Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Known issues

This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.

Universal forwarder issues

Date filed Issue number Description
2023-12-14 SPL-248479, SPL-253092 Forwarders enter a state of constant blocking, and Splunk Cloud indexers might fail to process events. This can result in the events being sent to a non-searchable queue, the Dead Letter Queue (DLQ), due to a Persistent Queue issue with the S2S protocol
2023-10-17 SPL-245807, SPL-246456, SPL-246545, SPL-246546 Splunk AIX UF crashing when failed to connect to indexers
2023-09-08 SPL-244414 Crashing in TcpOutEloop thread after upgrade from 9.1.x
2022-08-17 SPL-228646, SPL-228645 Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
2022-06-06 SPL-225379 Ownership of files mentioned in manifest file is splunk:splunk instead of root:root after enabling boot start as root user for initd

Workaround:
When changing UF user, manually chown SPLUNK_HOME to the new user, including first time install/upgrade, or manually enable boot-start.
2022-03-23 SPL-221239 System Introspect App fails when universal forwarder is installed at non-admin user
2017-03-14 SPL-138731 New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled

Workaround:
Users can do any of the following:

1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security.

2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk

3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/

Last modified on 27 March, 2025
Troubleshoot the universal forwarder   Fixed issues

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters