Troubleshooting search

So76
Explorer

I ran this search on Splunk Cloud web and got the results below. Can anyone help with how to resolve them?

 

index=_internal source=*/splunkforwarder/var/log/splunk/splunkd.log OR source=*SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log log_level=ERROR | transaction host component

 

1) 04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from "c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722)
04-26-2022 13:27:26.944 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from "c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=1031 msec
04-26-2022 13:27:27.959 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from "c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722)
04-26-2022 13:27:29.090 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from "c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722)
04-26-2022 13:27:29.715 -0700 ERROR ExecProcessor [4000 ExecProcessor] - message from "c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed: (1722)

 

2) 04-26-2022 09:38:13.402 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed
04-26-2022 09:38:43.312 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed
04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed
04-26-2022 09:39:43.118 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed
04-26-2022 09:40:12.952 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed

3) 04-26-2022 08:27:54.691 -0700 ERROR PipelineComponent [6004 CallbackRunnerThread] - Monotonic time source didn't increase; is it stuck?

1 Solution

PickleRick
SplunkTrust

Short answer is - find the cause of the failures.

Long answer is - with the first error - the Windows Event Log modular input tries to connect to your domain controller and cannot.

Why does it want to connect? Possibly because you're using

evt_resolve_ad_obj=true

Why does it fail? Because the user running the Splunk forwarder has no permission to connect. Most typically - this happens when the forwarder process is run under a local account (usually Local System) instead of a domain account.

Second one - well, that's Google for you. https://community.splunk.com/t5/Monitoring-Splunk/Has-anyone-seen-this-Error-message-Monotonic-time-...

Third one - the forwarder tried to connect to the indexer and failed. Why? You'd have to verify the connectivity and possibly check other log lines surrounding that one. Maybe some SSL issues (if you're using SSL), maybe firewall issues. Hard to tell.

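The script below is an added example, not part of PickleRick's answer and not Splunk's own tooling: it runs the checks his answer points at on the forwarder host itself, in the order of the three errors. It assumes the default install path, that the Universal Forwarder's Windows service is named SplunkForwarder, and that the domain to test comes from the USERDNSDOMAIN environment variable unless you pass one; the indexers to probe are read from the merged outputs.conf via btool rather than hard-coded. One fact worth adding to the DsBind discussion: Win32 error 1722 is RPC_S_SERVER_UNAVAILABLE, so an unreachable DC (RPC endpoint mapper on TCP 135 blocked, no DC located) produces the same message as an account without rights, which is why step 3 tests reachability alongside step 1's account check.

```powershell
# Added example: triage the three splunkd.log errors from the thread on the Windows UF host.
# Assumptions not taken from the original post: default install path, the UF service is named
# "SplunkForwarder", and the domain to test comes from USERDNSDOMAIN unless overridden.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$Domain     = $env:USERDNSDOMAIN
)
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'

# 1) DsBind failed: which account runs the forwarder? A local account (e.g. Local System)
#    is the case PickleRick describes; a domain account is what AD object resolution needs.
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
"SplunkForwarder runs as '$($svc.StartName)' (state: $($svc.State))"

# 2) Is evt_resolve_ad_obj turned on in any WinEventLog stanza? btool prints the merged
#    configuration from all apps, which is what the running forwarder actually uses.
& $splunk btool inputs list --debug |
    Select-String -CaseSensitive -Pattern 'evt_resolve_ad_obj\s*=\s*(1|true)' |
    ForEach-Object { "AD object resolution enabled here: $($_.Line)" }

# 3) Can this host locate a DC and reach its RPC endpoint mapper? Win32 error 1722 is
#    RPC_S_SERVER_UNAVAILABLE, so a blocked or unreachable DC yields the same DsBind
#    message as a permissions problem, and the two need to be told apart.
$nl = & nltest /dsgetdc:$Domain 2>&1
$nl
$m = $nl | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
if ($m) {
    $dc = $m.Matches[0].Groups[1].Value
    Test-NetConnection -ComputerName $dc -Port 135 |
        Select-Object ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded
}

# 4) TcpOutputFd "Connection to host=...:9997 failed": test every indexer listed in the
#    merged outputs.conf rather than only the one that happened to appear in the log.
#    Entries are expected in host:port form (hostname or IPv4), as in the thread.
& $splunk btool outputs list --debug |
    Select-String -CaseSensitive -Pattern '\bserver\s*=\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value -split ',' } |
    ForEach-Object {
        $parts = $_.Trim() -split ':'
        # Assumption: fall back to 9997, the port seen in the thread, if an entry omits one.
        $port  = if ($parts.Count -gt 1) { [int]$parts[1] } else { 9997 }
        Test-NetConnection -ComputerName $parts[0] -Port $port |
            Select-Object ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded
    }
```

Run it from an elevated PowerShell on the forwarder. If step 1 reports Local System and step 2 finds the setting, the two remediations are the ones the answer implies: run the service as a domain account that can read the directory, or set evt_resolve_ad_obj = 0 in that stanza and accept raw SIDs in the events. If step 3 cannot locate a DC or TCP 135 fails, fix the name resolution or firewall path first, since no account change will clear a 1722. A TcpTestSucceeded of False in step 4 points at the network or the indexer's receiving port; True with the TcpOutputFd error still present is the cue to look at the SSL settings the answer mentions.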

So76
Explorer

How do I resolve these issues below?

 

"c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" WinEventCommonChannel - EvtDC::connectToDC: DsBind failed

ERROR PipelineComponent [6004 CallbackRunnerThread] - Monotonic time source didn't increase; is it stuck?

04-26-2022 09:39:13.173 -0700 ERROR TcpOutputFd [5228 TcpOutEloop] - Connection to host=1*******0.146:9997 failed

 

Thanks



bowesmana
SplunkTrust
SplunkTrust

What needs to be resolved?

 
