Getting Data In

Can you help me with the following error on my universal forwarder: "Monotonic time source didn't increase; is it stuck?"

vulnfree
Explorer

I am receiving the following errors from my universal forwarder: "Monotonic time source didn't increase; is it stuck?"

How do I resolve this?

0 Karma

stefanghita
Engager

I had the same question and I opened a Splunk case. This is the response:

"This is an error we have come across with some of our Windows customers, and seems more common of virtualized instances. The splunk process will periodically check the time of the OS system and will show this error if there is a difference (~15 ms) as an indication of the time progress internally. This is really an internal ERROR that should not be reported.

Reference: GetTickCount64 function https://docs.microsoft.com/en-gb/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount64

This issue is currently fixed in version 8.0.0, and if you would like to stop this error from occurring, you will need to look into upgrading to 8.0, otherwise, you can ignore this error message.​"

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Not sure sorry. You might need to raise a ticket with Splunk.

Are your UFs running on an VMware or virtualisation stack and maybe they aren't getting enough CPU time? Alternatively, did the system clock change or did a timezone change occur?

Good luck

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...