4.1.5

4.1.5

The following issues have been resolved in this release of Splunk:

Security issues

For additional details about the first two security issues in this list, visit the Splunk Security Portal page about them.

• Splunk's XML parser is vulnerable to XXE. (SPL-31061)
• SPLUNKD_SESSION_KEY parameter allows session hijacking (SPL-31094)

We'd also like to thank Les Fenison and Atomicorp for alerting us in such a pleasant manner that our libcrypto.so is compiled with executable stack. This has now been resolved. (SPL-33103)

CLI and configuration file issues

• NO_BINARY_CHECK did not correctly allow you to index data that Splunk would otherwise reject as binary, and CHARSET settings based on the source or pathname of files now operate correctly again. (SPL-32979)
• Bug with lookup local=t when used after inputlookup append=t. (SPL-33234)
• No way to blacklist large lookup files from being replicated (no way for an app to specify that some of its files are not to be replicated). (SPL-33144)
• Splunk crash logs fail the CRC check - need a timestamp added to the output. (SPL-32464)
• The output csv command is not producing all the results from the CLI. (SPL-31976)
• The meta::all command has been removed. The exporttool utility now works properly with or without it. (SPL-33413)
• Add an option that allows users to exclude certain files from the diag tarball. Refer to "Contact Support" in the Admin Manual for details. (SPL-26717)
• The -raw option for the CLI output command is not supported and should be removed from the help. (SPL-30404)
• The runshellscript command is undocumented in searchbnf.conf. (SPL-33112)
• Some lists returned by Splunk's CLI (for example, splunk list users only return 30 results. (SPL-32710)
• Case-sensitivity of EVT file recognition stanza in default props.conf doesn't account for files with full or partially capitalized file extensions. (SPL-32927)
• The default value of receiveTimeout in distsearch.conf is now 600 (10 minutes). (SPL-32904)

Search and scheduled alert issues

• Searches for eventtype=* throw parsing errors when the *Nix app is enabled. (SPL-32957)
• With unix app enabled, search for eventtype=*, the search inspector doesnt work. (SPL-32951)
• The eval command causes splunkd to crash in the dispatch thread when you leave a string empty. (SPL-32881)
• The eval command now has a tonumber() function to go along with the existing tostring() function. (SPL-32869)
• Error in 'UnifiedSearch': unable to parse search 'Missing RHS for OR'. (SPL-32258)
• Intentions adding "None" when you use the reverse search command. (SPL-31779)
• Events Table shows only event counts during high real-time event frequencies. (SPL-31774)
• Using the string "::" in a field value was breaking the search, even when the field name string is doublequoted. This behavior will still work, but is deprecated (message will read "Use of "<field>::<value>" (with double quotes) is deprecated. Please use <field>="<value>" instead." (SPL-31728)
• Distributed search error - "Not a Splunk Server". (SPL-31279)
• Getting an error in subsearches that use Python search commands. (SPL-31773)
• Search fails when more than 125,000 events are found at a given epoch time for a single source and index. The limit has been increased to 1,000,000 events. (SPL-32791)

Splunk Web and Manager issues

• Manager always shows 30 for files and directories. (SPL-32356)
• The time range picker displays only the first 30 items in the list. (SPL-32769)
• "setup" action of an app leaves you in another app's UI context (which prevents application.js from loading). (SPL-32275)
• With few results windowed, real-time search does not show results in EventsViewer. (SPL-32132)
• Drilldown on field where fieldname contains spaces doesn't work - fieldname not quoted. (SPL-32202)
• Link to "Add more data" in Search app dashboard returns an ERROR page when root_endpoint is set. (SPL-32106)
• "Cannot find viewstate" error after moving a saved search from one app to another. (SPL-31004)
• When you filter a list of objects in Manager by app context or owner, then perform an operation on an object in the list, the filter is reset. (SPL-27623)

Inputs and indexing issues

• TailingProcessor INFO logging is much too chatty. (SPL-33126)
• LWF internal logs are included in 'per_host_thruput' metrics. (SPL-30936)
• Adding an input directory without the trailing slash can produce an error: "Encountered the following error while trying to save: In handler 'monitor': Path must be absolute." (SPL-30011)

PDF Server appp issues

• PDF Errors with "Failed to start: Check that all Firefox dependencies are met" (SPL-31234)
• Fonts in PDF server are unreadable. (SPL-31790)
• PDF debug page does not work if SSL is turned on. (SPL-33440)
• PDF Server fails to start on Ubuntu 10.04 if libgnome-ui is installed. (SPL-33199)

Unsorted issues

• Crash in merging thread with error "Crashing thread: merging". (SPL-33351)
• Crash in "BatchReaderTPoolWorker-0" thread after a few minutes of uptime following upgrade from 4.0.3 to 4.1.4. (SPL-32956)
• Splunk now includes support for Chinese AM/PM (上午 / 下午) to date parser. (SPL-32826)
• Upgrade from 4.1 to 4.1.3 deletes batch script files from %SPLUNK_HOME%\bin\scripts. (SPL-32713)
• Crash caused by ID conflicts when moving from warm to cold, with "DatabaseDirectoryManager - Splunk has detected that a directory has been manually copied into its database, causing id conflicts" error in splunkd.log. (SPL-32602)
• Web Client Error Caused by Form Name Reference in getFormValues. (SPL-32476)
• Splunk migration should not modify the existing startup type property for the Windows services of splunkd or splunkweb. (SPL-32313, SPL-31582)
• Cert generator (genRootCA) script is missing on Windows. (SPL-32133)
• Memory Leak in tailing for excluded files (whitelist/blacklist). (SPL-31745)
• Modules in lister can be configured to pay attention to outer intentions, but not to outer time ranges. (SPL-31706)
• Upgrade from 4.0 -> 4.1 leaves stale data_extractions.xml in etc/apps/search/default/data/ui/manager/ (SPL-31174)
• Some 'form search' visual styling elements and contextual styles rely on custom css that only comes with the Search app. (SPL-29816)

• Was this topic useful?
• Post a comment