Known issues

This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.

Universal forwarder issues

Date filed	Issue number	Description
2023-07-04	SPL-241733, SPL-252591	Splunk-winevtlog.exe is exhausting all the memory on Domain Controller
2023-02-22	SPL-236429	Universal forwarder download for PPCLE kernel 3.0+ is unavailable for version 9.0.2, 9.0.3, 9.0.4
2022-10-25	SPL-232028, SPL-236165, SPL-236166	Windows Defender logs stop being forwarded but other Winevent logs continue to forward until UF is restarted Workaround: Restart the UF
2022-08-17	SPL-228646, SPL-228645	Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-06-23	SPL-226019	Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
2022-06-06	SPL-225379	Ownership of files mentioned in manifest file is splunk:splunk instead of root:root after enabling boot start as root user for initd Workaround: When changing UF user, manually chown SPLUNK_HOME to the new user, including first time install/upgrade, or manually enable boot-start.
2022-05-16	SPL-224264, SPL-224265	Splunk UF not starting on Debian 11 (x86_64 and arm64)
2020-11-09	SPL-197140, SPL-234386	UF failed to start on Solaris 11.3 with error: "symbol in6addr_any: referenced symbol not found" Workaround: 1. Do not upgrade past Splunk 8.0.5 on Solaris 11.3 OR 2. Upgrade to Solaris 11.4