This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.
Universal forwarder issues
|Date filed||Issue number||Description|
|2022-11-18||SPL-233100||Splunk UF and Enterprise installations (including upgrades) may fail if the Windows Command Processor (cmd.exe) has an AutoRun script configured|
If you have enabled Windows AutoRun, Splunk installation might fail when the AutoRun script fails. As a workaround, you can use
|2021-11-15||SPL-215146, SPL-213415||Splunk forwarder consuming excessive memory when output group is unavailable|
CVS added time_before_close = 300 for any inputs that were sending to Splunk and third party. This is only temporary until Splunk can release a fix for the bug in a future version of the UF.
|2021-09-24||SPL-212687, SPL-220769, SPL-221322||'MS Defender' Windows Event Logs stop sending several times a day. System logs still send|
|2021-09-09||SPL-211911, SPL-210684||AIX UF not able to ingest json files after upgrade to 8.2.x|
|2020-11-09||SPL-197140, SPL-234386||UF failed to start on Solaris 11.3 with error: "symbol in6addr_any: referenced symbol not found"|
1. Do not upgrade past Splunk 8.0.5 on Solaris 11.3
2. Upgrade to Solaris 11.4
|2019-05-28||SPL-171178, SPL-167307, SPL-202078||Indexer Acknowledgement causes metric index events that do not have "_raw" fields to be duplicated|
Indexer acknowledgement is a feature that helps prevent loss of data when forwarders send data to an indexer. Indexer acknowledgement is controlled by the Boolean
Indexer acknowledgement uses the
When this issue occurs, the workaround is to set
|2018-04-10||SPL-153251||Universal Forwarder txz package cannot be installed on FreeBSD 11.1|
1. Use pkg install instead of pkg add
2. Install package by untarring tgz file to /opt/splunkforwarder
|2015-04-14||SPL-99687, SPL-129637||Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.|
To mitigate this, set evt_resolve_ad_obj = 0 in the [WinEventLog://Security] stanza in inputs.conf.
|2015-04-07||SPL-99316||Universal Forwarders stop sending data repeatedly throughout the day|
In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
|2014-08-05||SPL-88396||After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI|
Create a server class, where you can see the client name, and use that group when you add data.
This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.2