4.1

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

4.1

The following issues have been resolved in this release:

Field picker sorting broken after I click around different pages of search results and add/remove fields. (SPL-23308)
maxTotalDataSize doesn't seem to be honored. (SPL-30534)
When getting local Windows Event logs and also indexing .evt files, splunkd will crash if the local Windows Event logs have GUIDs in them. (SPL-30314)
Saved search object "win_eventlog_count_sum_index" has a specific owner, which causes the UI to try to access that specific user's workspace. (SPL-30229)
Dashboard search in Windows app creates excessive summary index entries. (SPL-29972)
Event Results Time range displayed in wrong TZ when choosing date from calendar picker.
Running the MSI commandline installer with LAUNCHSPLUNK=0 & SplunkLightForwarder enabled causes splunkweb to start up. (SPL-29798)
Disabling typeahead per role results in unsightly error in Splunk Web. (SPL-29337)
Show Source' only displays 100 lines. (SPL-29292)
Searches are scheduled & run with SplunkLightForwarder enabled. (SPL-29224)
Running splunk clean all -f barfs with "ERROR :: Cannot call rmtree on a symbolic link" if symbolic links exists in DBs. (SPL-28949)
In situations where an index has been deleted but the inputs feeding have not also been deleted, indexed data volume is measured before it's actually commited to disk. (SPL-28915)
Systems with large metadata (.data) files (can be due to sourcetyping issues) experience degraded search performance. (SPL-28700)
Sending files to the sinkhole follows symlinks to directories, deleting contents outside the sinkhole. (SPL-28652)
Switching from enterprise to free results in nonfunctional searches with ugly summary indexing error. (SPL-28470)
The content of the audit index is counting against license. (SPL-28462)
Archived data copied into thaweddb requires Splunk restart. (SPL-28428)
The _time field is always included in results, even when I tell it not to. (SPL-28413)
SplunkLightForwarder app with forwarder license is reporting license violations. (SPL-28354)_
Should not be able to remove app read/write privileges for the admin user. (SPL-28079)
Cleartext passwords in authentication.conf files are not encrypted/replaced if the authentication.conf file is stored in etc/apps/search/local instead of etc/system/local. (SPL-28073)
Automatic kv extraction is not working some events. (SPL-27889)
Wnabling SplunkLightForwarder without an outputs.conf tcpout set up automatically blackholes your data. (SPL-27747)
host= on TCP input is not respected. (SPL-27735)
Audit signing is IDing the events in wrong order resulting in false gaps. (SPL-27673)
When a machine set up for distributed search goes down, the main indexer becomes unusable. (SPL-27640)
Email alert garbles Japanese characters. (SPL-27541)
If you use panel_row_1_col_1_grp_1 with nothing in the row_1_col_1 node, an exception is thrown. (SPL-27354)
Problems with lookup tables against strings containing backslashes. (SPL-27351)
Strings containing backslashes are not properly passed in forms. (SPL-27343)
The splunk set server-type forwarder CLI option is broken and should be removed. (SPL-27283)
Simple XML searchPostProcess basically doesn't work with <chart> and <fields>. (SPL-27248)
Automatic load-balancing forwarder breaks when the indexer is out of disk space. (SPL-27235)
Easy to overwrite saved searches when sharing. (SPL-27201)
Setting in $SPLUNK_HOME/etc/system/default/props.conf still taking precedence over setting in app's props.conf. (SPL-27062)
Search processes running but jobs page reports all searches as done. (SPL-26861)
Links to saved searches in email alerts older than 24 hours return 404 and stack trace. (SPL-26448)
The splunk list forward-server command does not work when doing SSL forwarding. (SPL-26236)
Typeahead is not picking the right values. (SPL-26218)
Different fields displayed searching via Splunk Web and email alert link. (SPL-26203)
Typeahead searches crashing, high memory usage. (SPL-25790)
Removing a UNC path via Splunk Web strips Windows backslashes. (SPL-25473_
Highlight works for the first transaction event but not on the second event. (SPL-25419)
Downed (ungraceful shutdown) forwarder completely skips over the rest of log file. (SPL-25259)
Default extractions for access_combined sourcetype don't work when URI is enclosed with quotes. (SPL-18953)
A .csv file with ^M linebreaks won't create fields, replace with proper linebreaks and it's ok. (SPL-17294)
Undefined transform is reference in [WinRegistry] stanza in props.conf, resulting in an error in splunkd.log. (SPL-30433)
Confusing messaging when using distributed search and mixed indexes:"A clause in your search will not return results. Make sure you are using 'OR' to search multiple indexes and at least one specified index exists." (SPL-30198)
Quoted expression inside parentheses is incorrectly escaped on load. (SPL-29155)
Exception data from search script does not work for some flags (streaming, retainsevents, overrides_timeorder) and an "error in 'restitch' command" error is displayed. (SPL-28851)
Provided search command scripts do not actually do the same thing that the commands they are named after do; this confuses people trying to write search scripts. These scripts should be removed or renamed. (SPL-28789)
Typeahead should timeout faster upon initial connection to search peers. (SPL-28773)
Remove '(optional)' from Manager » Distributed search » Search peers » Add New. (SPL-28466)
Alert script stalls if the search does not return. (SPL-28421)
Setting user password with non-existent role breaks Splunk Web access. (SPL-28417)
Package preinstall script tries to create solaris user with shell '/bin/bash' which is frequently not present. (SPL-28331)
House cleaning on limits.conf.spec for those parameters no longer valid. (SPL-28321)
Lookup code doesn't tell user about nonexistent fields. (SPL-28307)
No online help for UPPERCASEd commands, although such are valid. (SPL-28284)
Splunk Web gets really slow if its connection to the external internet is intermittent (it's trying to connect to Splunkbase. (SPL-28210)
Batch file input/sinkhole doesn't re-eat files on Windows XP. (SPL-28019)
Show source action will generate lots of errors in logs. (SPL-27839)
In alert_actions.conf.spec: inline = auto -- should be removed. (SPL-27814)
etc/apps/learned/local/props.conf can balloon when a "bad input is added and too many sourcetypes are created, which affects performance. (SPL-27810)
The cron_schedule is whitespace sensitive (SPL-27775)
Reports with Heat map or high-low values don't show up on a dashboard. (SPL-27743)
The progress indicator does not display anything initially, until the search returns the first event. (SPL-27736)
Delayed indexing for 200+ UDP sources on same port. (SPL-27632)
viewstates.conf is not promoted when a user promote a search that has additional fields from the fields picker. (SPL-27503, SPL-28503, SPL-24827)
Missing etc\system\README deploymentclient.conf.spec and .example. (SPL-27388)
The listtails CLI command has been deprecated and should not be used. For most purposes, the list monitor command can be used instead. (SPL-27334, SPL-31602)

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1.4/ReleaseNotes/4.1"

« Workaround for SSL configuration for users of Firefox 3 4.1.1 »

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!

Release Notes

4.1

4.1

Comments