Splunk® Universal Forwarder

Forwarder Manual

Download manual as PDF

This documentation does not apply to the most recent version of Forwarder. Click here for the latest version.
Download topic as PDF

Known issues

This topic lists known issues that are specific to the universal forwarder.

Publication date Defect number Description
2016-07-05 SPL-123781
Dropped events messages in splunkd are INFO; should be WARN.
2015-7-7 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day. To workaround, in limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2015-7-7 SPL-99796 Universal Forwarder Crashing thread: Main Thread - Access violation, cannot read at address. The workaround is to remove the migrated script input: [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
2014-10-28 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI.

Workaround: Create a server class, where you can see the client name, and use that group when you add data.

2014-10-28 SPL-92303 Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results.
2015-7-7 SPL-99687 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. To mitigate this, edit the following stanza in inputs.conf:

[WinEventLog://Security] evt_resolve_ad_obj = 0

Pre-6.2 SPL-74427 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer.
Last modified on 17 August, 2016
Troubleshoot the universal forwarder with Splunk Enterprise
Fixed issues

This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.1, 6.4.2

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters