4.2.1
This documentation does not apply to the most recent version of Splunk.
The following issues have been resolved in this version of Splunk:
Security issue resolved
A reflected XSS exploit was resolved in Splunk Web. For more details about this issue, refer to this issue's page on the Security portal. (SPL-38585)
Resolved issues
- Epoch timestamps not parsed correctly after March 12, 2011. (SPL-37992)
- In rare cases, concurrent hash table and string length collisions for metadata field values can cause index-level metadata files to grow to very large sizes, up to several gigabytes. (SPL-38464)
- Splunk Web fails to start if the SPLUNK_HOME path in splunk-launch.conf ends with a directory delimiter ("/" for Linux or "\" for Windows). (SPL-38054)
- Splunk Web can become unresponsive due to excessive session/lock files in var/run/splunk. Removing the lock files and restarting Splunk will resolve the issue. (SPL-37409)
- The error "'SearchOperator:loadjob': Cannot find artifacts within the search..." is written to splunkd.log on the first run of an alert that includes the 'rises by' or 'drops by' conditions, although the search executes correctly. This is because there can be no change in the value on the first run of the search. (SPL-33432)
- If, when saving a search, a user gets the error message 'Cannot find viewstate with vsid=', it means that the user doesn't have sufficient permissions to save viewstates to the app. (SPL-37874)
- If you are using distributed search and your Splunk installation is not on the same partition as your indexes, you may see issues where you run out of disk on the indexer if you run searches that return a very large number of events (such as for *). (SPL-37799)
- Using "show source" from a 4.2 search head against a 4.1.x index doesn't remove subseconds properly and causes the surrounding search to fail. (SPL-37776)
- An error "Failed to fetch data : In handler 'win-perfmon-find-collection': bad allocation" is displayed when trying to add Performance Monitoring counters as inputs installed on a non-English Windows server. (SPL-37560)
- If you create and delete keys which have Chinese names in the Windows Registry, in Splunk, the events don't show the Chinese names. (SPL-22148)
- When viewing Splunk Web in English, a caching issue can cause Chinese text to be displayed. (SPL-37917)
- The Windows 4.2 lightweight and universal forwarder parses WinEventLog datastreams on the forwarder, preventing all parsing control on the indexer. The symptoms of this are: no filtering or routing to the nullqueue based on props and transforms. (SPL-38443)
- A migration from 4.1.x to 4.2 on Windows replaces %SPLUNK_HOME%\etc\apps\windows\default\*.conf files with *.conf.in filenames. Work around this issue by first backing up the configuration files for your existing Windows app's local directory, then download and install the latest Splunk for Windows app from Splunkbase. (SPL-38402)
- Events from Windows Event logs line break at random positions. Work around this issue by editing the value of LINE_BREAKER in $SPLUNK_HOME/etc/system/default/props.conf and specifying ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) as the value. (SPL-38325)
- Splunk Web shows Event Log Collections that were enabled in 4.1.x as going to index=None, although it is actually going to the default index. (SPL-37529)
- Setting restartSplunkd=true on a Windows deployment client causes an error: "Exception: <type 'exceptions.WindowsError'>, Value: [Error 6] The handle is invalid" to be written to the Windows Application event log. (SPL-37439)
- The splunk list index command returns a segmentation fault. (SPL-37796)
- Distributing a search to a Free version of Splunk gives a "version mismatch" warning. (SPL-37167)
- Deployment manager shows extra (not real) forwarders because of empty fields in metrics.log. (SPL-37264)
- Occasional universal forwarder crash in TcpOutEloop. (SPL-37491)
- Forwarder crash with 'TcpOutputClient::decrementRefCount(): Assertion `_refCount > 0' failed'. (SPL-38776)
- If upgrade from 4.1.x to 4.2 fails and "An error occurred: Failed to run splunkd rest" is displayed during the migration process, it is possible that the *nix app failed to migrate. (SPL-38651)
- A warning message ("Skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block") is displayed in Splunk Web due to congestion in queues (most often tcpout-queue). (SPL-37407)
- An error ("ERROR IndexProcessor - 'homePath' tag required in config for index sample") stops migration process when upgrading from 4.0 to 4.2. (SPL-38061)
- The splunkd process crashes on startup if a bucket's metadata is corrupt. (SPL-36595)
- Migration from 4.2 should check for metadata corruption. (SPL-38730, SPL-38738)
- New 4.2 installations use serverName that does not agree with 4.1.x versions. (SPL-38563)
- New 4.2 installations on Windows use $COMPUTERNAME rather than hostname for value of host. (SPL-38561)
- Universal forwarder changes capitalization of the hostname and the UI now displays two hosts. (SPL-38141)
- Search Head Pooling gets an "end-of-stream" error in the app view if the app is located not only in the shared mount point, but also in etc/apps. (SPL-38485)
- Upgrading from 4.1.x to 4.2 overwrites existing Windows and *Nix app config files with files ending in .in. (SPL-38402, SPL-38340)
- Crash in HTTPRequestHandlerThread in splunkd when enabling the *Nix app. (SPL-38260)
- Splunk Web en-US/paths URL is returning "IndexError: list assignment index out of range". (SPL-38100)
- Can't use the Services.msc interface to restart Splunk Web on Windows after changing caCertPath, changes don't get picked up properly. (SPL-38027, SPL-35732)
- Mako runtime error when upgrading from 4.1.x to 4.2 on PPC Mac. (SPL-38026)
- Getting an error "ERROR IndexProcessor - calling getPolicyByDomain, but not a read-only IndexProcessor." in splunkd.log since upgrading to 4.2. (SPL-37994)
- Universal forwarders accept and spawn search processes that crash with a lot of PROCESS_SEARCH WARNs in splunkd.log. (SPL-37978)
- Splunk generating a lot of dmp files from splunk-admon.exe crashing. (SPL-37898)
- Search head peers drop off the list of known search head peers in Manager if authentication against that peer fails. (SPL-37754)
- The splunkd.log fills with 2 ERRORs every 5 seconds once minimum free disk space reached. (SPL-37616)
- Table command adds a bunch of empty fields at the very end of running the search. (SPL-37500)
- Queue full with raw TCP input causes a hang and unclean shutdown when doing index-and-forward. (SPL-37465)
- Banner message "skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block" when there is no congestion. (SPL-37407)
- splunk-optimize doesn't identify bad tsidx when it finds one. (SPL-37107)
- No error messaging displayed to users if SSO login fails. (SPL-30884)
- Upgrade of SplunkLightForwarder and SplunkForwarder tries to launch Splunk in browser at the end. (SPL-25676)
This documentation applies to the following versions of Splunk: 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5