Splunk® Universal Forwarder

Splunk Remote Upgrader for Linux Universal Forwarders

Troubleshooting

Verify your Remote Upgrader for Linux Universal Forwarders installation

  1. Log into the Linux instance where the universal forwarder is running and run the following command to check the Remote Upgrader for Linux Universal Forwarders daemon status:
    sudo systemctl status splunk-upgrader
  2. Check the unit file contents:
    sudo cat /etc/systemd/system/splunk-upgrader.service
  3. Run the following command to read the PID file of the Remote Upgrader for Linux Universal Forwarders daemon:
    sudo cat "$SPLUNK_HOME/var/run/splunk/splunkuprader/pid"
  4. This file contains the PID of the Remote Upgrader for Linux Universal Forwarders daemon. Run the following command with that PID to check whether the process is still running:
    sudo ps -p <pid> -o pid=
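
Steps 3 and 4 combined into one check, added here as an example and not taken from Splunk's documentation or tooling. The hypothetical helper upgrader_pid_state takes the PID file path from step 3 and reports whether the file is missing, malformed, stale (the recorded process has exited), or points at a running process. It assumes a Linux host with /proc or a procps-style ps.

```sh
#!/bin/sh
# Added example: classify the upgrader daemon's PID file (steps 3 and 4).
# upgrader_pid_state and pid_alive are hypothetical helper names,
# not part of the Remote Upgrader package.

# Return 0 if a process with the given numeric PID currently exists.
pid_alive() {
    # /proc/<pid> exists for every live process on Linux; otherwise fall
    # back to the same ps check as step 4 (prints the PID only if running).
    [ -d "/proc/$1" ] || [ -n "$(ps -p "$1" -o pid= 2>/dev/null)" ]
}

# Print one of: missing, invalid, stale, running.
# Exit status is 0 only for "running", so the result can drive a monitor.
upgrader_pid_state() {
    pidfile=$1
    if [ ! -r "$pidfile" ]; then
        echo missing
        return 1
    fi
    # Take the first line only and strip whitespace and line endings.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        '' | *[!0-9]*)
            # Empty or non-numeric content: never pass it on to ps.
            echo invalid
            return 1
            ;;
    esac
    if pid_alive "$pid"; then
        echo running
        return 0
    fi
    # The file survived but the process did not: the daemon exited
    # without cleaning up, or the file was left over from an old run.
    echo stale
    return 1
}

# Usage (as root, with the PID file path shown in step 3):
#   upgrader_pid_state "<path to pid file>"
```

A stale or invalid result means the PID file alone cannot be trusted as evidence that the daemon is up; confirm with the systemctl status check from step 1.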

Stop the Remote Upgrader for Linux Universal Forwarders service

Run this systemd command to stop the service permanently. Note that this command cannot be issued from the deployment server. You must log into the Linux instance and run it as root or with sudo.

    sudo systemctl stop splunk-upgrader

Manage Signature validation failure

To mitigate signature validation failure, try the following:

  • Make sure the package is downloaded from the Splunk official website.
  • Check the upgrade logs for details about the signature validation errors.
  • Opt out of signature validation by updating VALIDATE_PKG_SIGNATURE_RPM, VALIDATE_PKG_SIGNATURE_DEB, or VALIDATE_PKG_SIGNATURE_TGZ in bin/constants.sh.

Review report upgrade details

By default, the Remote Upgrader for Linux Universal Forwarders forwards all the upgrade logs to the indexer when the universal forwarder starts. The logs are then available for search.

Issues with reinstalling the universal forwarder manually after the Remote Upgrader for Linux Universal Forwarders is installed

During the Remote Upgrader for Linux Universal Forwarders installation, two important configurations are discovered and written to the local_config file:

    SPLUNK_HOME=/opt/splunkforwarder

If you reinstall the universal forwarder and change these settings in the process, or install using another package type, you may have to manually update this file with the latest values in order to notify the Remote Upgrader for Linux Universal Forwarders of the change.


Requirement: Installation user (the user that installs the Remote Upgrader for Linux Universal Forwarders): must be root or sudo
  • Description: You must have root access to configure the daemon, user, and sudo permissions.
  • Configurable?: No
  • Failure presents as: Errors out during installation

Requirement: Free disk space: > 1 GB
  • Description: This is the minimum free disk space needed for new universal forwarder packages, as well as backups of SPLUNK_HOME and internal logs.
  • Configurable?: No
  • Failure presents as: Fails to start the Remote Upgrader for Linux Universal Forwarders daemon after installation

Requirement: sudo or sudoers.d: the sudo command must exist, and the /etc/sudoers.d directory must exist
  • Description: A universal forwarder upgrade requires root or sudo. If sudo is available, the Remote Upgrader for Linux Universal Forwarders installer is able to grant required permissions for the Remote Upgrader for Linux Universal Forwarders daemon. Otherwise the Remote Upgrader for Linux Universal Forwarders requires root access with global highest permissions.
  • Configurable?: No
  • Failure presents as: Without sudo, the installation must be launched as root, and the Remote Upgrader for Linux Universal Forwarders daemon must run as root, otherwise the installation will fail.

Last modified on 24 January, 2025

This documentation applies to the following versions of Splunk® Universal Forwarder: 1.0.0, 8.2.11, 8.2.12, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0

