Splunk Enterprise

Issues with Splunk Universal Forwarder Sending Security Logs After Upgrade to 10.0

telvinwells08
New Member

Hi Splunk Community,

I recently upgraded my Splunk Universal Forwarders from version 9.4.3 to 10.0, and since the upgrade, I’ve been experiencing issues with the forwarders sending security logs to my Splunk Enterprise instance (which is also running version 10.0).

Here are some specific details:

  • Pre-upgrade, everything was working fine, and security logs were being ingested without any issues.
  • After the upgrade, I noticed that security logs are either not getting sent or are being delayed significantly.
  • I've verified that the forwarders are still forwarding some logs, but the security-related ones aren't appearing in the index as expected.
  • The configuration files (inputs.conf, outputs.conf, etc.) on the forwarders haven’t been changed since the upgrade.

I’ve tried restarting the forwarders and re-checking the connectivity to the Splunk Enterprise instance, but the issue persists.

Has anyone else encountered similar problems after upgrading to 10.0? Could it be an issue with compatibility, or is there something specific I should look into? Any advice or troubleshooting tips would be greatly appreciated!

Thanks in advance for your help!


SDSplQuestion
Loves-to-Learn Lots

Hi TelvinWell08,

I've had a similar issue recently. Did you end up finding a resolution to this one? I can't seem to get them to send data again.


livehybrid
SplunkTrust

Hi @telvinwells08

From my experience there shouldn't be anything that would cause this issue; however, I'm wondering if there is something else causing these delayed/missed logs.

Have you been able to check $SPLUNK_HOME/var/log/splunk/splunkd.log? Are there any errors or specific logs relating to security or the sending of data which might indicate the cause of the delay? Feel free to share any errors here and we can look into them for you.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

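As an added example (not code from the thread or from Splunk), a small Python triage script for the splunkd.log check suggested above: it parses the usual splunkd.log line layout, keeps WARN/ERROR entries, groups them by component with first/last timestamp, and then narrows to components whose names start with TcpOutput, the ones that handle sending data to the indexer. The line layout, the TcpOutput prefix and the sample log lines are assumptions/constructed for this example, not taken from the thread.

```python
import re

# Assumed splunkd.log layout (the usual shape, stated here as an assumption):
# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component [thread] - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) (?:\[[^\]]*\] )?- (?P<msg>.*)$"
)

# Constructed sample lines so the script runs stand-alone; not from a real forwarder.
SAMPLE_LOG = """\
09-15-2025 08:00:01.100 +0000 INFO  TailingProcessor - Parsing configuration stanza: monitor:///var/log/secure
09-15-2025 08:00:02.250 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
09-15-2025 08:00:03.300 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed
09-15-2025 08:00:04.400 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997
09-15-2025 08:00:05.500 +0000 WARN  TcpOutputProc - Forwarding to output group default-autolb-group blocked for 100 seconds
09-15-2025 08:00:06.600 +0000 ERROR TailReader - File will not be read, is too small to match seekptr checksum
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Return (ts, level, component, msg), or None when the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), m.group("level"), m.group("component"), m.group("msg"))

def triage(log_text, levels=("WARN", "ERROR")):
    """Group WARN/ERROR lines by component: count, first/last timestamp, first message."""
    summary = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[1] not in levels:
            continue  # unparseable or informational line
        ts, _, component, msg = parsed
        entry = summary.setdefault(component, {"count": 0, "first_ts": ts, "last_ts": ts, "first_msg": msg})
        entry["count"] += 1
        entry["last_ts"] = ts
    return summary

def output_problems(summary, prefixes=("TcpOutput",)):
    """Keep only components that handle sending to the indexer; the prefix is an assumption."""
    return {c: v for c, v in summary.items() if c.startswith(prefixes)}

if __name__ == "__main__":
    for comp, info in output_problems(triage(SAMPLE_LOG)).items():
        print(f"{comp}: {info['count']} event(s) {info['first_ts']} .. {info['last_ts']}; first: {info['first_msg']}")
```

Point it at the real file with `triage(open(path).read())`; a run with nothing under TcpOutput but steady output-group "blocked" or connection timeouts points at the forwarder-to-indexer path rather than at the input itself.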