This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.
Universal forwarder issues
|Date filed|Issue number|Description|
|---|---|---|
|2020-03-27|SPL-185540, SPL-183953|Batch Stanza deleting file upon restart/read completion|
|2019-01-28|SPL-165635, SPL-191773, SPL-189789|Splunk not reading file after log rotation|
|2018-04-10|SPL-153251|Universal Forwarder txz package cannot be installed on FreeBSD 11.1. Workaround: 1. Use pkg install instead of pkg add. 2. Install package by untarring tgz file to /opt/splunkforwarder.|
|2015-04-14|SPL-99687, SPL-129637|Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0|
|2015-04-07|SPL-99316|Universal Forwarders stop sending data repeatedly throughout the day. Workaround: In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.|
|2014-08-05|SPL-88396|After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI. Workaround: Create a server class, where you can see the client name, and use that group when you add data.|
This documentation applies to the following versions of Splunk® Universal Forwarder: 8.0.1, 8.0.2, 8.0.3