Fixed issues
Splunk Enterprise 7.2.0 was released on October 2, 2018. This release includes fixes for the following issues.
Issues are listed in all relevant sections. Some issues might appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.
Highlighted issues
Date filed | Issue number | Description |
---|---|---|
2018-08-29 | SPL-159442, SPL-156444 | Searches in 7.1.x may take considerably more memory than with 7.0.x or earlier. This applies particularly to searches that search and/or return a large result set. Due to search speed performance improvements some memory usage increase is expected with 7.1.x and later even after this issue is fixed. |
Highlighted issues
Date resolved | Issue number | Description |
---|---|---|
2018-07-12 | SPL-146352, SPL-156438, SPL-156439, SPL-156440, SPL-156441 | LDAP reload can severely delay remote app deployment, need app reload metrics to improve diagnosability. |
Authentication and authorization issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-10 | SPL-158140, SPL-156361 | Splunk is crashing with DUO authentication after reload is issued |
2018-08-09 | SPL-155548, SPL-167662 | Unable to see all local users in search head UI |
2018-06-28 | SPL-146728 | Exported SAML SP Metadata not respecting "nameIdFormat" configuration. |
2018-06-07 | SPL-155316, SPL-149332 | SAML - Upon Login Failure all current roles being sent is displayed to user in error message |
2018-05-23 | SPL-153877 | SAML IdP configured for Centrify throwing: AdminHandler:AuthenticationHandler Errors |
2018-04-09 | SPL-151937, SPL-153123, SPL-153124, SPL-153125 | Scripted authentication fails to parse getSearchFilter output, hitting PCRE_ERROR_MATCHLIMIT. |
Data input issues
Date resolved | Issue number | Description |
---|---|---|
2018-10-25 | SPL-156817 | HEC json file give "Invalid data format" on 7.x versions with event sizes greater than 512kb |
2018-07-26 | SPL-147638, SPL-157922, SPL-157923 | Splunkd crashes when HEC inputs configuration contains duplicated tokens |
2018-07-19 | SPL-157319, SPL-156315 | After upgrade to 7.x, HEC events greater than 512KB are dropped with parsing errors, resulting in degrade of indexing throughput |
2018-06-01 | SPL-153591, SPL-155066, SPL-155067, SPL-155069 | high delay on events from UF after upgrade to (6.6.x) |
2018-04-12 | SPL-152628 | PREAMBLE_REGEX doesn't work on 7.0.2 but OK with 7.0.0 |
2018-03-14 | SPL-137275, SPL-130962 | Files are not getting ingested if there is missing eol |
Search issues
Date resolved | Issue number | Description |
---|---|---|
2018-09-05 | SPL-159414, SPL-159182 | Memory growth with transactions and keeporphans |
2018-08-15 | SPL-154875, SPL-144312 | Owner of Macros can not be reassigned in Web UI in version 6.6.x |
2018-08-09 | SPL-155348, SPL-148606 | Inconsistent Search Results Against _audit Index |
2018-08-09 | SPL-158332, SPL-157433 | lookup OUTPUTNEW commands mistakenly cause optimizer to remove preceding search commands resulting in missing field values |
2018-08-08 | SPL-157120, SPL-158035 | Customer upgrade to splunk 7.1 and this broke his HUNK Archive index. |
2018-08-08 | SPL-157516, SPL-153464 | Job Progress Status goes from 0 to 100 back to 0 |
2018-08-01 | SPL-156448, SPL-152245 | Scheduled search job terminated unexpectedly |
2018-07-26 | SPL-157687, SPL-153976 | Splunkd Crashes When Opening A Simple Dashboard |
2018-07-26 | SPL-149132, SPL-142710 | Splunk ignores "is_risky=false" setting for any command that is not an actual custom script like sendemail. For example the setting is ignored for outputlookup and outputcsv. |
2018-07-16 | SPL-155773, SPL-154973 | timeline preview shows random events, but not the ones based on the selected timeline segment |
2018-07-12 | SPL-152434, SPL-154531, SPL-154532, SPL-154533, SPL-154534 | xml export bloats in size due to repeated <fieldOrder> section |
2018-06-14 | SPL-155106, SPL-155412, SPL-155413 | splunkd process consuming large amount of memory in 7 |
2018-06-12 | SPL-152598, SPL-154005, SPL-154876, SPL-157818, SPL-157913, SPL-158186 | The "srtemp" directory can grow to hundreds of GB in size and fill up the disk due to orphaned temporary files left behind by abnormally terminated searches and never reaped |
2018-06-07 | SPL-154931, SPL-154463 | When eventstats is the last command in a reporting search in Splunk 7.1.0 the stats tab truncates all results past a certain number of results. |
2018-06-07 | SPL-145831 | In search.log, IndexScopedSearch message with lispy string is missing a space between index name and "is". It's "index=indexNameis" instead of "index=indexName is" |
2018-06-07 | SPL-154026, SPL-155293, SPL-155294 | gentimes command shows incorrect starthuman time with daylight savings |
2018-06-03 | SPL-154542, SPL-154138 | Searches with multikv extraction use too much memory: potentially orders of magnitude more than previous versions. |
2018-05-30 | SPL-154737, SPL-153432 | The bins option returns inconsistent count values in distributed environment |
2018-05-10 | SPL-152490, SPL-148796 | ui_inactivity_timeout not working even after search completes |
2018-05-08 | SPL-153349, SPL-154301, SPL-154302, SPL-154303 | Scheduling Alerts - Apply Time Range Of Initial Search Not Reflecting when Saving as Alert |
2018-05-01 | SPL-153732, SPL-145602 | REGEX flag (?J) "duplicate group names" causes splunk to crash |
2018-04-30 | SPL-152806, SPL-141639 | 6.5.2 Error in chart command: The value for option span is invalid: log10 |
2018-04-19 | SPL-153521, SPL-145560 | Splunkd DispatchManager logging is inconsistent |
2018-03-28 | SPL-135296, SPL-105039, SPL-152728, SPL-152729, SPL-152735, SPL-152815, SPL-152817 | SearchResults complains in splunkd.log about a corrupt CSV file header without naming the problematic file or lookup table |
2018-03-27 | SPL-151719, SPL-152232, SPL-152236 | Windows Events Logs: Hidden Character Added To Field Name Breaks Search |
Saved search, alerting, scheduling, and job management issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-09 | SPL-155699, SPL-153792 | Datamodel works both accelerated and non-accelerated in standalone, but fails on indexer instance when accelerated in an indexer clustered environment |
2018-07-24 | SPL-156991, SPL-153649 | Search scheduler shifts earliest_time and latest_time based on the skew, when using allow_skew |
2018-07-16 | SPL-155352, SPL-157325, SPL-157326, SPL-157327 | Search scheduler can be blocked by slow kvstore responses during saved search history pruning. |
2018-07-11 | SPL-153576 | scheduler sourcetype create a field with the same name as in the event - message field auto extraction does not work |
2018-06-18 | SPL-155219, SPL-155560 | DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load |
2018-05-23 | SPL-154136, SPL-154836 | Duplicate alerts are triggered for real time alert type on Splunk Enterprise 7.1.0 |
2018-05-07 | SPL-147319, SPL-154403, SPL-154405 | SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log |
2018-04-09 | SPL-148958, SPL-153147, SPL-153148, SPL-153149, SPL-153150 | tstats will not return any results from an Accelerated Datamodel/Namespace/tscollect job if the raw event has 2-byte characters |
Charting, reporting, and visualization issues
Date resolved | Issue number | Description |
---|---|---|
2018-07-26 | SPL-157687, SPL-153976 | Splunkd Crashes When Opening A Simple Dashboard |
Data model and pivot issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-13 | SPL-156254, SPL-152600 | Save the pivot table as a Report or Dashboard: Pivot Table Error - Error in PivotRowCol |
2018-08-09 | SPL-155699, SPL-153792 | Datamodel works both accelerated and non-accelerated in standalone, but fails on indexer instance when accelerated in an indexer clustered environment |
2018-06-18 | SPL-155219, SPL-155560 | DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load |
2018-05-07 | SPL-147319, SPL-154403, SPL-154405 | SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log |
2018-04-09 | SPL-148958, SPL-153147, SPL-153148, SPL-153149, SPL-153150 | tstats will not return any results from an Accelerated Datamodel/Namespace/tscollect job if the raw event has 2-byte characters |
Indexer and indexer clustering issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-02 | SPL-151331, SPL-148413 | Bucket fix-up stack stuck with reason "potential dup primaries" prevents cluster from advertising all data searchable |
2018-07-17 | SPL-153221 | Added db path collision check for summaryHomePath |
2018-07-04 | SPL-154580, SPL-146688 | Race condition in Indexer Cluster bundles dry run causing "Unable to create/replace target file: No such file or directory". |
2018-06-22 | SPL-155220, SPL-154986 | single-copy bucket stuck with status "no possible primaries", causes entire cluster to be tagged as "not fully searchable" |
2018-06-17 | SPL-154997, SPL-153569 | Data rebalance blocked by stuck bucket discard |
2018-06-04 | SPL-153036, SPL-155224, SPL-155225, SPL-155226 | SHC CMBucketId has lock contention from std::map log(n) lookup time |
2018-05-18 | SPL-152465, SPL-153596, SPL-153597, SPL-154595, SPL-154647, SPL-154648 | Clustering - when a peer is in detention, we will make excess copies |
2018-05-09 | SPL-147996, SPL-146575 | RF and SF not being met on CM after adding new Indexes and rolling restart |
2018-04-18 | SPL-153121, SPL-153520 | CMSlave Should output errors when failing to enqueue the bundle validate job |
2018-04-03 | SPL-146335, SPL-151811, SPL-151813 | DispatchReaper not cleaning up remote-bundle files on CM |
Distributed search and search head clustering issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-09 | SPL-157926, SPL-157978 | Scheduler blocked during pruning savedsearch history due to slow LDAP server |
2018-07-26 | SPL-155778, SPL-155536 | prolonged gaps in SHC captain metrics.log group=searchscheduler |
2018-07-18 | SPL-156528, SPL-154592 | Incorrect Version Mismatch Message |
2018-07-12 | SPL-146352, SPL-156438, SPL-156439, SPL-156440, SPL-156441 | LDAP reload can severely delay remote app deployment, need app reload metrics to improve diagnosability. |
2018-06-27 | SPL-154747, SPL-154419 | SHC captain does not clean up local bundles after failed replication attempts |
2018-06-26 | SPL-154934, SPL-154870 | BundleDeltaHandler failing on indexing_tokens directory |
2018-06-24 | SPL-154926, SPL-154032 | SHC bundle rejected at push-time because of built-in apps warning is still created and picked up by SHC members |
2018-06-22 | SPL-151900, SPL-156177, SPL-156178, SPL-156179 | Distsearch.conf: value specified in disabled_server property will get ignored, if same value exists in servers property |
2018-06-15 | SPL-155043, SPL-154402 | SHC: alert suppression may fail during restart due to timing issues |
2018-06-15 | SPL-154841, SPL-154654 | SHC captain stops delegating DMA searches after a delegated DMA search job fails (status=delegated_remote_completion, success=0). |
2018-06-04 | SPL-154739, SPL-154089 | Search heads may fail with "Skip search X during searchable rolling process" in invalid configurations where they communicate with cluster masters in an older version. |
2018-06-01 | SPL-152935, SPL-154616, SPL-154617, SPL-154618 | KVStore Replication Error: replSetReconfig got BadValue _id field value of 256 is out of range |
2018-05-23 | SPL-149009, SPL-141363 | Indexers report "Unknown search command" for external search commands even though the indexers contain the search bundle with the external command |
2018-04-25 | SPL-153831, SPL-148106 | Crashing thread: TcpChannelThread, Assertion `_slave != __null ClusteringMgr::_slave_writeBucketsToSearch. |
2018-04-12 | SPL-152280, SPL-153218, SPL-153219, SPL-153220, SPL-153314 | Deployer app staging area may miss bundles if preparation takes more than 10 minutes. |
2018-04-10 | SPL-130444, SPL-152625, SPL-152626, SPL-152627 | SHC: alert suppression may fail during restart if suppression information does not exist locally on member |
2018-04-05 | SPL-147403, SPL-132295 | Excessive "Inconsistent bundles" Logging |
2018-03-21 | SPL-145554, SPL-152420, SPL-152421, SPL-152422 | The savedsearch key/value field is not quoted in SHCMaster log message breaking extraction |
Universal forwarder issues
Date resolved | Issue number | Description |
---|---|---|
2018-04-20 | SPL-151229, SPL-153631, SPL-153632, SPL-153633, SPL-153634, SPL-153635, SPL-153636 | AIX 7.1 Deployment Server Restarting UF give splunkd; SRC did not 'chssys splunkd' on our behalf: exit code=-1 |
Distributed deployment, forwarder, deployment server issues
Date resolved | Issue number | Description |
---|---|---|
2018-05-31 | SPL-153261, SPL-155010, SPL-155009 | Slow Performance in the Deployment Server UI and sometime crash the browser |
2018-05-04 | SPL-149328, SPL-156354, SPL-156355 | Deployment Clients unable to connect to Deployment Server with phoneHomeIntervalInSecs = 600 |
2018-04-30 | SPL-151413, SPL-148851 | Application bundle cache (by default under $SPLUNK_HOME/var/run/tmp/) *never* gets cleaned up on Deployment server even server class no longer exists |
Monitoring Console issues
Date resolved | Issue number | Description |
---|---|---|
2018-07-31 | SPL-158060, SPL-156694 | "Failed to fetch DMC settings to verify status" error in web_service.log when clicking "Settings> Data Inputs" from Splunk Web |
2018-04-27 | SPL-153396, SPL-149486 | "HTTP Event Collector: Deployment" dashboard is not rendering at all and incorrectly reports "You currently have no tokens configured" |
2018-04-25 | SPL-153498, SPL-138918 | Mount points are not listed correctly in "Average I/O Usage and Performance" panel of Monitoring Console |
Splunk Web and interface issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-09 | SPL-157828, SPL-157139 | Can not display more than 30 alerts in Alert's trigger actions |
2018-07-25 | SPL-157705, SPL-157317 | In Forwarder Management Web GUI screen, 'more server classes' pop-up has titile: Apps |
2018-07-19 | SPL-153408, SPL-153034 | Formatting of an event is not kept when piped to table |
2018-07-16 | SPL-155773, SPL-154973 | timeline preview shows random events, but not the ones based on the selected timeline segment |
2018-07-12 | SPL-157204, SPL-156282 | Wrong description in lookup definition in UI |
2018-07-09 | SPL-155723, SPL-154541 | No filter by owner in views when owner contains a back slash "\" |
2018-06-07 | SPL-154026, SPL-155293, SPL-155294 | gentimes command shows incorrect starthuman time with daylight savings |
2018-05-31 | SPL-154823, SPL-153658 | UI Visualizations of wide lists are not rendered correctly. |
2018-05-10 | SPL-152490, SPL-148796 | ui_inactivity_timeout not working even after search completes |
2018-05-08 | SPL-153349, SPL-154301, SPL-154302, SPL-154303 | Scheduling Alerts - Apply Time Range Of Initial Search Not Reflecting when Saving as Alert |
2018-04-30 | SPL-147061, SPL-153995, SPL-153996 | debug/refresh reports errors on vanilla install. |
Windows-specific issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-09 | SPL-156538, SPL-153030 | PowerShell inputs fail after several runs |
2018-06-06 | SPL-143484, SPL-148223 | splunk-perfmon.exe using high memory |
2018-04-17 | SPL-151800, SPL-153191, SPL-153192, SPL-153193 | Windows Registry Monitoring Input is ignoring the _TCP_ROUTING setting |
REST, Simple XML, and Advanced XML issues
Date resolved | Issue number | Description |
---|---|---|
2018-06-04 | SPL-153959, SPL-152556 | fill_summary_index.py fails in SHC environment |
2018-05-23 | SPL-153655, SPL-154837, SPL-154839, SPL-154840 | /services/search/jobs/*/results is responding with duplicate JSON field 'init_offset' when output_mode is 'json_cols' and search has no result |
PDF issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-08 | SPL-154879, SPL-148553 | Geostats generates blank map using fieldColors when emailed PDF dashboard |
2018-05-09 | SPL-153916, SPL-153668 | When exporting to PDF one particular IP Address generates an error while others work |
2018-03-27 | SPL-151132, SPL-152435, SPL-152437, SPL-152438 | PDF export broken with SimpleXML <init> TAG |
Admin and CLI issues
Date resolved | Issue number | Description |
---|---|---|
2018-08-09 | SPL-156715, SPL-136970 | default and local meta files getting corrupt or being altered in such a way as to cause warnings. |
2018-07-24 | SPL-157731, SPL-154594 | system/default/props.conf for python.log just plain WRONG |
2018-06-14 | SPL-155132, SPL-146439 | Saving roles manager page when no indexes are listed remove previous indexes |
2018-06-11 | SPL-154857, SPL-153624 | savedsearches.conf configuration is_visible needs clarification |
2018-06-01 | SPL-154772, SPL-154589 | Enabling splunk boot-start won't work with ubuntu-like distro |
2018-05-16 | SPL-154022, SPL-153625 | leading and trailing comma validation should be robust for http proxy configuration |
2018-05-14 | SPL-153105, SPL-154478 | New splunkd_stop_timeout parameter in server.conf displays validation warning when pushed from cluster master |
2018-05-02 | SPL-132996 | The shcluster-bundle command ignores mis-spelled or unknown parameters silently, which might produce unintended consequences |
2018-03-29 | SPL-147286, SPL-152846, SPL-152848, SPL-152849 | Setting DATETIME_CONFIG as filename does not update props.conf |
2018-03-12 | SPL-148877, SPL-145579 | chkconfig directive missing for AWS with enable boot-start |
Uncategorized issues
Date resolved | Issue number | Description |
---|---|---|
2019-01-23 | SPL-160037, FAST-11458, INFRA-5076, SPL-160858, SPL-160859, SPL-160860 | Windows 2016 Standard blocked Splunk Enterprise 7.1.3 installation on a VM with BIOS UEFI mode enabled + Secure Boot enabled due to "A digitally signed driver is required" |
2018-08-21 | SPL-151328, SPL-141808 | (Windows Only) Support sslRootCAPath on Windows |
2018-08-21 | SPL-158931, SPL-160031, SPL-156983, SPL-158938, SPL-160030 | Suppress introspection errors from bulletin board on Cloud instances |
2018-08-21 | SPL-159051, SPL-146261 | Search Assistant executes subsearches incurring subsearch side effects and increased CPU and memory usage |
2018-08-16 | SPL-156996, SPL-154144 | CPU Cores Not Calculated Properly or Correctly |
2018-08-14 | SPL-155772, SPL-157897, SPL-157899 | SEDCMD not working for long characters |
2018-08-10 | SPL-157243, SPL-158583, SPL-158584 | Inability to disable UI warnings in messages.conf renders disabling the scheduler impractical. |
2018-08-09 | SPL-147249 | Inputlookup for lookup with space in the filename fails with "Invalid argument: ..." with search optimization enabled |
2018-08-01 | SPL-157745, SPL-158142 | Lengthy login_content messages run off login window |
2018-08-01 | SPL-156205, SPL-154378 | Splunk Introspection mem_used misreporting very high values "17592186044029.098" |
2018-07-31 | SPL-154660, SPL-156690 | KVStore can't start correctly because of MongoDB multikey index limits, no splunk doc mention this, doc update only |
2018-07-31 | SPL-153699, SPL-158098, SPL-158118, SPL-158120, SPL-155646 | Indexer message/slowness after splunk 7 upgrade and possibly reducing indexer capacity to half. |
2018-07-31 | SPL-157530, SPL-157436 | 404 Error: quality_of_incoming_data |
2018-07-31 | SPL-155646, SPL-153699 | Indexer Processor thread should attempt to free up the slots to run splunk-optimize |
2018-07-31 | SPL-157795, SPL-157342 | Prebuilt panels text in an app are not extracted for localization when using "splunk extract i18n -app <appname>" command |
2018-07-31 | SPL-156690, SPL-154660 | KVStore can't start correctly because of MongoDB multikey index limits, no splunk doc mention this, doc change only |
2018-07-26 | SPL-155000, SPL-152888 | Chunks of summary index data are routed to the wrong index when queues are blocked |
2018-07-24 | SPL-142942 | splunk-powershell.ps1 gets stuck in EndInvoke call when an exception is encountered |
2018-07-15 | SPL-156193, SPL-153174 | Request for better messaging for "Duplicated License situation happen on peer ..." |
2018-06-29 | SPL-155351, SPL-155035 | Splunk Fowarders splunkd process stopping - Crashing thread: HttpClientPollingThread |
2018-06-29 | SPL-154752, SPL-147803 | License master incorrectly calculate the daily license usage and that impact new data input. |
2018-06-28 | SPL-155716, SPL-155427 | CIM Setup page is showing single line because of Indexes.js collection not executing callbacks |
2018-05-31 | SPL-154018, SPL-154062, SPL-155385, SPL-157142 | Splunkd looks for default openssl cert file under build path |
2018-05-23 | SPL-153958, SPL-153724, SPL-154459 | mcollect should check index permissions for the index that it is trying to write to. |
2018-05-21 | SPL-152084, SPL-153333, SPL-153334, SPL-159597 | S2S: clientCert required in outputs.conf on SSL client although requireClientCent=false set on SSL server |
2018-05-16 | SPL-154139, SPL-154567 | embedded report uses oldest search artifact from the history endpoint |
2018-05-09 | SPL-152887, SPL-154366, SPL-154367 | Color Range Feature coupled with real-time search causes the colors to flicker when updating |
2018-05-09 | SPL-151896, SPL-145371 | Bulletin board message timestamp incorrect on SHC members |
2018-05-03 | SPL-153011, SPL-154129, SPL-154130 | HTML entity name appears in Tour dialog if username contains &,<,>,",' |
2018-04-27 | SPL-151228, SPL-153934, SPL-153935, SPL-153937 | Add suppression state file listing to splunk diag. |
2018-04-13 | SPL-153047, SPL-145043 | Too long of a dashboard title throws nondescript error message, |
2018-04-02 | SPL-135274, SPL-151304, SPL-151306, SPL-151307, SPL-152244 | search assistant incorrectly wrapping kv pairs in quotes |
2018-03-29 | SPL-147956, SPL-152814, SPL-153081 | mstats not returning results if tmp folder does not exist. |
2018-03-28 | SPL-145094, SPL-153078, SPL-153079, SPL-153080, SPL-153082 | introspection: IOStats read incorrect if more than one partition created on one physical drive |
2018-03-13 | SPL-148815, SPL-151755, SPL-155093 | Mistranslation of "Product Tour" > "Add Data Tour" in Japanese |
PREVIOUS Timestamp recognition of dates with two-digit years fails beginning January 1, 2020 |
NEXT Deprecated features |
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0
Feedback submitted, thanks!