Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Known issues

This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.

Universal forwarder issues

Date filed Issue number Description
2023-12-14 SPL-248479, SPL-253092 9.1.1 HF enters state of constant blocking due to broken S2S protocol

Workaround:
To fix the issue, customers will have to add queueSize on the Splunk HF/IHF instance where persistent queue is enabled, in inputs.conf under the same stanza where persistentQueueSize is set.

inputs.conf [<input stanza>] persistentQueueSize=<no change. keep existing value> queueSize=<100MB or 1% of total system memory(whichever is less)>

2023-10-17 SPL-245807, SPL-246456, SPL-246545, SPL-246546 Splunk AIX UF crashing when failed to connect to indexers
2023-09-08 SPL-244414 Crashing in TcpOutEloop thread after upgrade from 9.1.x
2022-08-17 SPL-228646, SPL-228645 Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
2022-06-06 SPL-225379 Ownership of files mentioned in manifest file is splunk:splunk instead of root:root after enabling boot start as root user for initd

Workaround:
When changing UF user, manually chown SPLUNK_HOME to the new user, including first time install/upgrade, or manually enable boot-start.
2022-03-23 SPL-221239 System Introspect App fails when universal forwarder is installed at non-admin user
2017-03-14 SPL-138731 New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled

Workaround:
Users can do any of the following:

1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security.

2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk

3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/

Last modified on 10 December, 2024
Troubleshoot the universal forwarder   Fixed issues

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters