Can you help me with the following error on my uni...

vulnfree · ‎02-06-2019

I am receiving the following errors from my universal forwarder: "Monotonic time source didn't increase; is it stuck?"

How do I resolve this?

stefanghita · ‎02-03-2020

I had the same question and I opened a Splunk case. This is the response:

"This is an error we have come across with some of our Windows customers, and seems more common of virtualized instances. The splunk process will periodically check the time of the OS system and will show this error if there is a difference (~15 ms) as an indication of the time progress internally. This is really an internal ERROR that should not be reported.

Reference: GetTickCount64 function https://docs.microsoft.com/en-gb/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount64

This issue is currently fixed in version 8.0.0, and if you would like to stop this error from occurring, you will need to look into upgrading to 8.0, otherwise, you can ignore this error message."

chrisyounger · ‎02-06-2019

Not sure sorry. You might need to raise a ticket with Splunk.

Are your UFs running on an VMware or virtualisation stack and maybe they aren't getting enough CPU time? Alternatively, did the system clock change or did a timezone change occur?

Good luck

Can you help me with the following error on my universal forwarder: "Monotonic time source didn't increase; is it stuck?"

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!