None of the lookups associated with the Splunk App for Windows Infrastructure are being populated with data. I confirmed the jobs are running and do return data. The issue is surrounding the key value and the output lookup. The search.log file is reporting the following:
11-05-2015 12:35:33.974 WARN RetryManager - Peer: not found in offset map.
11-05-2015 12:35:34.662 INFO SearchParser - PARSING: outputlookup windows_event_system append=true
11-05-2015 12:40:40.275 ERROR KVStorageProvider - An error occurred during the last operation ('saveBatchData', domain: '2', code: '4'): Failed to read 4 bytes from socket within 300000 milliseconds.
11-05-2015 12:40:40.331 ERROR KVStoreLookup - KV Store output failed with code -1 and message ''
11-05-2015 12:40:40.331 ERROR SearchResults - An error occurred while saving to the KV Store. Look at search.log for more information.
11-05-2015 12:40:40.331 ERROR outputcsv - sid:1446752129.45933_A7755212-4D40-46D1-8736-3366BD60ADF9 Could not append to collection 'windows_event_system_collection': An error occurred while saving to the KV Store. Look at search.log for more information..