4.3.1

4.3.1

The following issues have been resolved in this release of Splunk:

Resolved security issues

This release contains a fix for a security issue:

• Reflected XSS in Splunk Web (SPL-38585)

For more information about this issue, refer to the notice about it on the Splunk Security portal.

• We have updated OpenSSL to version 0.9.8t (CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2012-0050). (SPL-47440)

Resolved highlighted issues

This release contains a fix for this priority issue:

• Events from 2/29/12 are not displayed in results from searches using relative day time boundary (-1d@d) on Windows, Solaris and AIX. (SPL-48724)

Other issues resolved in this release

• Memory leak in process tracker. (SPL-48350)
• Thread deadlock between PropertyPages and UserManager. (SPL-48156, SPL-47973, SPL-47905)
• Memory leaks in lookups. (SPL-48046)
• Crash when using 'show source'. (SPL-48009)
• Choosing 'start new source type' in data preview uses props.conf values from previously auto-detected source type. (SPL-47198)
• Can't re-log in to a Splunk Web session on IE9, session shows as expired. (SPL-46857, SPL-47467)
• New default wildcard setting for value of proc in regmon-filters.conf. (SPL-46805, SPL-46844)
• Flash vs nonflash charts do not display the same x-axis range. (SPL-46724, SPL-47495)
• Error when inputs.conf contains an invalid tcp:// stanza is very unclear ("In handler 'raw': * specified in incorrect format. Please specify in <host>:<port> form"). (SPL-46697)
• Error "Failed to index" (some number of events) when rebuilding rawdata. (SPL-45933)
• Metadata searches (run when the sumary dashboard is loaded in Splunk Web) are consuming a lot of memory. This issue is also discussed in detail on Splunk Answers (SPL-45901, SPL-47087, SPL-47088)
• The spath search command leaks memory when used on data of source type "twitter". (SPL-48387)
• Changing a chart to remove the X-axis when the number of categories is above 80 will continue to remove the x-axis even if the categories are fewer than 80. (SPL-47503)
• Upgrading an app using the "install app from file" option in Splunk Web fails. (SPL-47354)
• Various apps, including the Search app, Splunk for Windows, the Deployment Monitor, and the Web Intelligence app are not working on German, Japanese, and Chinese versions of Windows. (SPL-47279)
• When performing lookups, duplicate/redundant fields are added, causing high memory usage. (SPL-47239)
• Fatal signal 6 crash in DispatchReaper when restarting Splunk if the DispatchReaper thread fails to properly parse a search artifact in the search dispatch directory. (SPL-47232)
• Issue with timeformat setting assuming the leading "=" is part of of the time format definition. (SPL-46840)
• Indexer thread pool workers which are executing BucketMover:AsyncFreezer can get stuck doing statfs64() most of the time that they are picked up by pstack, which hammers the storage device. (SPL-46638)
• When using search head pooling, lots of /etc/users directories makes conf/search startup very slow. (SPL-46568)
• Sparklines over all time don't always render properly, and are sometimes blank. (SPL-46534)
• The text field and drop-down menu in the Create alert panel are cropped. (SPL-46386)
• Setting CHARSET in data preview has no effect. (SPL-46347)
• When adding using an IPv6 address as the host for forward-server from the UI, duplicates are allowed (and shouldn't be. (SPL-46096)
• Indexer using the Hadoop Connector app sees splunkd grow to several GB of RSS/Virtual size, exhausts available swap space. (SPL-46056)
• High CPU usage when using universal forwarder in cloning groups where the UF is sending uncompressed data and the indexers are expecting compressed data. (SPL-46034)
• Fatal signal 6 crash in universal forwarder MainTailingThread. (SPL-45418)
• Incorrect date format for en-GB, it-IT, ja-JP, ko-KR, zh-CN, and zh-TW onthe x-axis of summary and report chart and flash timeline views. (SPL-42469)
• Saved search manager loses lookup populating fields it does not recognize. (SPL-42244)
• A splunktcp input can become unacceptably slow when DNS resolution is slow, and connection_host is set to DNS. There is no warning logged anywhere. (SPL-41351)
• Fatal signal 10 crash in DispatchReaper thread due to non-existent accessed physical address. (SPL-46028)
• Fatal signal 11 crash on universal forwarder MainTailingThread. (SPL-39617, SPL-40409)
• Search Head Pooling: segfault in PropertyPages when IConfCache gets bounced while _cacheLock held. (SPL-48070)
• In Manager > Data inputs > Remote event log collections, the enabled/disabled banner message does not display the correct status. (SPL-45692)
• Under Firefox 3.5 via Splunk Web's Manager > Access Control > Users to save a new user record, a banner message displays indicating: Your entry was not saved. The following error was reported: server abort. (SPL-47195)
• The spath command does not correctly recognize and extract nested XML elements unless you list every element above the one you want to extract. (SPL-46890)
• The like function is not accepting sub-functions. For example: | where A like(lower(B)). The workaround is to use the sub-function in an eval expression before | eval B=lower(B). (SPL-47213)
• fstat incorrectly reports the size of the journal write to NFS, resulting in missing indexed data. (SPL-39590)
• Unreasonable ViewstateReaper RAM usage with ~600 global app viewstates + 1000's of /etc/users. (SPL-48037)
• Ubuntu zoneinfo causes Splunk timestamp to show 18 min and 48 seconds due to 01/01/1920 time change. (SPL-47828)
• A view of an app cannot use the dispatch directory of a saved search, unless said search is within the content of the same app. (SPL-47771)
• A non-working UDP input (for example if another process is using the same port) will cause a splunkd crash on Windows. (SPL-47539)
• When a real-time windowed search has too many results in the window, disk is used as backing store. these files should be gzipped rather than straight csv to save space. (SPL-47462)
• The upper() eval function not identified as returning a string . (SPL-47447)
• Non-flash chart with a real-time search is leaking memory. (SPL-47359)
• Link to results from RSS goes to a different event in the result set than the link from an alert. (SPL-47240)
• In Firefox 3.5, when saving new user record, displays red banner of "Your entry was not saved. The following error was reported: server abort." (SPL-47195)
• The splunkd tcpinput seems to have trouble with "connection aborted" ECONNABORTED on first accept() -- tcp input stops calling accept() after this point. (SPL-47102)
• The redirect to set up the Windows TA app directly after installing it fails because the app name is all lowercase. (SPL-47073)
• Internationalization log warnings should be DEBUG-level messages. (SPL-47017)
• Splunk Web shows a maximum of 100 indexes in the role permissions screens. (SPL-46879)
• The default saved search "Messages by minute last 3 hours" no longer shows anything in default report. (SPL-46868)
• IPv6 and syslog out (TCP or UDP) do not work well together; events are not received from forwarders. (SPL-46860, SPL-46859)
• Using distinct_count as stats function for a sparkline causes search to fail. (SPL-46818)
• Alert action: Script: runshellscript.py fails to escape special characters, and fails to pass full contents in a argument. (SPL-46735)
• When configuring forwarding and receiving ( Manager » Forwarding and receiving » Forward data ), Splunk currently allows you to make duplicated IPv6 entries. (SPL-46676)
• Data preview: clicking reset after apply existing sourcetype clears chosen source type (SPL-46673)
• Forwarding with SSL does not seem to compress the SSL stream. (SPL-46535)
• Fatal signal 11 crash on Sparc with "No memory mapped at (some address) Crashing thread: MainTailingThread". (SPL-46421)
• Fatal signal 10 crash on Sparc with "Unaligned memory access at (some address) Crashing thread: MainTailingThread". (SPL-46390)
• User can browse an AD via Splunk Web but cannot connect via the CLI. (SPL-46411)
• The license_usage.log can display blank values for the host value (h) This is causing reporting issues where customers rely on the host value to gather stats. (SPL-46372)
• Drop down boxes overlap other drop down boxes in Edit visualization dialog box. (SPL-46301)
• The init.d splunk script returns a useless error code (always 0) for 'status' command. (SPL-46273)
• In the absence of a default "host" in inputs.conf, events indexed to _audit get "host=localhost". This is inconsistent with the "host" value for _internal. (SPL-46179)
• The append command fails when the subsearch to which the results are to be appended produces an empty result set. (SPL-46175)
• Data preview: the tree browser displays same folder twice. (SPL-46158)
• WARN DiskMon - Potential performance issue: getting available disk space for partition (blockSignature index problem). (SPL-45990)
• WARN DiskMon - Potential performance issue: getting available disk space for partition (forward slashes in indexes.conf on Windows). (SPL-44955)
• Windows regmon ExecProcessor error in splunkd.log after clean install "No enabled entries have been found for regmon or procmon in the conf file" and the ERROR and INFO messages are on the same line. (SPL-45986)
• Incorrect msg "Enabled localhost" is displayed even when the event log collection for localhost is disabled. (SPL-45692)
• Treeview: tree grows in a loop when "Unable to connect to AD" error occurs. (SPL-45664)
• 4.2.4 deployment-client unable to finalize install if /metadata/local.meta file is not present in the bundle. (SPL-45019)
• Splunk is ignoring whitelist hive path set in regmon-filters.conf and is indexing paths other then what is specified. (SPL-41561)
• splunkd only reports the first bucket collision found in each index upon startup even if several conflicts exist. (SPL-39107)
• when splunk diag fails, it should clean up temp files. (SPL-46226)
• force cval generated on login page to always be an integer (SPL-46300)

• Was this topic useful?
• Post a comment