I, too, was seeing a similar message, with the GUID and IP of the UF that was supposedly having an issue. Accompanying that, I was getting an email from an alert I'd set up for "UFs no longer sending logs", and my monitoring console also showed it was missing. However, if I did a query for it on a search head, I was definitely still seeing current events coming in, and my deployment server said it was still checking in. This is in a mixed environment of the architectural Splunk components (MC, CM, DSLM, SHs, HFs, IDXs) running on Linux, and the majority of UFs running on Windows. Due to my department, I do not have OS access to those Windows servers. As an experiment, I created a simple text file on the DS, set it to restart Splunkd, added it to a new server class, and assigned only the problem UF client to it. As expected, once the client got the file, the UF restarted and the symptoms went away.

@PickleRick Would removing the tracker.log have solved the issue as well? I had the admin, who had OS access to it, restart the UF, but it did not solve the issue. Maybe him just restarting the UF wouldn't have been enough and would have just come back up using the same tracker.log?