Introspecting scheme=WinEventLog: killing process,...

thy666 · ‎11-05-2017

I met an error to start collecting WinEventLog when starting Universal Forwarder 6.6.2 on Windows Server 2008R2(x64). The streamfwd.exe worked well on the same host. Do you have same situation, and idea?

10-29-2017 19:38:05.421 +0900 ERROR ModularInputs - Unable to initialize modular input "WinEventLog" defined in the system context: Introspecting scheme=WinEventLog: script running failed (exited with code 0).
10-29-2017 19:38:05.156 +0900 ERROR ModularInputs - Introspecting scheme=WinEventLog: killing process, because executing it took too long (over 30000 msecs).

mbadhusha_splun · ‎11-27-2018

Disable all other stanzas. Leave only the affected stanza enabled.
Run the input from the command line to see if it can read events. $ splunk cmd splunkd print-modinput-config WinEventLog | splunk-WinEvtLog.exe
Remove the checkpoint file (make a copy of it first) and restart Splunk service.
Run the input again to see if it can read events.

If this is because of the checkpoint file, step 2 will not produce events. Step 4 should produce events.

On the UF, run command prompt as administrator
Navigate to $SPLUNK_HOME\bin
Run the below two commands,

$ set SPLUNK_HOME="c:\program files\SplunkUniversalForwarder"

$ splunk cmd splunkd print-modinput-config WinEventLog

You can consider upgrading the affected Splunk UF's as well.

Cheers!

Introspecting scheme=WinEventLog: killing process, because executing it took too long

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms