Known issues
This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.
Universal forwarder issues
| Date filed | Issue number | Description |
|---|---|---|
| 2023-03-23 | SPL-237740, SPL-226003 | When forwarding from an 9.0 instance with useAck enabled, ingestion stops after some time with errors: "Invalid ACK received from indexer=" Workaround: As a workaround, disable useAck in outputs.conf on the forwarder. After disabling, indexers start to ingest data. If you need useACK to prevent data loss, disabling autoBatch in outputs.conf can remediate the issue too, but it impacts throughput - no worse than 8.x, but no improvement for 9.0. |
| 2023-02-22 | SPL-236429 | Universal forwarder download for PPCLE kernel 3.0+ is unavailable for version 9.0.2, 9.0.3, 9.0.4 |
| 2022-11-03 | SPL-232467 | SSL UF v9.x SSL Cert Auto-populates into Windows Certificate Store Workaround: Make the following changes in server.conf: Before upgrading: Save the original setting of [sslConfig] / serverCert if it's set, and then set the following: [sslConfig] serverCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\new_default.pem [kvstore] disabled = 1 The file `C:\Program Files\SplunkUniversalForwarder\etc\auth\new_default.pem` must not exist before the upgrade. After upgrading:
Set serverCert back to the original value and restart the universal forwarder. If it was not set before applying the workaround, it can be left unchanged as the universal forwarder will use the newly generated PEM file. |
| 2022-10-27 | SPL-232147 | Debian package failed to start on armv8 agent `re-pkg-arm64` Workaround: Make the following changes to /etc/systemd/system/SplunkForwarder.service - modify all ExecStartPost= with ExecStartPost=- allowing it to fail if the directory is not found. For instance change, ExecStartPost=/bin/bash to ExecStartPost=-/bin/bash |
| 2022-10-25 | SPL-232028, SPL-236165, SPL-236166 | Windows Defender logs stop being forwarded but other Winevent logs continue to forward until UF is restarted Workaround: Restart the UF |
| 2022-10-20 | SPL-231793 | Crashing in TcpOutEloop thread with assertion_failure="_refCount > 0" Workaround: autoBatch=false |
| 2022-08-17 | SPL-228646, SPL-228645 | Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid |
| 2022-07-30 | SPL-227653, SPL-231927 | UF throws erroneous WARN for KVSTORE SSL misconfiguration on startup - server.conf//sslVerifyServerCert or "Starting migrate-kvstore." Workaround: It's safe to ignore the warning or you can disable the kvstore explicitly with server.conf: [kvstore] disabled = true |
| 2022-06-23 | SPL-226019 | Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality. |
| 2022-06-06 | SPL-225379 | Ownership of files mentioned in manifest file is splunk:splunk instead of root:root after enabling boot start as root user for initd Workaround: When changing UF user, manually chown SPLUNK_HOME to the new user, including first time install/upgrade, or manually enable boot-start. |
| 2022-05-16 | SPL-224264, SPL-224265 | Splunk UF not starting on Debian 11 (x86_64 and arm64) |
| 2020-11-09 | SPL-197140, SPL-234386 | UF failed to start on Solaris 11.3 with error: "symbol in6addr_any: referenced symbol not found" Workaround: 1. Do not upgrade past Splunk 8.0.5 on Solaris 11.3 OR
2. Upgrade to Solaris 11.4 |
| Troubleshoot the universal forwarder | Fixed issues |
This documentation applies to the following versions of Splunk® Universal Forwarder: 9.0.2
Download manual
Feedback submitted, thanks!