Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Known issues

This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.

Universal forwarder issues

Date filed Issue number Description
2023-07-04 SPL-241733, SPL-252591 Splunk-winevtlog.exe is exhausting all the memory on Domain Controller
2023-02-22 SPL-236429 Universal forwarder download for PPCLE kernel 3.0+ is unavailable for version 9.0.2, 9.0.3, 9.0.4
2022-10-25 SPL-232028, SPL-236165, SPL-236166 Windows Defender logs stop being forwarded but other Winevent logs continue to forward until UF is restarted

Workaround:
Restart the UF
2022-08-17 SPL-228646, SPL-228645 Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
2022-06-06 SPL-225379 Ownership of files mentioned in manifest file is splunk:splunk instead of root:root after enabling boot start as root user for initd

Workaround:
When changing UF user, manually chown SPLUNK_HOME to the new user, including first time install/upgrade, or manually enable boot-start.
2022-05-16 SPL-224264, SPL-224265 Splunk UF not starting on Debian 11 (x86_64 and arm64)
2020-11-09 SPL-197140, SPL-234386 UF failed to start on Solaris 11.3 with error: "symbol in6addr_any: referenced symbol not found"

Workaround:
1. Do not upgrade past Splunk 8.0.5 on Solaris 11.3

OR 2. Upgrade to Solaris 11.4

Last modified on 10 February, 2025
Troubleshoot the universal forwarder   Fixed issues

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.0.4

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters