

evt_resolve_ad_obj=true

Why it fails? Because the user running the splunk forwarder has no permissions to connect. Most typically - this happens when the forwarder process is run with local account (usually Local System) instead of a domain account.

Second one - well, that's google for you. https://community.splunk.com/t5/Monitoring-Splunk/Has-anyone-seen-this-Error-message-Monotonic-time-...

Third one - the forwarder tried to connect to indexer and failed. Why? You'd have to verify the connectivity and possibly check other log lines surrounding that one. Maybe some SSL issues (if you're using SSL), maybe firewall issues. Hard to tell.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

So76
Explorer
‎04-27-2022 05:53 AM

How do I resolve these issues below?

 

c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed

ERROR PipelineComponent [6004 CallbackRunnerThread- Monotonic time source didn't increaseis it stuck?

Connection to host=1*******0.146:9997 failed 04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] 

 

Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 06:21 AM

Short answer is - find the cause of the failures.

Long answer is - with the first error - the Windows Event Log modular input tries to connect to your domain controller and cannot.

Why it wants to connect? Possibly because you're using

evt_resolve_ad_obj=true

Why it fails? Because the user running the splunk forwarder has no permissions to connect. Most typically - this happens when the forwarder process is run with local account (usually Local System) instead of a domain account.

Second one - well, that's google for you. https://community.splunk.com/t5/Monitoring-Splunk/Has-anyone-seen-this-Error-message-Monotonic-time-...

Third one - the forwarder tried to connect to indexer and failed. Why? You'd have to verify the connectivity and possibly check other log lines surrounding that one. Maybe some SSL issues (if you're using SSL), maybe firewall issues. Hard to tell.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-26-2022 04:47 PM

What needs to be resolved?

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...