Known issues
This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.
Universal forwarder issues
Date filed | Issue number | Description |
---|---|---|
2020-09-29 | SPL-195635, SPL-202178, SPL-206477, SPL-202163, SPL-206534 | Splunkd increased memory usage over time when monitoring UDP port(s) with in inputs.conf |
2020-03-27 | SPL-185540, SPL-183953 | Batch Stanza deleting file upon restart/read completion |
2019-06-25 | SPL-172452, SPL-177658, SPL-185313 | Endpoint /services/data/outputs/tcp/group/{name} missing important parameters |
2019-05-28 | SPL-171178, SPL-167307, SPL-202078 | Indexer Acknowledgement causes metric index events that do not have "_raw" fields to be duplicated Workaround: Indexer acknowledgement is a feature that helps prevent loss of data when forwarders send data to an indexer. Indexer acknowledgement is controlled by the Boolean useACK setting in inputs.conf and outputs.conf .
Indexer acknowledgement uses the When this issue occurs, the workaround is to set |
2019-01-28 | SPL-165635, SPL-191773, SPL-189789 | splunk not reading file after log rotation |
2018-04-10 | SPL-153251 | Universal Forwarder txz package cannot be installed on FreeBSD 11.1 Workaround: 1. Use pkg install instead of pkg add OR
2. Install package by untarring tgz file to /opt/splunkforwarder |
2017-05-23 | SPL-141961 | Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port. Workaround: This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions:
Upgrade your older instances to the latest maintenance releases or on your 6.6.x Splunk instances. Add the following stanza to server.conf: [sslConfig]
|
2017-03-20 | SPL-139019 | Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites Workaround: Users can do either of the following: 1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX: [sslConfig] 2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully. 3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc..). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites. |
2017-03-14 | SPL-138731 | New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled Workaround: Users can do any of the following: 1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security. 2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk 3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/ |
2015-06-10 | SPL-103010 | Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets. |
2015-04-14 | SPL-99687, SPL-129637 | Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0. |
2015-04-07 | SPL-99316 | Universal Forwarders stop sending data repeatedly throughout the day Workaround: In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value. |
2015-03-25 | SPL-98594 | Routing events to two different groups not working as expected. Workaround: 1 On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups. 2 Setup a proxy UF which takes input from the original UF and send input out syslog server.
This solution only requires config change and no patch release is required. |
2014-08-05 | SPL-88396 | After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI Workaround: Create a server class, where you can see the client name, and use that group when you add data. |
Troubleshoot the universal forwarder with Splunk Enterprise | Fixed issues |
This documentation applies to the following versions of Splunk® Universal Forwarder: 8.0.1, 8.0.2, 8.0.3
Feedback submitted, thanks!