Known issues
Contents
- Epoch timestamps not parsed correctly after March 12, 2011
- Data input issues
- Splunk Web and Manager interface issues
- Charting and drill-down issues
- Search, saved search, scheduling, and job management issues
- Localization, internationalization, and character set issues
- App and app development issues
- Windows-specific issues
- Unix-specific issues
- CLI issues
- Lookup issues
- Distributed deployment and deployment server issues
- Unsorted issues
The following are issues and workarounds for version 4.1.4 of Splunk.
Epoch timestamps not parsed correctly after March 12, 2011
This problem affects all Splunk versions: 3.x, 4.x, and 4.2.
In Splunk's datetime.xml, the regular expression that parses epoch time (seconds since 1970-01-01 00:00:00 UTC) assumes values from 2002 through March 12, 2011, which begin with 10, 11, or 12. On March 12, 2011 (Pacific time; 07:06:40 UTC on March 13) the epoch reached 1300000000, which begins with 13, so later timestamps no longer match and are not parsed.
First, make a backup copy of $SPLUNK_HOME/etc/datetime.xml, then modify it. Change the _utcepoch regex (at around line 200) to the following:
<define name="_utcepoch" extract="utcepoch, subsecond">
<!-- update regex before 2017! :) -->
<text><![CDATA[((?<=^|[\s#,"=([\|{])(?:1[012345]|9)\d{8}|^@[\da-fA-F]{16,24})(?:.?(\d{1,6}))?(?![\d(])]]></text>
</define>
Alternatively, for sources that use epoch time, explicitly specify a strptime format in props.conf with the TIME_FORMAT setting (and TIME_PREFIX, if the timestamp is not at the start of the event).
Example:
[asterisk]
TIME_FORMAT = %s
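The cutover described above, exercised in code. This is an added example, not part of the Splunk documentation or of datetime.xml: it builds the patched _utcepoch regex from the page, plus a reconstruction of the pre-fix one (assumed from the statement that matched values began with 10, 11 or 12; the original line is not quoted on the page), runs both over constructed log lines, and computes the last epoch the patched pattern accepts. Python's standard re module rejects the variable-width look-behind (?<=^|[...]) that datetime.xml uses, so it is rewritten here as the equivalent (?:^|(?<=[...])).

```python
"""Added example (not from the Splunk docs or datetime.xml): exercises the
_utcepoch regex before and after the fix on constructed log lines, and
computes when the patched pattern itself stops matching.

datetime.xml uses a variable-width look-behind, (?<=^|[...]), which Python's
stdlib `re` rejects; it is written here as the equivalent (?:^|(?<=[...])).
"""
import re
from datetime import datetime, timezone

# Delimiter class copied from the _utcepoch regex on the page.
_DELIMS = r'[\s#,"=([\|{]'


def utcepoch_regex(second_digits: str) -> re.Pattern:
    """Build the _utcepoch regex accepting 1<second_digits>xxxxxxxx or 9xxxxxxxx."""
    return re.compile(
        r"((?:^|(?<=" + _DELIMS + r"))(?:1[" + second_digits + r"]|9)\d{8}"
        r"|^@[\da-fA-F]{16,24})"  # hex form, kept as in datetime.xml
        r"(?:.?(\d{1,6}))?"  # optional sub-second digits -> group 2
        r"(?![\d(])"
    )


# Pre-fix pattern: ASSUMED from the page's statement that matched values
# started with 10, 11 or 12; the original line of datetime.xml is not quoted.
OLD_UTCEPOCH = utcepoch_regex("012")
# Patched pattern, with the second-digit set given on the page (10..15, or 9).
NEW_UTCEPOCH = utcepoch_regex("012345")


def parse_line(pattern: re.Pattern, line: str):
    """Return the UTC datetime `pattern` extracts from `line`, or None if no epoch matches."""
    m = pattern.search(line)
    if m is None:
        return None
    raw, sub = m.group(1), m.group(2)
    if raw.startswith("@"):
        return None  # hex form is matched but not converted in this example
    ts = datetime.fromtimestamp(int(raw), tz=timezone.utc)
    if sub:  # "5" means .5 s, "123" means .123 s: right-pad to microseconds
        ts = ts.replace(microsecond=int(sub.ljust(6, "0")[:6]))
    return ts


def pattern_expiry() -> datetime:
    """Largest epoch the patched pattern accepts: 1[012345] plus eight digits is 1599999999."""
    return datetime.fromtimestamp(1599999999, tz=timezone.utc)


# Constructed sample lines (not real data).
SAMPLE_LINES = [
    "1299801600.123 CHANNEL=SIP/1001 EVENT=ANSWER",  # 2011-03-11 UTC, before the rollover
    "1300000001 CHANNEL=SIP/1002 EVENT=HANGUP",      # one second after 1300000000
    "event=login ts=1315000000.5 user=alice",        # epoch after an '=' delimiter
    "acct=2025551212 call=ok",                       # ten digits that are not an epoch
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(line))
        print("  old:", parse_line(OLD_UTCEPOCH, line))
        print("  new:", parse_line(NEW_UTCEPOCH, line))
    print("patched pattern covers epochs up to", pattern_expiry().isoformat())
```

pattern_expiry() shows that 1[012345] followed by eight digits runs out at 1599999999, which is 13 September 2020 UTC, so the "update regex before 2017!" comment in the XML is conservative; anyone still carrying a hand-edited datetime.xml should treat that date as the hard deadline, or move the affected sourcetypes to TIME_FORMAT = %s, which has no such limit.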
Data input issues
- monitor inputs using the followTail setting sometimes index older events, or all events, from log files that are updated, when this is not intended. (SPL-23555)
- Adding an input directory without the trailing slash can produce an error: "Encountered the following error while trying to save: In handler 'monitor': Path must be absolute." (SPL-30011)
- TIME_FORMAT/strptime ignores the hour component of a timestamp if minutes are not provided. (SPL-23777)
- When configuring the file system change monitor (fschange) on a forwarder, if signedaudit = true and index = _audit are not explicitly set, fschange events are not forwarded. (SPL-25294)
- The time elapsed between startup and the indexing of events can exceed 15 minutes, either because the Hosts.data file contains thousands of duplicate hosts (some inputs add a space to the hostname) or because of the metadata files in your index. Contact Support for a workaround. (SPL-31033, SPL-31035)
- The Sources.data file grows to hundreds of MB, to the point where the index queue can cause forwarder connections to be dropped or temporarily refused. Contact Splunk Support for a workaround. (SPL-31033, SPL-31196)
- The props.conf settings CHARSET, CHECK_FOR_HEADER, and NO_BINARY_CHECK are not respected in host stanzas. Use source or sourcetype stanzas for these settings. (SPL-31303)
- Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases. (SPL-31576)
- In Splunk 4.1.4 only, NO_BINARY_CHECK is not effective. (SPL-32979)
Splunk Web and Manager interface issues
- If you have cookies disabled, or if the server and client system clocks are not in sync, you are returned to the login page. Both machines must have the correct time set, because the cookie timestamp is verified against it. (SPL-22393)
- Pressing Enter on the interactive field extractor "Save Field Extraction" form closes the form and does not save the field extraction. (SPL-30419)
- Creating a field via the interactive field extractor displays a redundant error. (SPL-30417)
- The field summary popup window doesn't show all of the field values if you have 10 events per page selected. (SPL-30464)
- If you type a new search into Splunk Web after your session has timed out (but before you have re-authenticated), click >, and log in again as requested, Splunk runs the search you ran before the one you just typed, not the new one. (SPL-30460)
- When configuring Splunk Web to use SSL, a 404 Not Found error is displayed. (SPL-30333)
- Hover-over labels in Flash timecharts are too narrow to display the entire timestamp. (SPL-30251)
- The interactive field extractor mistakenly interprets < and > in field names as comparison operators and will generate an error "Unable to get sample events: Error in 'UnifiedSearch': Unable to parse the 'Invalid LHS for comparison' search." (SPL-30148)
- Using Manager > Search Macros in Splunk Web to define search macros that take arguments results in a non-working configuration. To work around this issue, define these types of search macros in $SPLUNK_HOME/etc/system/local/macros.conf (or in the appropriate app directory). (SPL-30227)
- Disabling a deployment server server class via Manager generates an error. (SPL-30398)
- Using the browser's Back button to get back to a form view doesn't work properly; you have to re-run the search to redisplay the graph. (SPL-27179)
- Zooming out in the flashtimeline only zooms out the previous time region, not the subsequent one. (SPL-30554)
- Splunk Web still thinks your license is expired if you replace it behind the scenes. To work around this issue, choose 'Enter a new license number' and then log in. (SPL-28582)
- The success message when uploading a file in Splunk Web does not correctly display the filename. (SPL-29855)
- The link to "browse more apps" in Manager > Apps returns an ERROR page when offline. (SPL-33343)
- Using jQuery before 1.3.2 with changeset 6268 results in false ActiveX warnings (see http://dev.jquery.com/changeset/6268/trunk). A patch is available. To apply the patch:
  - Download the patch file.
  - Unzip the patch file.
  - cd $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/contrib
  - patch jquery-1.3.2.js jquery-activex.patch
  - Because Splunk Web aggressively caches content, you must then change the URI signature: open http://localhost:8000/_bump and click the 'bump version' button.
- When you filter a list of objects in Manager by app context or owner, then perform an operation on an object in the list, the filter is reset. (SPL-27623)
- Sorting columns fails when the values in the fields start with numbers but aren't pure numbers. (SPL-31478)
- Alt+Click does not include the escape character "\" when it's needed. (SPL-32934)
Charting and drill-down issues
- When a chart displays an "OTHER" bucket of values, drilling down into it adds myfield="OTHER" to the search string. (SPL-30399)
- SimpleResultsTable and Flashchart do not honor "showperc=f" with a search using "top" as the transform command. (SPL-29635)
- Options for advanced charting display briefly when loading the basic charting page. To access the advanced options, click the 'x-axis' and 'y-axis' links. (SPL-26611)
- Drill down will not work correctly if the search query contains "not". The query will get rewritten to use "NOT" (SPL-31862)
Search, saved search, scheduling, and job management issues
- Deleting events via the delete operator does not seem to work. (SPL-30499, SPL-30468)
- Pausing a search job in the Job Manager does not update the job's displayed status. (SPL-24999)
- When running a search with 'use starthoursago', the displayed time range message is misleading (although the results are correct). (SPL-30250)
- It is possible to create a dashboard which has a real-time search on it and then have it scheduled for delivery. This is not actually supported. (SPL-29782)
- There is no way to escape an asterisk (*) in the search language. (SPL-30079)
- Scheduled searches stop firing with occasional "WARN SavedSplunker - Saved splunk failed to get current user context" error in scheduler.log. (SPL-33391, SPL-38047)
- The file operator crashes splunkd and is no longer supported for 4.1.x. (SPL-36953)
- Scheduled searches containing a double-quoted greater-than sign will not properly pass arguments to alert scripts. (SPL-33246)
- Results using the perc* and median functions for stats/chart/timechart are off by one rank. For any dataset larger than a few hundred values, the error is negligible or non-existent, because the values at rank N and rank N+1 are very likely to be the same or very close. (SPL-40331)
Localization, internationalization, and character set issues
- Certain Japanese language OSes, including most versions of Windows, use the ¥ (Yen) symbol to denote backslashes in path names. This can cause issues when monitoring or spooling files, and may require custom regex configurations where a file path is part of the dataset. (SPL-23307)
(This issue is also present in the Japanese PDFs of the documentation.)
App and app development issues
- An issue exists in the first time run experience around input collisions: if you enable the *Nix App, the inputs it adds put their data in the "os" index, which by default is only searchable from the *Nix App interface. If you then try to add /var/log as an input (through the Getting Started App or any other App), an error is displayed stating that this input already exists. (SPL-25138)
- It's possible to get to the setup page for an App without enabling it first. (SPL-24852)
- No dashboards are added to the navigation menus for the Windows and *Nix Apps. (SPL-24933)
- Old modules, templates, and other App components are not deleted on upgrade. (SPL-22494)
- The *Nix app is not supported on AIX. (ENH-3001)
- Some 'form search' visual styling elements and contextual styles rely on custom css that only comes with the Search app. (SPL-29816)
- The *Nix app does not run on Windows. (SPL-25576)
- Navigation menus do not support nesting below 2 levels deep. (SPL-29475)
- If you specify more than the 3-column maximum for layoutPanel, the error message is not very helpful. (SPL-29295)
- You can create/update/clone/delete 'Navigation menus', but Splunk Web only uses default.xml. (SPL-30024)
- The SoftWrap module does not work with the ShowSource module. (SPL-39851)
Windows-specific issues
- The crawl feature is not applicable on Windows. (SPL-24843)
- Adding a Windows-specific input (such as Event Log, Windows Registry, or WMI) in Manager takes longer than adding a file or directory input. This issue will be resolved in a future release. (SPL-26235)
- The Message field is not extracted and therefore missing from imported Windows .evt data. (SPL-24947)
- Timestamps are not set correctly for comment lines in W3C (aka Windows IIS and Exchange) log files. (SPL-29111)
- The splunkd.exe executable on Windows generates about 4,000 page faults/sec when running the Windows app (only) with all the inputs turned on. This is not necessarily a real problem, since most of them are cache hits and do not become hard (on-disk) page faults. However, if the machine is under memory pressure (perhaps from another RAM-hungry app), splunkd's behavior may cause many hard page faults per second. (SPL-30343)
- On Windows XP/2003 systems, Event Log checkpointing fails if you stop Splunk, clean the events, and restart Splunk. To work around this issue, don't stop Splunk when you clean the events. (SPL-29594)
- Windows installer MSI flags place objects (such as input definitions) in conf files in $SPLUNK_HOME/etc/system/local, which can interfere with deployment server operations. (SPL-29378)
- When translating GUIDs/SIDs in event logs, if the DC Splunk is connected to goes down and then comes back up, Splunk does not recover the connection. (SPL-30368)
- When using the command line to install, if FORWARD_SERVER is set but SPLUNK_APP is not set, forwarding is not enabled. (SPL-29304)
- By default the Windows App is enabled, but no Windows inputs (wmi:* and wineventlog:*) are enabled. (SPL-30979)
- Using the CLI to perform a distributed search TO Windows Server 2008 R2 with a bundle having more than 8 lookup files fails. The same operation hangs when you use Splunk Web. Contact Support for a workaround. (SPL-33572)
- The file operator does not work at all on Windows. When used on a directory, it crashes splunkd. It will not be fixed. Instead, it is no longer supported for 4.1.x and removed in later versions. (SPL-33897, SPL-36953)
- When reinstalling or upgrading Splunk on Windows, the Splunk installer overwrites custom certificate authority (CA) certificates in %SPLUNK_HOME%\etc\auth, which can cause SSL communication between a forwarder and an indexer to fail. Back up that directory before reinstalling or upgrading and restore your custom certificates afterwards. (SPL-43373)
Unix-specific issues
- The enable boot-start feature, which creates system init scripts for Splunk, lacks some Red Hat-specific logic. Splunk is not cleanly shut down on system shutdown/reboot, and changing runlevels between 3 and 5 may try to launch Splunk when it is already running. (SPL-32812, SPL-32248)
CLI issues
- CLI output does not recognize "dumb" terminals. (SPL-30432)
- The -raw option for the CLI output command is not supported and should be removed from the help. (SPL-30404)
- CLI search using -uri from a 3.3 host to a 4.x host produces an error. (SPL-29681)
- Can't enable and disable inputs via the CLI. (SPL-30555)
- CLI 'help' information is only available if Splunk is running. (SPL-30576)
- The CLI 'reverse' command returns some events more than once. This does not happen when running the same command in Splunk Web. (SPL-33376)
Lookup issues
- Doing a field lookup from a CSV file that uses ^M (carriage return) line endings does not work. (SPL-29434)
Distributed deployment and deployment server issues
- Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
- Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed. (SPL-30065)
- When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext. (SPL-26529)
- You can't specify an app for deployment server in Manager, only server classes. (SPL-29903)
- Repository Location should not be optional at Manager > Deployment > Deployment server > Add New. (SPL-29901)
- The message displayed when a distributed search peer is unreachable doesn't tell you if there are more than one. (SPL-28399)
- Splunk2Splunk HTTP forwarding ("httpoutput" stanza in outputs.conf) is not currently functional. (SPL-32830)
- Light forwarders are unable to load-balance incoming UDP data across several indexers using autoLB; the data is forwarded to one indexer only. A regular forwarder is currently needed to achieve this. (SPL-32708)
Unsorted issues
- On shutdown, many WARN lines are displayed in splunk.log that should actually be INFO. These lines can be safely ignored. (SPL-24862)
- Splunk Web does not notify you if you specify an invalid port number in web.conf. (SPL-25584)
- Manually rolling buckets generates a "FATAL" error, although the rolling works fine. (SPL-29045)
- Persistent queue functionality is not working, and will be reworked in a future release. (SPL-27545, SPL-28957)
- Splunk doesn't run on FreeBSD with ZFS. (SPL-30317)
- Some punct tag syntax from pre-4.1 tags.conf files may not be recognized in 4.1 and searches for those tags may not return expected results. To work around this issue, recreate your punct tags using Splunk Web in 4.1. (SPL-28353)
- On the first startup after upgrading, you see the message: Checking databases... ERROR :: 'homePath'. In the 4.1.4 build, the old legacy index [splunklogger] was removed from $SPLUNK_HOME/etc/system/default/indexes.conf. If any of your other indexes.conf files still reference this index, Splunk reports this error and does not start. Remove that entry, and Splunk will start.
- A crash has been identified with SuSE Linux Enterprise Server 11 / OpenSuSE 11.0, 11.1, 11.2 and 11.3 running Splunk on x86_64. It is caused by a SuSE patch to glibc that breaks programs using external mallocs. The problem can be identified by __res_iclose() in the backtrace in the crash log. It will be fixed in an upcoming release; for now, contact Support for an interim build. (SPL-37331)
- PDF Server App is outputting PDF Reports with some overlapping panels. (SPL-38101)
- RPM package verification ("rpm -V splunk-xxx-xxx.rpm") returns the message "missing splunk-launch.conf.default" even though the package content has no problem. (SPL-35181)
- Lowering maxDataSizeMB or homePath.maxDataSizeMB in indexes.conf might freeze more buckets than the size specified in these attributes. Avoid using these attributes to reduce already-indexed volume. (SPL-40220, SPL-39849)
This documentation applies to the following versions of Splunk: 4.1.4