Splunk® Enterprise Security

Release Notes



This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.


Date filed Issue number Description
2023-03-28 SOLNESS-35291 Threat Intelligence Framework is not passing the weights of Indicators of Compromise (IOCs).
2022-02-25 SOLNESS-30127 Required admin role capabilities clarified for Splunk Enterprise Security.
2021-03-24 SOLNESS-26297 Poor error handling on invalid identity_manager stanzas

Workaround:
This error means that one of the identity_manager stanzas in inputs.conf is missing a url setting. Determine which stanza lacks the required setting and either add the url setting to it or remove the stanza altogether.
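As an added illustration of this workaround (example code written for this page, not part of the Splunk documentation or product), the following Python script parses an inputs.conf and lists the identity_manager stanzas that have no non-empty url setting. The stanza prefix and key names follow the issue text above; the sample inputs.conf content and stanza names are constructed for the example.

```python
"""
Added example (not from the Splunk documentation): find identity_manager
stanzas in a Splunk inputs.conf that lack the required `url` setting.
The sample inputs.conf text below is constructed for illustration.
"""
import re
from typing import Dict, List

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*)$")


def parse_splunk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf files: [stanza] headers followed by
    key = value lines. Blank lines and '#' comments are skipped; keys that
    appear before any stanza header are stored under "default"."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m:
            stanzas.setdefault(current, {})[m.group("key").strip()] = m.group("value").strip()
    return stanzas


def identity_manager_stanzas_missing_url(conf_text: str) -> List[str]:
    """Return the names of identity_manager:// stanzas whose url setting is
    absent or empty (an empty `url =` is as broken as a missing one)."""
    stanzas = parse_splunk_conf(conf_text)
    return [
        name
        for name, settings in stanzas.items()
        if name.startswith("identity_manager://") and not settings.get("url")
    ]


# Constructed sample inputs.conf: one healthy stanza, one with no url key,
# and one with an empty url value.
SAMPLE_INPUTS_CONF = """\
[identity_manager://corp_assets]
category = asset
url = lookup://corp_assets_lookup
disabled = 0

[identity_manager://hr_identities]
category = identity
disabled = 0

[identity_manager://legacy_assets]
category = asset
url =
"""

if __name__ == "__main__":
    for name in identity_manager_stanzas_missing_url(SAMPLE_INPUTS_CONF):
        print(f"[{name}] has no url setting; add one or remove the stanza")
```

Point the script at the merged configuration (for example the output of `btool inputs list identity_manager`, or the inputs.conf files under the relevant app) rather than a single file, since the offending stanza may live in any app's local directory.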
2020-07-30 SOLNESS-23521 Identity Management: Only transforms from specific apps are being displayed on "New Asset" modal
2020-07-14 SOLNESS-23451 Notable Event Framework: Searches converted from XS to MLTK did not have their tokens updated

Workaround:
Update the rule_description for the following searches.

[Network - Unusual Volume of Network Activity - Rule]
action.notable.param.rule_description = An unusual volume of network activity was detected. $src_count$ unique sources have generated network traffic in the past 15 minutes and $total_count$ network events have been observed in the same time period.

[Network - Substantial Increase in Port Activity (By Destination) - Rule]
action.notable.param.rule_description = A statistically significant increase in the volume of activity on port $dest_port$ was noted. Today's value is $dest_port_traffic_count$.

[Network - Substantial Increase in an Event - Rule]
action.notable.param.rule_description = A statistically significant increase in the volume of $signature$ events was noted. Today's value is $ids_attacks$.
2020-05-15 SOLNESS-22864, SOLNESS-22834 Glass table editor navigation is missing with Splunk Enterprise 8.0.x in on-prem environments
2020-05-13 SOLNESS-22828 Notable event status or owner sometimes are wrong because of size of incident_review collection

Workaround:
Set max_rows_per_query in limits.conf to a size greater than the size of the incident_review_lookup collection and restart Splunk.

To check this:

index=_introspection host=<ES SH> sourcetype=kvstore "data.ns"="SA-ThreatIntelligence.incident_review" | stats max(data.count) AS count

And if this count is bigger than the max_rows_per_query limit in limits.conf, increase it on the search head(s):

limits.conf:
[kvstore]
max_rows_per_query = <something bigger than the count above>

and restart Splunk afterwards.

2020-05-11 SOLNESS-22809 CustomSearchBuilder: Retention component for kvstore backed search-driven-lookup not working
2020-04-02 SOLNESS-22269, SOLNESS-21618 CSB build request includes query string + lookup count exceed
2019-03-15 SOLNESS-18377, SPL-167855 Workbench: custom visualizations don't work in workbench
Last modified on 28 August, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 6.2.0