Splunk® Universal Forwarder

Forwarder Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Forwarder. Click here for the latest version.
Acrobat logo Download topic as PDF

Known issues

This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.

Universal forwarder issues

Date filed Issue number Description
2021-04-23 SPL-204658 Centos/RedHat 8 - Splunk cannot be started with default systemd config (enable boot-start -systemd-managed 1) with systemctl: Job for Splunkd/SplunkForwarder.service failed because the control process exited with error code

Centos/Redhat 8 - update the ExecStartPost cgroup paths in the Splunkd/SplunkForwarder.service file, to point to the proper cgroup location.

Change to:




Example ExecStartPost settings in [service] stanza, after applying the change:

ExecStartPost=/bin/bash -c "chown -R 2024:2024 /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R 2024:2024 /sys/fs/cgroup/memory/system.slice/%n"
2019-05-28 SPL-171178, SPL-167307, SPL-202078 Indexer Acknowledgement causes metric index events that do not have "_raw" fields to be duplicated

Indexer acknowledgement is a feature that helps prevent loss of data when forwarders send data to an indexer. Indexer acknowledgement is controlled by the Boolean useACK setting in inputs.conf and outputs.conf.

Indexer acknowledgement uses the _raw field to track completeness of delivery for each event. In some cases, when an event does not contain a valid _raw field, Splunk servers fail to determine whether the event is completely delivered and do not return acknowledgement for it, even when the event is processed successfully. As a result, the forwarder sends the same event again, leading to duplication of indexed data. This can affect metric indexes, where events with the JSON source type will not have _raw fields.

When this issue occurs, the workaround is to set useACK=false to disable indexer acknowledgement. You may want to set up multiple forwarding/HEC channels or ports with two useACK settings, to meet the needs of both kinds of source events: those that contain the _raw field and those that do not.

2018-04-10 SPL-153251 Universal Forwarder txz package cannot be installed on FreeBSD 11.1

1. Use pkg install instead of pkg add

OR 2. Install package by untarring tgz file to /opt/splunkforwarder

2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day

In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Create a server class, where you can see the client name, and use that group when you add data.
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.

To work around this issue, create a splunk user on your system before attempting to run the installer.
Last modified on 07 September, 2021
Troubleshoot the universal forwarder with Splunk Enterprise
Fixed issues

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.3.9

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters