Can you help me with the following error on my uni...

vulnfree · ‎02-06-2019

I am receiving the following errors from my universal forwarder: "Monotonic time source didn't increase; is it stuck?"

How do I resolve this?

stefanghita · ‎02-03-2020

I had the same question and I opened a Splunk case. This is the response:

"This is an error we have come across with some of our Windows customers, and seems more common of virtualized instances. The splunk process will periodically check the time of the OS system and will show this error if there is a difference (~15 ms) as an indication of the time progress internally. This is really an internal ERROR that should not be reported.

Reference: GetTickCount64 function https://docs.microsoft.com/en-gb/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount64

This issue is currently fixed in version 8.0.0, and if you would like to stop this error from occurring, you will need to look into upgrading to 8.0, otherwise, you can ignore this error message."

chrisyounger · ‎02-06-2019

Not sure sorry. You might need to raise a ticket with Splunk.

Are your UFs running on an VMware or virtualisation stack and maybe they aren't getting enough CPU time? Alternatively, did the system clock change or did a timezone change occur?

Good luck

Can you help me with the following error on my universal forwarder: "Monotonic time source didn't increase; is it stuck?"

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!