Known issues for Splunk Enterprise Security
Splunk Enterprise Security 7.3.0 was released on December 19, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.
This release includes the following known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2024-04-16 | SOLNESS-43255 | Hovering over "Add Selected to Investigation" on the Incident review dashboard displays the message: "You do not have permissions to edit notable events". Workaround: customer haven't provided any workaround. |
| 2024-02-28 | SOLNESS-41634 | IR not applying notable_xref filter from generated URL on ES 7.3 |
| 2024-02-06 | SOLNESS-40942 | IR page stuck in Updating after user with ess_analyst role updates notables. |
| 2024-01-23 | SOLNESS-40719 | Time range settings are not saved successfully on the Incident Review page, irrespective of whether the time range is valid or not. |
| 2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization. Workaround: No workaround |
| 2023-12-05 | SOLNESS-40127, SOLNESS-40436 | Identity Manager with values in the "blacklist" or "blacklist_fields" fields are ignored. Workaround: Update the exclusion fields using the UI. Go to *Configure > Data Enrichment > Assets & Identity Management.* Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list. |
| 2023-11-30 | SOLNESS-40082 | Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher. |
| 2023-11-29 | SOLNESS-40066 | The dialog for suppressing notable events does not open after the first suppression is added on the Incident Review page. Workaround: Refresh the Incident Review page so that you can add more suppression rules for notables. |
| 2023-10-02 | SOLNESS-38795 | Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2.Workaround: Make a clone of the notable macro, but remove the portions having to do with the get_drilldown_searches macro: {noformat}[get_drilldown_searches] definition = streamstats count as drilldown_event_id | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) | mvexpand updated_drilldown_searches | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset | spath input=updated_drilldown_searches path=latest_offset output=latest_offset | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id | dedup drilldown_event_id | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) | fields - drilldown_event_id, updated_drilldown_obj{noformat} Recommended resolution |
| 2023-08-30 | SOLNESS-37237 | Cloned dashboards in Splunk Enterprise Security version 7.1.1 returns a 404 error. |
| 2023-08-16 | SOLNESS-36952 | Risk Analysis 'Source' drop-down list results truncated Workaround: Searches appear in alphabetical order. To move important searches to the top of the list, rename them to appear earlier in the alphabet. For example, add "AAA -" to the beginning of the search name. |
| 2023-08-08 | SOLNESS-36864 | Timeline on Incident Review page: Cannot zoom in by double clicking |
| 2023-07-27 | SOLNESS-36731 | Timeline on Incident Review page: Cannot activate or deactivate timeline buttons |
| 2023-07-25 | SOLNESS-36660 | Timeline on Incident Review page: Cannot zoom in on a selection of < 1 minute |
| 2023-07-20 | SOLNESS-36590 | The script 'confcheck_es_bias_language_cleanup' is reported as missing in Splunk Enterprise Security 7.2.0. |
| 2023-07-18 | SOLNESS-36563 | Timeline on Incident Review page: cannot select a bar that was previously deselected Workaround: Select, then deselect, a different bar. Then select the bar that you originally wanted to select. |
| 2022-09-14 | SOLNESS-32647 | Saved searches created in the Content Management page with private settings are not displayed. |
| Fixed issues for Splunk Enterprise Security | How to find answers and get help with Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0
Download manual
Feedback submitted, thanks!