Splunk® Universal Forwarder

Forwarder Manual

Download manual as PDF

This documentation does not apply to the most recent version of Forwarder. Click here for the latest version.
Download topic as PDF

Known issues

This topic lists known issues that are specific to the universal forwarder.

Date filed Issue number Description
2019-11-25 SPL-171961 Unpatched universal forwarders that process structured data, process data locally, or encounter unknown file types with a monitor input experience problems with timestamp extraction beginning on January 1, 2020. See Timestamp recognition of dates with two-digit years fails beginning January 1, 2020 for information and solutions.
2018-04-10 SPL-153251 Universal Forwarder txz package cannot be installed on FreeBSD 11.1

Workaround:
1. Use pkg install instead of pkg add

OR 2. Install package by untarring tgz file to /opt/splunkforwarder

2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day

Workaround:
In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
Last modified on 04 December, 2019
PREVIOUS
Troubleshoot the universal forwarder with Splunk Enterprise
  NEXT
Fixed issues

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters