
Message = Splunk could not get the description for this event.

Jack_Davenport
Explorer

Hello. I'm searching for events from two different sources: WinEventLog:ForwardedEvents and WinEventLog:Application.

The events found in the ForwardedEvents log contain the following:

Message = Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error: The locale specific resource for the desired message is not present.

I've checked out some similar questions regarding this message. In each case it seems the problem is with a particular version of the universal forwarder. I'm not using any forwarders, so that can't be the cause.

I checked Event Viewer and the events in both logs are formatted identically. I've also ensured everything I need is installed correctly.

Any ideas as to why Splunk only displays WinEventLog:Application events correctly, while events in WinEventLog:ForwardedEvents display that message?


tnesavich_splun
Splunk Employee

I just ran into the same issue on events I was trying to process from exported EVTX files, because I did not have the component (StorSimple) installed on my machine. This technique should work for any EVTX export where you do not have the component installed but need to get the EVTX data into Splunk and want to capture all the details of the events. After following this recipe I was able to see all the details of the events in Splunk.

My recipe was as follows:

Create a list of the EVTX files to convert. On a Linux or Mac machine run the following:

find /<path> -type f > filestoconvert.txt
EXAMPLE
find /Temp/evtx -type f > /Temp/filestoconvert.txt

Clean out the junk entries produced by the find command (e.g. .DS_Store files) with a regex find/replace in Sublime or an equivalent text editor:

^.*/\.DS_Store$
EXAMPLE
Find "^.*/\.DS_Store$" (without the quotes) and replace with nothing

Using the same find/replace technique, change the path format to correspond to where you will copy the files on the Windows host,
e.g. C:\Temp\evtx\

Create the list of commands for the script in Excel using the concatenation function. ... Sample command:

wevtutil qe /lf <fullpath.evtx> > <fullpath.xml>
EXAMPLE
wevtutil qe /lf C:\Temp\evtx\etw\iSCSITarget.evtx > C:\Temp\evtx\etw\iSCSITarget.xml

Loop through the commands iteratively by wrapping them in the PowerShell script below:

foreach ($command in Get-Content C:\Temp\Convert.txt) {
    Invoke-Expression $command
}

Run the script on a Windows 2008+ machine to export the EVTX files to XML and expose all the data in the logs.

Ingest the XML into Splunk with a stanza similar to the one below in the props.conf of whatever app you want this to live in ... The things to note here are BREAK_ONLY_BEFORE, TIME_PREFIX, KV_MODE, CHARSET and MAX_EVENTS (assuming you have a lot of events):

[StorSimple_XML]
BREAK_ONLY_BEFORE = </Event>
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
TIME_PREFIX = <TimeCreated SystemTime='
category = Custom
pulldown_type = true
KV_MODE = xml
CHARSET = UTF-16LE
TRUNCATE = 0
MAX_EVENTS = 100000000

Again, this approach allowed me to ingest all the data from the EVTX files, as seen in the Event Viewer UI when looking at the event details in XML view. Had a forwarder been installed on the source system in the first place and configured to send these logs, this would not have been necessary, but I wanted to share this because sometimes you have to look at EVTX logs in hindsight, before a forwarder is installed.

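As an added example (not part of the original post or of Splunk's own code), here is a small Python parser for the kind of file the recipe above produces, with a constructed two-event sample standing in for a real export; the provider name, GUID, host name and data values in the sample are made up. It mirrors the choices in the props.conf stanza: it decodes the UTF-16LE-with-BOM bytes that Windows PowerShell's `>` redirection writes (the reason for CHARSET = UTF-16LE), breaks the file at each `<Event>` start tag because `wevtutil qe` writes one event per line with no enclosing root element, and pulls the timestamp from the same `TimeCreated SystemTime` attribute that TIME_PREFIX targets. It also makes visible what the export does not contain: `/f:xml` (wevtutil's default output format) carries the raw System and EventData payload but no rendered Message, which is the part that needs the provider's message resources.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Value that follows the stanza's TIME_PREFIX (<TimeCreated SystemTime=').
# Windows writes 7 fractional digits; Python datetimes carry 6, so we truncate.
_SYSTEM_TIME = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")

# Constructed sample: two events shaped like `wevtutil qe <file.evtx> /lf:true`
# output (one <Event> per line, single-quoted attributes, no root element).
# Names, GUID and values are invented for illustration.
_SAMPLE_TEXT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Example-Provider' Guid='{11111111-2222-3333-4444-555555555555}'/>"
    "<EventID>100</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode>"
    "<Keywords>0x8000000000000000</Keywords>"
    "<TimeCreated SystemTime='2013-05-01T12:00:00.123456700Z'/><EventRecordID>1</EventRecordID>"
    "<Correlation/><Execution ProcessID='4' ThreadID='8'/><Channel>ForwardedEvents</Channel>"
    "<Computer>host1.example.local</Computer><Security/></System>"
    "<EventData><Data Name='TargetName'>iqn.example:target1</Data><Data Name='Status'>0</Data>"
    "</EventData></Event>\r\n"
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Example-Provider' Guid='{11111111-2222-3333-4444-555555555555}'/>"
    "<EventID>101</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode>"
    "<Keywords>0x8000000000000000</Keywords>"
    "<TimeCreated SystemTime='2013-05-01T12:00:05Z'/><EventRecordID>2</EventRecordID>"
    "<Correlation/><Execution ProcessID='4' ThreadID='8'/><Channel>ForwardedEvents</Channel>"
    "<Computer>host1.example.local</Computer><Security UserID='S-1-5-18'/></System>"
    "<EventData><Data>unnamed payload</Data></EventData></Event>\r\n"
)
# Windows PowerShell 5.x '>' redirection writes UTF-16LE with a BOM, as here.
SAMPLE_EXPORT = b"\xff\xfe" + _SAMPLE_TEXT.encode("utf-16-le")


def decode_export(raw: bytes) -> str:
    """Decode a redirected export: UTF-16LE BOM (Windows PowerShell), UTF-8 BOM, or plain UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8")
    return raw.decode("utf-8")


def split_events(text: str) -> list[str]:
    """The file is not one XML document (no root element), so break it at every
    <Event ...> start tag, the job BREAK_ONLY_BEFORE does in Splunk.
    \\b keeps <EventID>, <EventData> and <EventRecordID> from matching."""
    return [chunk.strip() for chunk in re.split(r"(?=<Event\b)", text) if chunk.strip()]


def parse_system_time(value: str) -> datetime:
    m = _SYSTEM_TIME.fullmatch(value)
    if m is None:
        raise ValueError(f"unexpected SystemTime format: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_event(xml_text: str) -> dict:
    """Flatten one event into the fields KV_MODE = xml would expose: every <System>
    child (attributes become Tag_Attr keys) plus every <EventData><Data Name=...>.
    Note there is no Message key: /f:xml output carries no rendered text."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find(EVT_NS + "System"):
        name = child.tag.replace(EVT_NS, "")
        for attr, val in child.attrib.items():
            fields[f"{name}_{attr}"] = val
        if child.text and child.text.strip():
            fields[name] = child.text.strip()
    fields["_time"] = parse_system_time(fields["TimeCreated_SystemTime"])
    data = root.find(EVT_NS + "EventData")
    if data is not None:
        for i, d in enumerate(data.findall(EVT_NS + "Data")):
            fields[d.get("Name") or f"Data{i}"] = (d.text or "").strip()
    return fields


def parse_export(raw: bytes) -> list[dict]:
    """Decode, break and flatten a whole export file."""
    return [parse_event(e) for e in split_events(decode_export(raw))]


if __name__ == "__main__":
    for ev in parse_export(SAMPLE_EXPORT):
        print(ev["_time"].isoformat(), ev["Computer"], ev["EventID"],
              {k: v for k, v in ev.items() if k not in ("_time", "Computer", "EventID")})
```

Point `parse_export` at the bytes of a real `.xml` produced by the recipe to see exactly which fields Splunk will have to work with for a given provider; if `decode_export` hits a UnicodeDecodeError, the file was written by a shell with a different default encoding (PowerShell 7 writes UTF-8 without a BOM, for example) and the CHARSET in the stanza needs to change to match.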

sjfairey
Engager

Hi,

In case it helps anyone else, I had a similar problem with the ForwardedEvents log. My setup is a 2008 R2 server set up as an Event Log collector using a source-initiated subscription. Servers on my test domain were configured via Group Policy to use the collector. They then download the settings that determine which of their events to send to the collector. The Universal Forwarder is installed on the collector for onward forwarding to Splunk. I had two problems, with the following solutions.

  1. Events were not rendering correctly within the Forwarded Events event log on the collector server. This is apparently a known bug on 2008 R2, and changing the server's regional settings to English (United States) fixed that issue.

  2. Once the first issue was resolved, events sent to Splunk were showing the message listed by the original poster. The resolution to this was to alter the format of events for the Event Subscription on the collector. This needs to be done from the command line rather than the Event Viewer. "wecutil ss <SUBSCRIPTION NAME> /cf:events". The default is RenderedText. When I switched the format to Events, messages started displaying in Splunk correctly (I did have to reboot the source server first to force it to check for an updated subscription policy). I have read this can place additional load on the source if there are a lot of events, so be warned.

It's still early days for my testing, so I can't promise no other problems further down the road, but the above has fixed my immediate ones.

Simon

kristian_kolb
Ultra Champion

This probably has to do with a bug (SPL-51312), which I think only existed in 4.3.2. It was fixed in 4.3.3.

OR you are importing the .evt files from a Windows box to a machine that does not have the ability to look up the symbols in the .evt file.

Could that be it?

/kristian

kristian_kolb
Ultra Champion

Is this from a Windows Splunk installation, reading local event logs through the API? (You either set it up during the installation wizard, or you've edited your inputs.conf to look like this:)

[WinEventLog:ForwardedEvents]
index=blah
disabled=0

In that case you should probably file a support case. I'm not good enough at windows to troubleshoot that. Though I have not used the ForwardedEvents log source, so I don't know if there are any particular things to know about.


Jack_Davenport
Explorer

Hi Kristian. Thanks for answering 🙂

It can't be SPL-51312 as I'm using Splunk 5.

Also, my machine can read the evt file in Event Viewer so I don't think that is the problem either :S
