Known issues

Prior to an upgrade, edit the $SPLUNK_HOME/etc/splunk-launch.conf file (%SPLUNK_HOME%\etc\splunk-launch.conf on Windows) and add the following line:

PYTHONUTF8=1

Save the file, then perform the upgrade.

If the upgrade succeeds, but Splunk Web then displays a blank screen when you attempt to log into the Splunk Enterprise instance, follow this workaround, then restart the Splunk Enterprise instance.

OR 2. Upgrade to Solaris 11.4

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

Downgrade to 8.2.x

Downgrade to 8.2.x

Downgrade to 8.2.x

This issue is not deterministic within a search, so re-running will usually work.

We recommend sizing the threshold based on lookups in your environment.

Please note that this will increase the amount of memory used for searches that use lookups, which could be significant in environments with many concurrent searches.

index=main earliest=-10s latest=now

Running the same search without including 'latest=now' might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches. See Specify earliest relative time offset and latest time in ad hoc searches in the Splunk platform Search Manual.

Fix : upgrade Splunk to a fixed version

Both workarounds impact the performance for searches using the 'stats' family of functions such as 'chart', 'timechart', 'eventstats', 'tstats', 'prestats', 'mstats' and 'streamstats' because performance enhancements added with StatsV2 are not used. As a result, upgrading to Splunk Enterprise version 9.0.1 or higher is preferred.

allow_caching=f to the lookup command:

| lookup <name> allow_caching=f ... 

On 7.3+: Add allow_caching=f to the lookup definition on the search head

transforms.conf:
[<lookup name>]
allow_caching = f

To check if you might be running into this issue, you'll need to enable debug on the search in question by adding:

| noop log_DEBUG=CachedProvider
<pre>
If you have hits for the cached lookup, like in the sample log below, you can hit this issue.

<pre>
DEBUG CachedProvider - Cached provider metrics: lookup=<lookup name> hits=67064 misses=321 total=67385

clears the stash_new files

allow_caching=f to the lookup command:

| lookup <name> allow_caching=f ... 

On 7.3+: Add allow_caching=f to the lookup definition on the search head

transforms.conf:
[<lookup name>]
allow_caching = f

To check if you might be running into this issue, you'll need to enable debug on the search in question by adding:

| noop log_DEBUG=CachedProvider
<pre>
If you have hits for the cached lookup, like in the sample log below, you can hit this issue.

<pre>
DEBUG CachedProvider - Cached provider metrics: lookup=<lookup name> hits=67064 misses=321 total=67385

- run the search in the right order

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

allow_caching=f to the lookup command:

| lookup <name> allow_caching=f ... 

On 7.3+: Add allow_caching=f to the lookup definition on the search head

transforms.conf:
[<lookup name>]
allow_caching = f

To check if you might be running into this issue, you'll need to enable debug on the search in question by adding:

| noop log_DEBUG=CachedProvider
<pre>
If you have hits for the cached lookup, like in the sample log below, you can hit this issue.

<pre>
DEBUG CachedProvider - Cached provider metrics: lookup=<lookup name> hits=67064 misses=321 total=67385

for example, add

 | convert timeformat="%FT%T.%3Q%z" ctime(_time)

to the end of your search

For example:

[search]
max_searches_per_process=1

to

[search]

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

instead of

index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId]

add a stats or dedup in the subsearch:

index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example:

index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

"The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count."

- Use very high globallimit in geostats and post process after if needed

- Don't use BY in geostats

- Use lower cardinality BY and/or higher globallimit in geostats

The workaround is to have indexers attached to the `rsh`

Another workaround is to change the max_workers_searchparser setting to a value lower than its default.

Use this workaround if you are using your Splunk Enterprise federated search head (FSH) instance only for running federated searches. This workaround might affect non-federated searches.

On the Splunk Enterprise FSH, follow these steps:

1. Create limits.conf in a local/ folder.
2. Set the max_workers_searchparser setting to a number lower than its default (1 or 2). For more information about this setting see the Admin Manual.
3. Test which setting value provides a better performance.

On deployment that don't have indexers at the moment a low performance indexer should be created ( on a vm etc ) and added as a distributed peer.

To make sure that happens: 1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle. 2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment. 3. Trigger a search from the local deployment. This will make sure that the bundle is sent ASAP towards the remote deployment.

curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1

See Federated search endpoint descriptions in the REST API Reference Manual.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Federatedconf

To check the workaround is working, restart the instance to see if logs appear. (See attached image: Image-20221110-234300.png)

- run the search in the right order

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

collections.conf [LoggedOutSessionTokens] disabled = true

server.conf [general] invalidateSessionTokensOnLogout = false

index=_internal host IN (<CommaSeparatedSHList>) source=*web_service.log* "Splunk appserver version=UNKNOWN_VERSION build=000"

Refreshing the browser tab will temporarily resolve the issue. No root cause/fix has been identified yet.

• Remove any settings that define default values already set in the /default/distsearch.conf file.
• Removes comments preceded by a hash.
• Reorders the KV pairs alphanumerically within a stanza.
• Reorders stanzas within the file.

[1]

Upgrade to version 9.0.0.1 issue doesn't appear.

[2] The detailed workaround didn't solve the issue.

[3]

Upgrade to version 9.0.0.1 issue doesn't appear.

[4] The detailed workaround didn't solve the issue.

[5]

Upgrade to version 9.0.0.1 issue doesn't appear.

[6] The detailed workaround didn't solve the issue.

Customer claims that they were able to bypass the issue by using SPLUNKPASSWORD="" option during installation but I was not able to reproduce this example of user-seed.conf: https://drive.google.com/file/d/1GrypUL6719V0tGbw0Mv-u76jUYZ8LBS_/view?usp=sharing

autoBatch=false

[kvstore]
disabled = true

If you need useACK to prevent data loss, disabling autoBatch in outputs.conf can remediate the issue too, but it impacts throughput - no worse than 8.x, but no improvement for 9.0.

OR 2. Upgrade to Solaris 11.4

[feature:ingestion_latency]
indicator:ingestion_latency_lag_sec:yellow = 0
indicator:ingestion_latency_lag_sec:red = 0

Fix : upgrade Splunk to a fixed version

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

Customer claims that they were able to bypass the issue by using SPLUNKPASSWORD="" option during installation but I was not able to reproduce this example of user-seed.conf: https://drive.google.com/file/d/1GrypUL6719V0tGbw0Mv-u76jUYZ8LBS_/view?usp=sharing

- to reconfigure subscription type to RenderedText:

wecutil ss <subscription-name> /cf:RenderedText

- in order to work around a MS defect on the WindowsEventViewer causing field description resolution failures within the WindowsEventViewer, when configuring RenderedText contentFormat you might want to also change the subscription locale, if not already done, to en-US:

wecutil ss <subscription-name> /l:en-US

and the same also for the datetime format on the WEC server to English (United States), see also here:

https://serverfault.com/questions/606144/win2012r2-eventlog-subscription-dont-display-informations https://social.technet.microsoft.com/Forums/ie/en-US/3fd3d1fc-1194-4899-978c-3283085648bc/eventlog-forwarding-issues-either-the-component-that-raises-this-event-is-not-installed-on-your

- please make sure to install the most recent Windows add-on compatible with your Splunk release, following the official installation documentation:

https://docs.splunk.com/Documentation/AddOns/released/Windows/Install

- please configure inputs.conf on the splunk instance running on the WEC server as follows, in order to onboard the ForwardedEvents data in XML format:

[WinEventLog://ForwardedEvents]
renderXml = true

then save and restart splunk in order to apply the changes.

- last, but not least, unless renderXml was set to true already before installing/upgrading to a regressed version, you will need to rewrite your searches and reports in order to comply with the new/XML-specific field extractions shipped in the Windows add-on, since the data is now onboarded in XML format.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Federatedconf

To check the workaround is working, restart the instance to see if logs appear. (See attached image: Image-20221110-234300.png)

• Remove any settings that define default values already set in the /default/distsearch.conf file.
• Removes comments preceded by a hash.
• Reorders the KV pairs alphanumerically within a stanza.
• Reorders stanzas within the file.

| rest splunk_server=local /services/licenser/messages

If a high value is returned for that end point, you are likely affected. Log a support ticket with Splunk to obtain a license reset key, and apply the key to clear out any historical license warning messages. After the reset license is applied, the license management pages should load normally.

etc/system/local/limits.conf [input_channels] max_inactive=300001 lowater_inactive=300000 inactive_eligibility_age_seconds=120

etc/system/local/inputs.conf [splunktcp-ssl:9996] queueSize=100MB

note: ssl input port may be different on customer deployment

[7]

etc/system/local/limits.conf [input_channels] max_inactive=300001 lowater_inactive=300000 inactive_eligibility_age_seconds=120

etc/system/local/inputs.conf [splunktcp-ssl:9996] queueSize=100MB

note: ssl input port may be different on customer deployment

[8]

etc/system/local/limits.conf [input_channels] max_inactive=300001 lowater_inactive=300000 inactive_eligibility_age_seconds=120

etc/system/local/inputs.conf [splunktcp-ssl:9996] queueSize=100MB

note: ssl input port may be different on customer deployment

[9]

\[health_reporter] aggregate_ingestion_latency_health = \[0|1]

• A value of 0 disables the aggregation feature for ingestion latency health reporter.
• Default: 1 (enabled).

Disable that please. And the feature itself. \[feature:ingestion_latency] alert.disabled = 1

disabled = 1

https://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk_Python_modules

[introspection:distributed-indexes] https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Serverconf

useACK=false

1. Either remove non-ASCII/UTF-8 characters from your configuration files. 2. Or take a backup of '$SPLUNK_HOME/lib/python3.7/site-packages/splunk/clilib/cli_common.py' and in line 127: Add parameter to "line.decode" - either "errors='replace'", or "errors='ignore'". Eg: line.decode(errors='replace')

1. Remove the option grantableRoles = admin from authorize.conf - this is not permanent workaround and will need to be done every time admin role is modified.

2. Add any capabilities that the other user roles have to the "admin" role.

To resolve the issue if you encounter this: Disable or delete the workload rule that is associated with a workload pool that does not exist anymore.

category.AwsSDK=FATAL

under the [splunkd] stanza in log-local.cfg

To resolve, on the peer node, invoke the "/services/cluster/peer/buckets" endpoint, specifying the faulty bucket, setting "search_state=Searchable" to make the bucket searchable. You do not need to restart the peer node afterwards.

Here is the syntax for the required endpoint:

curl -k -u admin https://<peer_node_with_bucket>:<mgmt_port>/services/cluster/peer/buckets/<bucket_id>/change_bucket -d bucket_mask=0 -d search_state=Searchable -d generation_id=0 -d searchable_sources="peer,site,server_name,host_port_pair,replication_port,replication_use_ssl,searchable,bucket_mask"

Note that pairs of angle brackets indicate variables that must correspond to your instance and bucket.

After migration, revert the setting to the default of 8.