Thanks,
I looked in settings > lookups > lookup table files > and it doesn't list windows_event_descriptions.csv
I do see the lookup table "windows_event_descriptions" being referenced in Automatic lookups by
Name = "source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)... : LOOKUP-EventCodeDescription_for_windows" and used by the app splunk_app_windows_infrastructure
Since its throwing the same error for 20 individual systems I'm guessing this lookup table is missing from our universal forwarders... ???
... View more