Release Notes

 


Known issues

This documentation does not apply to the most recent version of Splunk.


The following are issues and workarounds for this version of Splunk.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "About upgrading to 5.0 READ THIS FIRST" in the Installation Manual.

  • Admin users can't schedule saved searches of users unless the saved searches are shared (SPL-73386). To work around this problem:
    1. Create a special power/admin user who can run scheduled searches.
    2. Assign this user ownership of the scheduled searches.
    3. Share the searches at the app level and grant read/write permission to the correct set of users.
  • In a search head pooling environment, the restart banner displays unnecessarily. (SPL-71121)
  • Adding an invalid saved search manually to savedsearches.conf causes splunkd to crash. (SPL-70756)
  • Stale lock file slows search performance. (SPL-74400)
  • Bundle replication fails when serverName or search head pool GUID has a final segment containing only digits. (SPL-73797)
  • Opening saved searches for editing is very slow. Workaround: disable fetch_remote_search_log in limits.conf. (SPL-75354, SPL-75647)

Data input issues

  • Adding an input using the CLI results in different capitalization of the source name depending on whether you use monitor or oneshot. (SPL-54816)
  • If you edit indexes.conf by hand to add an index with a mixed-case name, you cannot add an input to that index. (SPL-51167)
  • You cannot edit a UDP input if it includes a value in the 'restrict to host' field. (SPL-47146)
  • The file browser in Data Preview will display an error and only part of the file system when trying to load large numbers of subdirectories (100+) and files (1000+). (SPL-46503)
  • Cannot edit a scripted input containing backslashes in Manager on OS X. (SPL-56043)
  • Index names cannot contain uppercase (capital) letters. (SPL-55544)
  • A trailing slash (\) on an inputs.conf monitor stanza belonging to the source attribute will corrupt the sources.data file and Splunk will not start. (SPL-33760)
  • Monitor inputs that use the followTail setting sometimes index some older events, or all events, from log files that are updated, even when this is not intended. (SPL-23555)
  • Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases. (SPL-31576)
  • When specifying a monitor input with a wildcard at the root level in Windows, Splunk logs an error and fails to index the desired files. (SPL-37087)
  • When you add a CSV or IIS source type, Splunk appends -1, -2 and so on to the source type name. (SPL-43865)
  • Very busy logfiles which are "rotated" with the copy-truncate pattern can lead to partial logfile re-indexing minutes to hours after the copy+truncate occurs. The duplication will consist of all events from the file start to some point in the middle of the file. (SPL-70749)

Charting issues

  • The majorUnit parameter is not supported in JSChart for time axes (it is supported for numeric axes), but usage of it in Simple XML does not automatically force the chart to display in Flash. Instead, Splunk ignores any manually defined majorUnit setting you provide. As a workaround, include another unsupported-by-JSChart property definition to force the chart to display in Flash with your majorUnit setting in place. For example, if you are trying to set a 1 hour major unit (using a tag like <option name="charting.axisLabelsX.majorUnit">P0Y0M0DT1H0M0S</option>), add <option name="charting.scaleX">1</option> to the Simple XML for the chart. This causes the chart to render correctly in Flash with the major unit displaying in 1 hour increments along the X axis. (SPL-52051)
  • Setting the "stack mode" changes the 'multi-series mode'. (SPL-48439)
  • When a chart displays an "OTHER" bucket of values, drilling down into it adds myfield="OTHER" to the search string. (SPL-30399)

Index replication issues

  • If you disable a set of cluster peers and then run a distributed search across the now standalone set of indexers, you will get duplicate events. (SPL-60897)
  • During a rolling restart, the cluster master is showing indexes as unavailable for searching, despite having 2 of the 3 nodes available. (SPL-55972)
  • Deleted files on a hot bucket exist only on the source peer and will be lost if the source peer goes down before rolling the bucket. (SPL-52062)
  • splunkd hangs when an instance is configured as a peer and the master is not available. (SPL-54657)
  • Disabling clustering on a peer node and then attempting to re-enable it later causes hot buckets to be handled incorrectly, which means the peer cannot be added back into the cluster. This scenario occurs when you take an existing peer node and disable clustering on it (turning it into a standalone indexer), and then subsequently re-enable clustering to turn it back into a peer on its original cluster. In this situation, any hot buckets that were created on the peer but not rolled when clustering was still enabled will get rolled after you disable clustering and restart the indexer. At that point, they get marked as standalone buckets, since the indexer is no longer a peer. Those buckets also exist on the remaining cluster as replicated buckets, since they were streamed to other peers while the indexer in question was still a peer. If you then re-enable clustering on the peer and restart it, the bucket conflict causes the peer to fail to register with the master. (SPL-52901)
  • When you deploy a cluster master with no peers or search head and do not add any within 2-3 minutes, a duplicate error "Received an empty peer list from the master" is displayed. (SPL-55532)
  • Crash in TcpOutEloop on a third node when two other nodes have been taken offline. (SPL-53753)
  • When configuring a cluster peer, a misconfiguration of server.conf (for example, configuring an instance as a peer when there is no master available) could cause splunkd to hang. (SPL-54657, SPL-53447)
  • Peers cannot add themselves to cluster if splunkd SSL is disabled on the master, or if the peers have SSL disabled and the master has it enabled. (SPL-56179)
  • The clustering manager dashboard loads more slowly if there are many buckets. (SPL-56172)
  • When the specified replication port is not available, there is no error message and splunkd will not start. (SPL-55216)
  • If you index a small amount of data on a peer with clustering disabled, stop the peer, and then enable clustering on it, the peer's splunkd.log shows warnings containing status=skipping reason="could not get size for journal", and the data is unsearchable until clustering is disabled on that peer. (SPL-54805)
  • Piping a search to the delete operator is not applied to replicated copies if the primary peer fails right after the delete happens. (SPL-54063)
  • A node that has been re-added to the cluster (after failure) does not get searched. (SPL-52828)
  • If you configure a cluster master with replication factor of n and configure fewer than n peers, peers are redirected to the configuration page even if it is fully configured, until at least n peers are configured. (SPL-56144)
  • Changing an instance to master from peer in Splunk Web does not remove master_uri or replication_port from server.conf, although everything works. (SPL-55641)
  • If you set up a cluster peer in Manager, do not specify a TCP port, and ignore the warning, the port is enabled but the configuration is written into $SPLUNK_HOME/etc/system/local. (SPL-54570)
  • An ugly error message is shown in Splunk Web when a peer fails to connect to the master. (SPL-53091)
  • Required fields are not indicated in the index replication pages in Manager. (SPL-53066)
  • When issuing a rolling restart, 'Failed to start search process' messages are written to splunkd.log. (SPL-52430)
  • Can only specify useACK=true from outputs.conf, not from Manager. (SPL-50000)
  • A cluster master allows a slave with a duplicate guid to add itself to the cluster. (SPL-48149)
  • AckQ causes permanent data stall when a single pData is larger than entire AckQ size. (SPL-82109, SPL-84882)
  • Downloads of knowledge bundles from search heads to search peers could result in bundle corruption on the peers due to timeouts. (SPL-82333)
  • Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created, it goes to /etc/apps, while the same file may exist in /etc/slave-apps, causing this warning. (SPL-70433)

Integrated PDF generation issues

  • PDF charts do not use the same colors as are used in the onscreen charts, and are inconsistent for a given field from panel to panel. (SPL-48566)
  • Panel names that have words that are too long to wrap extend off the side of the page. (SPL-54782)
  • "Shiny"-type gauges display as minimal-style gauges in PDF printouts. (SPL-48517)
  • Split multi-series mode charts don't print to PDF. (SPL-48437)
  • Heat maps aren't printed. (SPL-73029)
  • Firefox on Windows does not render chart panels in PDF (SPL-74353). To work around this problem:
    1. Install a free PDF reader if one is not installed already (http://get.adobe.com/reader/).
    2. Go to Firefox -> Options -> Applications.
    3. Set Adobe Reader as the default app for rendering PDF documents.
  • PDF generation fails when dashboards include HTML. (SPL-75106)

Report acceleration issues

  • The Report Acceleration Summary page shows the same accelerated search created by both Admin and Power users on different lines. (SPL-56319)
  • The breadcrumb trail for the Report Acceleration page in Manager always links back to the Search app instead of respecting app context. (SPL-55558)

Search, saved search, alerting, scheduling, and job management issues

  • Time range validation in the Edit Search dialog incorrectly complains about latest time when it is validating earliest time, even if there is no error. To work around this issue, use epoch time format. (SPL-56393)
  • The search assistant continues to return values present only in deleted data. (SPL-54951)
  • The search assistant doesn't complete commands where the cursor is but instead replaces the last part of the search command. (SPL-48546)
  • When starting from a saved search, changing the search string and pressing the search button doesn't clear the module context, and you get errors like "Search cloned false ID". (SPL-54924)
  • In IE, when you click on a dashboard created by a very long search and are taken to the flashtimeline, the search is incomplete and broken. (SPL-45760)
  • When adding a pre-existing shared saved search to a dashboard, users can't save the dashboard and can't edit the name of the existing saved search. (SPL-54355)
  • When using the tscollect command, if the string specified for namespace includes single quotes, they will be included in the name of the folder created on the filesystem, although double quotes do not have this problem. (SPL-53458)
  • Creating a realtime backfill saved search in savedsearches.conf does not happen if default_backfill = false in limits.conf. (SPL-53157)
  • strptime() conversions that use a time format string ending in "%H" do not work because Splunk interprets missing minutes as not matching the regex. To work around this issue, use %H:00 with strftime and %H:%M with strptime. (SPL-51772)
  • Using the spath command fails if a field was added from the search assistant. (SPL-46765)
  • Sharing a previously private scheduled summary index-populating search in a search head pooling environment may result in duplicate runs of the search and therefore duplicate data. (SPL-46970)
  • Using mode=sed with the rex command does not replace characters with a '\' value correctly. (SPL-55549)
  • The values of date_* fields, such as date_hour, are based on UTC; these fields are not timezone-aware. Never use these fields if you are searching events in a non-UTC timezone. (SPL-56028)
  • Saved search stanzas that are bigger than 4K will increase the load time of an app. To work around this issue, split saved searches into multiple apps. (SPL-63698)
  • Modifying _time in a subsearch may return an incorrect number of events, with no warning or error message in the logs. As a workaround, use the main search if the _time value needs to be modified. (SPL-45787)
  • Distributed searches can intermittently fail on certain search peers with an error banner indicating "Streamed search execute failed because: User could not act as: <username>". The affected peer will not return results for this search. (SPL-66763)
  • Silent failure: no warning is recorded when a shared scheduled search's scheduled time changes to None because the owner/user was deleted. (SPL-79341)
  • If you use | reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated. (SPL-67642)
  • In a distributed search environment, the "reverse" search command returns records out of order. (SPL-78110)
  • Customers are unable to search a specific time range due to an error that states "Earliest time cannot be greater than latest time." Workaround: add earliest= and latest= commands to the search query. (SPL-90717)

Splunk Web and Manager interface issues

  • If you change the value in "Path to indexes" (Manager > System Settings > General Settings), you must use the CLI to restart Splunk. If you restart from within Manager, the change will not take effect. (SPL-55858, SPL-55770)
  • Clicking on "Collapse all" doesn't collapse the tree to the root nodes in "view source" mode. (SPL-51328)
  • If you misconfigure an LDAP strategy in authentication.conf, you can't fix it in Manager. (SPL-51024)
  • When you zoom several times, charts do not resize correctly when toggled into edit mode. (SPL-46211)
  • When you edit a dashboard using the Visualization Editor, any comment tags you had in your XML may be re-arranged. (SPL-52004)
  • The indexing status dashboard's "Index health" graph and "Analysis of index bucket" do not work for multiple indexes, only a single index. (SPL-34123)
  • If you upload a lookup table file (Manager > Lookups > Lookup tables files) and then try to configure a new lookup definition (Manager > Lookups > Lookup definitions > Add new), you may not be able to select the file. There are two workarounds. First, you can upload the file again, starting in the destination app context. For example, to upload it to the search app, make sure you start from the search app. Second, if the file is already uploaded, change the file's permission so that it is global. For example, in the permissions view, under "Object appears" select "All apps". (SPL-36241, SPL-51601)
  • In IE6, drilling down and then hitting the Back button on the browser can cause dropdowns to not work or the search in question to use incorrect values for source type. (SPL-59089)
  • The "Next" link in Splunk Web should be grayed out after displaying by default 10K events in 4.3.x and 1K events in 5.0.x. Clicking "Next" at this point will display an empty page. (SPL-64905)
  • The paginator calculates the number of pages based on oldest buckets instead of the most recent which causes some pages to be inaccessible or blank. (SPL-73077)
  • If the session timeout (Manager > System Settings > General Settings) is set to less than 60 seconds, the Splunk Web login page displays a "Your session has expired" warning message. (SPL-73413)

Distributed deployment, forwarder, and deployment server issues

  • The universal forwarder fails to recognize that indexes should be remote when being specified via CLI. (SPL-38182) To work around this, specify the destination index manually in inputs.conf.
  • The splunk list forward-server command does not indicate (ssl) when using common settings under default group. (SPL-55827)
  • The dbinspect command only allows for information on the local server and does not work in the context of distributed search. (SPL-56188)
  • Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
  • Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed. (SPL-30065)
  • When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext. (SPL-26529)
  • You can't use Manager to specify an app for deployment server to deploy, you can only specify server classes. (SPL-29903)
  • Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
  • Forwarder startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
  • Distributed search bundle replication from *nix to Windows with illegal Windows file name characters in file name can cause bundle extraction to fail. This operation can loop and cause unwanted disk space to be used that is normally used for bundle extraction. (SPL-39464)
  • A [pooling] stanza in the <sh_pooling>/etc/system/local directory can cause the mounted bundle on a search peer/indexer to fail. (SPL-65575)
  • In splunkd.log DeploymentClient debug message says: DEBUG DeploymentClient - Handshake not yet finished. will continue retrying with a rate of '60000 secs'. The value 60000 is in msec and not secs. (SPL-70584)
  • Universal forwarder stops forwarding Windows security and application event logs when anti-virus is running on the forwarder. (SPL-81782)
  • Search heads request truncated replicated bundle listing from indexers, causing problems if a bundle >30 entries in the past is needed. (SPL-86758)

Windows-specific issues

  • If the Splunk installer cannot start its pre-flight checks during an upgrade, it improperly rolls back the upgrade, resulting in missing files in the %SPLUNK_HOME%\bin directory. Index files are not affected. (SPL-53796)
  • When you run the diag command, Splunk generates an "Error duping file" message. Splunk creates the diag file properly, however. (SPL-56016)
  • Splunk's universal forwarder installer improperly ignores the PERFMON and MONITOR_PATH installation flags when you install it from the command line using msiexec /i. (SPL-54615)
  • If you abort an upgrade by clicking the "Cancel" button to exit the installer, you then cannot roll back the upgrade later. (SPL-53796)
  • If you specify an incorrect WMI Query Language (WQL) parameter in wmi.conf on a forwarder, the forwarder doesn't send any WMI data, even data retrieved from correct WQL queries elsewhere in the wmi.conf file. (SPL-52403)
  • LDAP authentication does not work on Windows over the IPv6 protocol. (SPL-48342)
  • Splunk does not capture Registry events that occur within the first 30 seconds of either starting Registry Monitor or creation of a new Registry key, due to Registry Monitor's initialization lag. (SPL-43913)
  • If you upgrade a universal forwarder on Windows multiple times, the installer adds multiple universal forwarder items in the Windows "Installed programs" list. (SPL-54836)
  • Splunk on Windows does not properly update or save lookup tables when it accesses them with a search. (SPL-40332)
  • In Internet Explorer, Splunk Web does not properly display multi-lined events preceded with spaces (such as Windows Event log events, WMI events or XML). To work around this, turn off "Wrap results" in the Options menu. (SPL-40354)
  • Splunk does not correctly set timestamps for comment lines in W3C-compliant (Internet Information Server (IIS) and Exchange) log files. (SPL-29111)
  • Splunk does not pass a warning message when it tries to index a corrupt or invalid gzip file on Windows. (SPL-42212)
  • The universal forwarder installer on Windows does not copy certificates from Windows/Samba shared directories. (SPL-45590)
  • The Windows universal forwarder does not automatically extract the date_* fields from Windows events. To work around this problem, use a search-time extraction on the indexer. (SPL-51303)
  • If Splunk's Active Directory monitor encounters any kind of network error when communicating with a domain controller (DC) during the process of monitoring it, the active directory monitor terminates the offending thread, and no longer monitors that DC until Splunk relaunches Active Directory monitoring at the next monitoring interval. To work around this problem, install a universal forwarder on to each DC you want to monitor. (SPL-56946)
  • In Internet Explorer 6, if you click the "Back" button after drilling down into a chart or dashboard, some dropdowns in the chart can subsequently stop working. Additionally, the search that supports the chart can use incorrect values for the source type. (SPL-59089)
  • When you perform network-intensive activities in Splunk on Windows, such as running an app that invokes more than six concurrent real-time search requests, or configuring a deployment client to point to a deployment server which is on the same computer, the system could become inaccessible from the network within a period of 8 to 12 hours, or as long as 2 to 3 days, depending on the amount of network activity. For additional information on how to work around this problem, read "Workaround for network accessibility issues on Splunk Windows systems under certain conditions" in this manual.
  • A problem with the deployment client can cause a Windows server running that client to take longer to start than the Windows service manager allows. Affected systems log an entry into the System event log: A timeout was reached 30000 milliseconds while waiting for a transaction response. (SPL-61193)
  • Splunk is not able to delete indexes specified in indexes.conf if you specify non-native directory separators ("/" instead of the correct "\" on Windows) in the path specifier attributes for the index (such as homePath or coldPath). To work around the problem, edit indexes.conf and change the path specifiers to be "\" instead of "/". (SPL-65186)
  • On Windows hosts with multiple CPUs, Splunk's performance monitor does not return values of greater than 100 for the % Processor Time counter, even though the counter itself might be returning greater values. (SPL-70533)
  • Universal forwarder stops forwarding Windows security and application event logs when anti-virus is running on the forwarder. (SPL-81782)

Unsorted issues

  • When you update an endpoint (for example, by a POST to apps/local/{name}), some endpoints return the updated entity (i.e. echo) and some don't. (SPL-50391)
  • JSON output for events, results, and results_preview does not seem to respect segmentation=full. (SPL-51799)
  • Changing the value of SPLUNK_DB and restarting from Manager does not respect the SPLUNK_DB change, whereas restarting from the commandline does. (SPL-55858)
  • The results_preview REST endpoint reports preview=0 when there are no results even if the job is still running. (SPL-55567)
  • Endpoints do not consistently provide eai:attributes/fields information. (SPL-50881)
  • Treeviewer does not detect change of AD structure. (SPL-53277)
  • When exporting events, time bounds are not respected if you have run the original event-generating search against a wider timerange. (SPL-47926)
  • Simple XML form searches using the populatingSavedSearch parameter will fail if any whitespace characters are present before and/or after the saved search name. (SPL-57181)
  • The $SPLUNK_HOME/bin/bloom utility is unsupported and creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility. (SPL-50742)
  • When starting Splunk, if there happens to be a duplicate bucket ID (same ID in both warm and hot DB), splunkd will crash due to an uncaught DatabaseDirectoryManagerException exception. (SPL-36819)
  • BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
  • Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
  • When you install Splunk on Ubuntu using the Ubuntu Software Center and the .deb package, Ubuntu displays an error message that the package is of bad quality. Workaround: install using the .tgz file (SPL-43264).
  • After upgrade from 4.3.x, splunkd.log is reporting a lot of ERROR ProcessDispatchedSearch - PROCESS_SEARCH - Error opening "": No such file or directory. (SPL-63237)
  • Splunkd.log reports sporadic messages: "ERROR NetUtils - Unable to negotiate ssl connection: error=1, Success" and "ERROR NetUtils - SSL Error = error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number". To work around this issue, set [splunkd] category.NetUtils = CRIT in log.cfg. (SPL-63625)
  • The migration.conf file does not have a spec or example file and is missing from the configuration file reference. This file stores a manifest of all the migration steps performed on the instance. (SPL-72543)
  • On an instance that is not the license master, the "See License Manager" link in a license warning message points to the Splunk instance itself, not its license master. For warning/alert messages, visit the license master's Manager -> Licensing view. (SPL-42070)
  • PDF Report Server App doesn't work with latest Xvfb. (SPL-66213) Workaround: install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos
  • The roleMap attributes in $SPLUNK_HOME/etc/system/local/authentication.conf are removed by the command "splunk reload auth" or by restarting Splunk when bindDNpassword is empty. A workaround is to use an app's local directory instead of $SPLUNK_HOME/etc/system/local. (SPL-85036)
  • TCP output stalls inside unnecessary condition variable. (SPL-84231)

This documentation applies to the following versions of Splunk: 5.0.4

