Re: Why does Splunk UF stop sending data a few min...

jg91 · ‎09-19-2022

Hi, in a Linux server, a UF is configured to monitor a log directory, and it stops sending data to the indexer after about 2 minutes. When I restart the UF from the deployment server, it will start sending data and then stop sending.
Other inputs configuration like running scripts are working fine, and there is no error or warning in the _internal index about this host.
Do you have any idea about this problem?

isoutamo · ‎10-04-2022

Can you share some more information about this:

It succeed to send events like 2min then it stops? This happen every time when you are restarting it?
Linux version / os
Splunk UF versio + indexer version (is there HF between UF and IDX)?
Is DS in use or how those UFs' are configured
Your inputs.conf
Check with btool that this is correct and no additions to another TA/apps
Are another inputs working (file/directory based)?
Has this ever working?
In which user splunkd is running and who own those log files?

r. Ismo

Why does Splunk UF stop sending data a few minutes after the start?

inputs.conf

monitor

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation