
Universal forwarder version 10 memory leak

Ixionz
New Member

I am currently in the testing phase of getting our universal forwarders to a more standardized version (either 9.4.4 or version 10); however, when I roll out the new version to any VMs, splunkforwarder chews up over 80% of memory, which causes overall memory utilization to be around 100% constantly, so I am forced to roll back to version 9.4.4.

Nothing has been changed at all except the version. 


Is anyone else experiencing similar behavior when they upgrade to version 10 or even do a new install, or has anyone else seen this behavior out there (not necessarily VMs, but maybe physical boxes)? I don't want to roll something out to our environment that causes more problems than solutions.


darren
Observer

I see this article: https://splunk.my.site.com/customer/s/article/High-CPU-and-Memory-Usage-After-Splunk-UF-10-Upgrade


I've just tested out 9.4.5.0, and I'm having the same issue with it crashing servers.

9.4.4.0 seems to be safe for us.


So far we've seen these crashes on Windows 2016, not sure if it affects other OS versions or not.


darren
Observer

I was told to try the fix in:

https://community.splunk.com/t5/Splunk-Enterprise/URGENT-All-splunk-forwarders-upgraded-to-10-0-vers...

"Disabled the evt_resolve_ad_obj = 0 in Splunk_TA_windows app, logs have now ceased."


For reference, this is the ticket I made. Luckily, we were able to catch this issue in dev before deploying 10.0.0.0 to prod.

https://community.splunk.com/t5/Splunk-Enterprise/In-UniversalForwarder-10-0-0-0-splunk-winevtlog-ex...


darren
Observer

However, if we do the below "fix", then AD SID and AD GUID strings won't be resolved to the actual AD names, which would be really annoying. I think we're going to hold off on 10.0.0.0 until the evt_resolve_ad_obj feature is fixed and working again without crashing our servers.


In the [WinEventLog://Security] stanza inside inputs.conf:

    evt_resolve_ad_obj = 0


isoutamo
SplunkTrust

Please create a support ticket.

Anyhow, it's best practice to wait for something like X.0.3 or even X.1.2 or similar before going into production. Almost every time a new version has launched, there have been more or less nasty and critical bugs.


livehybrid
SplunkTrust

Hi @Ixionz 

Are you able to please confirm the name of the process(es) running which consume this amount of memory, and also the total amount of memory on these VMs?

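Added example, not from this thread and not Splunk's own tooling: a PowerShell script that collects the data livehybrid asks for (which Splunk processes hold the memory, and how much memory the host has) and, for the workaround darren quotes, prints the effective evt_resolve_ad_obj value per WinEventLog stanza using the forwarder's btool so you can see which file the setting is coming from. It assumes the default Universal Forwarder install path and an elevated PowerShell session on the affected Windows host; the 80% threshold is the figure from the original post.

```powershell
# Added example (not from the thread or from Splunk): report Universal Forwarder
# memory use and the effective evt_resolve_ad_obj setting on a Windows host.
# Assumptions: default UF install path below; run from an elevated PowerShell.
param(
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder',  # assumed path
    [int]$WarnPercent    = 80   # share of host memory the original poster saw exceeded
)

function Get-SplunkMemoryReport {
    param([int]$WarnPercent = 80)

    # CIM reports physical memory in KB; convert to MB for readability.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $totalMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)
    $freeMB  = [math]::Round($os.FreePhysicalMemory / 1KB)

    # All UF processes are named splunk*.exe (splunkd, splunk-winevtlog, ...),
    # so a wildcard catches the parent and every modular input child.
    $procs = Get-Process -Name 'splunk*' -ErrorAction SilentlyContinue |
        Sort-Object -Property WorkingSet64 -Descending

    $rows = foreach ($p in $procs) {
        [pscustomobject]@{
            Name         = $p.ProcessName
            Id           = $p.Id
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            PrivateMB    = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
        }
    }

    $splunkMB = [double](($rows | Measure-Object -Property WorkingSetMB -Sum).Sum)
    $pct      = if ($totalMB -gt 0) { [math]::Round(100 * $splunkMB / $totalMB, 1) } else { 0 }

    [pscustomobject]@{
        TotalMB       = $totalMB
        FreeMB        = $freeMB
        SplunkMB      = $splunkMB
        SplunkPercent = $pct
        OverThreshold = ($pct -ge $WarnPercent)
        Processes     = $rows
    }
}

function Get-EvtResolveAdObjSetting {
    param([string]$SplunkHome)

    $splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
    if (-not (Test-Path $splunkExe)) { throw "splunk.exe not found under $SplunkHome" }

    # btool prints the merged inputs.conf; --debug prefixes each line with the
    # file it came from, which shows whether the value is set by Splunk_TA_windows
    # or by a local override.
    $lines  = & $splunkExe btool inputs list --debug 2>$null
    $stanza = $null
    foreach ($line in $lines) {
        # Each --debug line is "<path to .conf>  <conf line>"; paths may contain spaces.
        if ($line -notmatch '^(?<src>.*?\.conf)\s+(?<body>.*)$') { continue }
        $src  = $Matches['src']
        $body = $Matches['body']

        if ($body -match '^\[(?<stanza>WinEventLog(?://[^\]]*)?)\]') {
            $stanza = $Matches['stanza']
            continue
        }
        if ($stanza -and $body -match '^evt_resolve_ad_obj\s*=\s*(?<val>\d)') {
            [pscustomobject]@{
                Stanza             = $stanza
                evt_resolve_ad_obj = [int]$Matches['val']
                Source             = $src
            }
        }
    }
}

$report = Get-SplunkMemoryReport -WarnPercent $WarnPercent
$report.Processes | Format-Table -AutoSize
'Splunk processes: {0} MB of {1} MB ({2}% of host memory, {3} MB free)' -f `
    $report.SplunkMB, $report.TotalMB, $report.SplunkPercent, $report.FreeMB
if ($report.OverThreshold) {
    Write-Warning "Splunk UF memory is at or above $WarnPercent% of host memory"
}

Get-EvtResolveAdObjSetting -SplunkHome $SplunkHome | Format-Table -AutoSize
```

Run it on an affected VM before and after changing evt_resolve_ad_obj, and attach both outputs to the support ticket isoutamo suggests; the per-process table tells you whether splunkd itself or the splunk-winevtlog child is the one growing, and the btool table confirms that a local inputs.conf override actually took precedence over the value shipped in Splunk_TA_windows. Remember darren's caveat above: a value of 0 stops SID and GUID resolution in the collected Security events.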