Known Issues for release 3.2.1
Contents
- General issues and considerations
- Windows-specific considerations and known issues
- Solaris-specific considerations and known issues
- Search issues, including deprecated commands
- Distributed search issues and considerations
- Splunk Web issues and considerations
- Configuration considerations and issues
- Splunk Toolbar considerations and issues
This page contains known issues and workarounds for this release of Splunk.
General issues and considerations
This section contains general considerations, issues and workarounds for this release of Splunk.
- Live tail is a powerful feature, and as such can tax system resources. For this reason, Splunk defaults to only allowing you to run one Live Tail at a time. However, you can edit web.conf to allow for multiple Live Tails. You must enable HTTP pipelining for this to function correctly. Refer to web.conf for more details.
- If you switch from LDAP authentication to Splunk's built-in authentication, you must restart from the command line before you can log in again.
- The $SPLUNK_HOME/share/splunk/search_oxiclean/rss directory is installed with incorrect permissions. You must enable write permissions for this directory so that RSS feed pages can be created.
- You cannot specify a relative path when setting $SPLUNK_DB.
- The File System Change Monitor does not monitor directories, only the contents of those directories. If an empty directory is deleted, renamed, or otherwise changed, you will not receive an alert. However, if any file in the directory is changed, you will receive an alert.
- 2.0.x licenses will NEVER work with 3.x+. If you have a current Plus Support contract you are entitled to upgrade your license to 3.x. If you do not have a current support agreement in place please contact sales@splunk.com.
- Export and import of user data may not work properly.
- Splunk's authentication module does not work with Domino LDAP.
- Log file rotation does not currently work while tailing SMB mounts. Work around this by mounting as CIFS.
- Upgrading using rpm does not create an etc.bak file.
- If you are running two different instances of Splunk on one machine, you cannot log into both instances at once, even with different shell sessions. However, you can use the -auth option in your search string to provide credentials for a different user on the fly.
- Some SUSE 10.x users might experience incorrectly displayed dialog boxes and searches may return the message "Unable to get a properly formatted response from the server; canceling the current search." This is a problem with the mime.types configuration. Instructions on how to correct this problem can be found here.
- If you are using Splunk Deployment server, you must upgrade it to match all your Splunk instances. Mixed version environments are not supported.
- Splunk is incorrectly calculating the size of your index. This means that the maxTotalDataSize specified in your indexes.conf file is not being honored. To work around this issue, you can reduce the value by 20%. This will be resolved in the 3.2.2 release.
- If you are in a timezone with non-DST offsets (GMT), Splunk will crash at startup.
Windows-specific considerations and known issues
As a result of porting Splunk to the Windows platform, some functionality is not available or works differently due to platform differences or limitations:
- FIFO data inputs are not supported
- 'Watch and symlink' operation is not supported with file-based data inputs.
- Specifying mapped paths that include drive letters (such as C:\) is not supported. To work around this, use a full UNC path to the network resource (in the form \\servername\full\path\to\resource). Splunk must be running as a user with Admin privileges on the network.
- The exporttool function does not support exporting to the original source, but does support export to csv.
- You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf.
- Wildcards are not currently supported when specifying paths to files in regexes.
- A Unix deployment server is currently unable to properly distribute configs to Windows clients.
Solaris-specific considerations and known issues
- Splunk currently uses an inefficient memory allocator for Solaris installs. To work around this, start Splunk in the following manner:
LD_PRELOAD=libumem.so splunk/bin/splunk restart
Search issues, including deprecated commands
- The readlevel and readlimit modifiers are deprecated as of version 3.2. Splunk now handles the verbosity of events intelligently with no need for specification.
- The maxresults and maxtime modifiers have been deprecated. If you have saved searches that use maxresults, they will no longer function in 3.2.
  - Use the Preferences menu in Splunk Web to configure these values.
  - From within the CLI, use of maxresults has changed from being inside your query (for example, splunk search "search foo maxresults::100") to being outside your query (for example, splunk search "foo" -maxresults 100).
- The remote command is deprecated.
  - In Splunk Web, perform remote functionality in the Distributed tab of the Admin interface.
    - Click Admin in the upper-right corner of Splunk Web.
    - Click Distributed from the Distributed tab to turn on Distributed searching and then restart the server.
    - Add the servers you want search requests to be distributed to.
    - Restart Splunk. Once you restart Splunk, all search requests are sent to the servers you specify in the list.
  - In the CLI, use the dispatch command to execute remote functionality. You must have distributed search configured prior to running dispatch.
- The header argument for the diff command has no effect; the header data is always displayed.
- Performing multiple searches at once from the Web UI can occasionally return a "search was canceled" error.
- Searches that operate on large events, such as configuration files and tabular data (top/ps output, logs containing multi-line events), can stress the memory available on 32-bit systems. Splunk recommends that you reduce the maximum number of results from the Preferences menu in Splunk Web or consider searching asynchronously using the command line interface when you are performing these types of searches. This issue can be compounded in distributed search scenarios, where the pool for results is greater. Additionally, the optimizations Splunk applies when displaying non-distributed search results are not available when performing distributed searches; this will also affect memory consumption.
- Using the localize search command without arguments crashes splunkd.
- Searching for indexed fields with capital letters in the name will return zero results. To work around this issue, use all lowercase letters for your indexed field names.
Distributed search issues and considerations
- If you are adding or changing a license on any server in your distributed cluster, restart all of them to ensure that they display correctly on each other's dashboards.
- Autodiscovery of hosts for distributed search is unreliable.
- If you are using Splunk in a distributed search cluster, you must upgrade each node to exactly the same version of Splunk; mixing 3.1.x and 3.2.x nodes in a distributed search cluster is not supported. You must upgrade all 3.1.x nodes to 3.2.x.
- In the deployment server, the 'default' class is supposed to target all deployment clients; however, configuration files placed in the default directory on the deployment server do not get pushed properly.
Splunk Web issues and considerations
- Splunk 3.2 requires Flash 9. Flash is available for Firefox 1.5 and 2.0, and Internet Explorer 6 and 7. See the Adobe Flash system requirements. You can check which version of Flash you are running here.
- Firefox 3.0b1 will not currently display any data with Splunk Web. Please use Firefox 2.0.0.10 or earlier.
- If you create a saved search with the alert condition set to 'always' and then change this field to another value, the third field becomes inaccessible. To work around this, select **Choose...**, save the change, then re-edit the saved search to reflect your wishes.
- If you create an event type that contains a space in the name and also specify tags for the event type at the same time, you cannot search on the tags.
- If you pipe into a saved search, time range specifications are ignored in Splunk Web.
- Section headers may sometimes display incorrectly in Splunk Web.
- If you are using IE7, you may experience inconsistent results in the timeline display.
- If you assign multiple graph types to a saved search, only the initial type is displayed, and when you re-run the search, no graph is displayed.
- Time ranges are not retained in snapshots.
- To specify a label for a report column that includes spaces (with quotes surrounding the label name), do not use eval. Use rename and specify it as the last search processor in your string.
- Some users have reported browser crashes with Firefox. Mac users who experience this are encouraged to submit CrashReporter logs from the Firefox crash. These can be found in ~/Library/Logs/CrashReporter.
- If you upgrade from Splunk 3.1.x and have saved searches which you subsequently add to your dashboard, the chart type display option will be reset to the default, which is a bar chart.
Configuration considerations and issues
- Entries in indexes.conf are case sensitive, including the stanza name itself.
- Reusing a field name in fields.conf results in the field being undefined.
- Use props.conf to alter Splunk's settings. The properties.xml file is still included with the product, but its settings have no effect.
Splunk Toolbar considerations and issues
- The Splunk Toolbar sometimes incorrectly displays two drop-down arrows in the search box. This has no effect on functionality.
- When running a free Splunk license, or an unlicensed copy of Splunk, the toolbar may not get past the "Welcome to Splunk" start page.
- Occasionally a search done in the toolbar will not return results. This may cause the browser to hang. The searches will work correctly if run directly in Splunk Web or the command line (CLI).
- In some cases, the toolbar will prevent "Find in this page" functionality from running multiple times on the same page. These reports have been limited to users running multiple browser add-ons (e.g. colorful tabs, dom inspector, user agent switcher).
- Autologin does not work if the Autologin is set to off prior to configuring a Splunk server in the toolbar.
  - To log in automatically, set Autologin to on prior to configuring the server.
- The toolbar does not have a mechanism for alerting if its credentials are invalid.
  - When a Splunk server is configured to talk to an LDAP server that locks accounts after N failed login attempts, users should verify that their credentials are correct.
- There are some cases where the toolbar may take over the current user session if the toolbar is configured to talk to a Splunk instance that is different than the one a user is currently logged into.
  - There may be conflicts if a user is logged into one Splunk instance and runs a toolbar search on a different Splunk instance.
This documentation applies to the following versions of Splunk: 3.2.1