https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616214#M106471 <P>The UF service failed to start after a reboot on a Windows Server.&nbsp;&nbsp; I've addressed that issue, but there are logs that were generated during the downtime that are not being forwarded.&nbsp; Is there any way to force the entries up?</P> Thu, 06 Oct 2022 18:15:32 GMT JayX 2022-10-06T18:15:32Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616214#M106471 <P>The UF service failed to start after a reboot on a Windows Server.&nbsp;&nbsp; I've addressed that issue, but there are logs that were generated during the downtime that are not being forwarded.&nbsp; Is there any way to force the entries up?</P> Thu, 06 Oct 2022 18:15:32 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616214#M106471 JayX 2022-10-06T18:15:32Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616218#M106472 <P>The UF is supposed to pick up where it left off when monitoring files or the Windows event log.&nbsp; If files were rotated while the UF was down then it's possible the forwarder no longer sees the file.&nbsp; In that case, you may have to perform a one-shot upload of that file.</P> Thu, 06 Oct 2022 19:03:50 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616218#M106472 richgalloway 2022-10-06T19:03:50Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616228#M106475 <P>That was what I'd assumed would happen, but the forwarder did not pick up any of the events that were logged into the DNS debug log while the forwarder was down.&nbsp; There are events all the way back to last week in that log, but only the events that have been added since the forwarder was brought back up are being forwarded.</P><P>&nbsp;</P><P>How do I perform a one-shot?</P> Thu, 06 Oct 2022 20:46:24 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616228#M106475 JayX 2022-10-06T20:46:24Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616352#M106489 <P>A one-shot upload is for ingesting a file that was skipped entirely and is not suitable for files that were only partially ingested.&nbsp; You could use it anyway, but you'll end up with duplicate data.</P><P>To do a one-shot upload, run <FONT face="courier new,courier">splunk add oneshot -source &lt;&lt;filename&gt;&gt; -index foo -sourcetype bar</FONT>.&nbsp; Run <FONT face="courier new,courier">splunk help add oneshot</FONT> for details.</P> Fri, 07 Oct 2022 17:00:12 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616352#M106489 richgalloway 2022-10-07T17:00:12Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616362#M106494 <P>Thank you--I may manually extract the gap information and one-shot it from a separate file.</P><P><BR />I have also discovered that the forwarder did not fail to start with Windows; it seems to have crashed a couple of days later, so I'm guessing the issue is that the data was still being read by some process on the system, but not being forwarded.</P> Fri, 07 Oct 2022 18:15:24 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-failed-to-start-how-do-I-get-it-to-ingest/m-p/616362#M106494 JayX 2022-10-07T18:15:24Z