Splunk® App for PCI Compliance

Release Notes

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Known Issues

The following are known issues and workarounds for this version of the Splunk App for PCI Compliance.

Installation

  • The Splunk App for PCI Compliance requires installation of Sideview Utils. If Sideview Utils has not been installed before the Splunk App for PCI Compliance, the installer will provide a link to download the app. The link is incorrect. The link can be found in the Installation and Configuration Manual "here".

Hardware prerequisites

Important: See "Prerequisites" in the Splunk App for PCI Compliance Installation and Configuration Manual for specific hardware requirement information.

  • Running Splunk Enterprise on a combination of virtualized hardware and Windows Server may cause the Splunk App for PCI Compliance setup to fail. If the virtualized system is properly provisioned to Splunk Enterprise specifications and setup is unable to complete, increase the splunkdConnectionTimeout setting in the web.conf to 120 seconds or more until the setup process is complete. (SOLNPCI-1156) (SPL-82837)

General

  • Some Splunk App for PCI Compliance dashboard panels are populated by saved searches or time-independent searches. For informational purposes, these panels ignore top-level filters. This is intended behavior. (SOLNESS-353)
  • Network connection error message: After editing events on the Incident Review dashboard, the following error message is displayed at the top of the screen:
   "Your network connection may have been lost or Splunk Web may be down."
This is a known issue. It indicates that the browser lost connection to Splunk Web for a brief period of time. See this Splunk answer for more information. (SOLNESS-2186)
  • This version relies on the deprecated eventHashing and data block signing features in the Data Protection dashboard. These two features are deprecated as of Splunk 5.0.0. Upgrade to Splunk App for PCI Compliance version 3.x or later to avoid relying on a deprecated feature.

Cancel button

The Cancel button on the Splunk App for PCI Compliance requirement does not work when you link to the Splunk Manager using the App Settings configuration . The Save button saves changes and takes user to the list of searches and reports, but the Cancel button does not function. (SOLNPCI-353)

Dashboard drilldown produces incorrect counts

When drilling down from charts with data plotted over time, the number of events presented in the drilldown may not match the chart. This is a result of drilling down from data in a summary time window into actual raw data. Occasionally the time windows do not line up exactly and the counts may be different. (SOLNESS-1096)

Incident Review dashboard

  • The Incident Review dashboard feature does not work on the Solaris operating system. (SOLNESS-2508)
  • Drilldowns to "Contributing Events" from any notable event in the Incident Review dashboard will default to "All Time" and may take a long time to return results. (SOLNESS-1784)
  • When the Incident Review dashboard is being used to manage notable events, all updates will restart searches. If using a real-time search, the search will need to be finalized for more information). (SOLNESS-959)

Charting

  • No search progress indicator: After the user clicks the Search button, no indication is given that a search is being performed (even though the search is in fact running). This is a known core Splunk issue (SPL-51660). The table or report remains empty until the results of the search are complete. (SOLNPCI-714)
  • When you click on a medium level (or other level) urgency event in the Viewing Notable Events by Urgency dashboard, this error appears:
Results Error
Error #2032
Despite the error, the process continues to show the medium urgency (or other level of urgency) events that you selected. Drill-down to other data works fine and the error is only briefly displayed before you are redirected to the appropriate page.
This error only appears with the initial urgency or severity level selection; it does not re-occur on subsequent choices of severity from the dashboard. (SOLNESS-2431)

Internet Explorer

  • When using Splunk with Internet Explorer, you need to disable XSS protection in Internet Explorer. If XSS is not disabled, the "View Full Results" link may point to the timeline view with errors. Add Splunk to the list of trusted sites and only disable XSS protection on trusted sites. (SOLNESS-3210)
  • When using Internet Explorer 8 in compatibility mode the Notable History Chart does not render after the page loads (PCI Scorecard > Notable Event History Chart). If you hover the cursor over thr cursor over the chart series item (the colored square) in the legend, the column chart displays. If you switch Internet Explorer into standard mode, the chart will display. (SOLNESS-2421)
  • When viewing the Incident Review dashboard using Internet Explorer 9, if you finalize the search, the word "events" ("Edit all _ matching events.") is wrapped to the next line. The workaround is to increase or decrease the page size. (SOLNPCI-1038)
  • Using Internet Explorer while performing a drill-down search can exceed the IE URL limit and prevent the drill down search from displaying. (SOLNPCI-1155)

Inputs

  • TA-mcafee uses python scripts to collect McAfee EPO data. The script mcafee_epo.py has a dependency to the python bundled with Splunk Enterprise that prevents it from running on other python installations. (ADDON-894)
Last modified on 03 February, 2016
  Change Log

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters