Known issues
The following are issues and workarounds for this version of Splunk.
Data input issues
- monitor inputs using the followTail setting sometimes will index some older events or all events from log files which are updated when not intended. (SPL-23555)
- When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294)
- Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases. (SPL-31576)
- Splunk does not support execution with the python-modifying variable PYTHONCASEOK set. (SPL-31866)
- A trailing slash (\) on an inputs.conf monitor stanza belonging to the source attribute will corrupt the sources.data file and Splunk will not start. (SPL-33760)
- The universal forwarder changes capitalization of the hostname (pulls from server.conf instead of inputs.conf) and Splunk Web now displays two hosts. (SPL-38141)
- A file monitor blacklist set to a NULL value ("blacklist = " in inputs.conf) results in all files for that input being blacklisted and therefore not indexed. (SPL-38750)
- When you add a CSV or IIS source type, Splunk appends -1, -2 and so on to the source type name. (SPL-43865)
- The file browser in Data Preview will display an error and only part of the file system when trying to load large numbers of subdirectories (100+) and files (1000+). (SPL-46503)
Splunk Web and Manager interface issues
- If you have cookies disabled or if the server and/or client CPU time are not in sync, you will be returned to the login page. Both machines must have the correct time set when the cookie timestamp is verified. (SPL-22393)
- Using the browser's Back button to get back to a form view doesn't work properly; you have to re-run the search to redisplay the graph. (SPL-27179)
- Zooming out in the flash timeline only zooms out the previous time region, not the subsequent one. (SPL-18126)
- Splunk Web still thinks your license is expired if you replace it behind the scenes. To work around this issue, choose 'Enter a new license number' and then log in. (SPL-28582)
- The success message when uploading a file in Splunk Web does not correctly display the filename. (SPL-29855)
- Using jquery before 1.3.2 with changeset 6268 results in false activeX warnings (see http://dev.jquery.com/changeset/6268/trunk). A patch is available. To apply the patch:
  - Download the patch file.
  - Unzip the patch file.
  - cd $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/contrib
  - patch jquery-1.3.2.js jquery-activex.patch
  - Because Splunk Web aggressively caches content, you must change the URI signature:
    - Open http://localhost:8000/_bump
    - Click the 'bump version' button.
- Splunk Web does not notify you if you specify an invalid port number in web.conf. (SPL-25584)
- The indexing status dashboard's "Index health" graph and "Analysis of index bucket" do not work for multiple indexes, only a single index. (SPL-34123)
- On iPads, the drop-down menu for selecting events does not wrap correctly. (SPL-44678)
- Splunk Web modal dialog boxes are not compatible with protected web environments that use proxies and application layer gateways. (SPL-43365)
- In Manager > Data inputs > Remote event log collections, the enabled/disabled banner message does not display the correct status. (SPL-45692)
- When using drag-and-drop resizing for dashboard panels in Internet Explorer 6, the panel will only drag to a larger size. If you drag the corner to make it smaller again, the display does not update. If you reload the whole page, the chart will display the smaller size. (SPL-45801)
- Dashboard panels in Internet Explorer 6 do not render their contents at an optimal size, resulting in unnecessary white space. (SPL-45800)
- The SSOMode=permissive setting does not allow Splunk Web access if the incoming client IP does not have a match in the trustedIP list. (SPL-46047)
- Dashboard panels with Flash charts do not rearrange properly. (SPL-46019)
- If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change take effect immediately. The retrieved events will be in the correct time zone but the timeline will not. Wait 30 seconds and reload the page to see the updated timeline. (SPL-46852)
- When you save a new user record under Firefox 3.5 via Splunk Web's Manager > Access Control > Users, a banner message displays: "Your entry was not saved. The following error was reported: server abort." This message can be ignored as the user record is created. Firefox 3.6.10, 7.0.1, 8.0.1 do not reproduce this behavior. (SPL-47195)
Charting and drill-down issues
- When a chart displays an "OTHER" bucket of values, drilling down into it adds myfield="OTHER" to the search string. (SPL-30399)
Search, saved search, alerting, scheduling, and job management issues
- When running a search with 'use starthoursago', the displayed time range message is misleading (although the results are correct). (SPL-33409)
- There is no way to escape an asterisk (*) in the search language. (SPL-30079)
- CLI search doesn't warn on stderr when results were truncated due to the maxout limit. (SPL-35478)
- The error message shown when searching for an invalid search string doesn't disappear when executing a valid search. (SPL-34144)
- Email alert sends attachment in csv despite format=plain being set in alert_actions.conf or action.email.format=plain in savedsearches.conf. (SPL-38858)
- On Windows, lookup tables populated by scheduled searches could fail to be updated if there is a search running and using the lookup at the time of the update attempt. (SPL-40332)
- Internet Explorer is not displaying multilined events preceded with spaces such as Windows Event log events, WMI events or XML. (SPL-40354)
- The spath command does not correctly recognize and extract nested XML elements unless you list every element above the one you want to extract. (SPL-46890)
- Leaving a browser open on the summary dashboard of the search app for a long time can cause the system to run out of memory. This is caused by a memory leak affecting real-time metadata searches such as those that the search app's summary dashboard runs. (SPL-45901) For work-around instructions, see this Splunk Answer.
Localization, internationalization, and character set issues
- Certain Japanese language OSes, including most versions of Windows, use the ¥ (Yen) symbol to denote backslashes in path names. This can cause issues when monitoring or spooling files, and may require custom regex configurations where a file path is part of the dataset. (SPL-23307)
- Splunk throws the following error message when data input tar.gz file contains Simplified Chinese characters (GB2312): "Input is not proper UTF-8, indicate encoding!" (SPL-38488) Workaround: manually extract the CSV files from the tar.gz file and put them in the same data input file path. Splunk will recognize all the CSV files with Chinese file names and all events will be read into Splunk correctly.
- Time zone extraction can conflict if time zone strings match (for example, EST as US Eastern Standard Time and Australian Eastern Standard Time). Workaround: use an explicit time prefix, a time format that does not include the time zone, or explicitly specify the time zone. (SPL-45509)
Dashboard and app development issues
- Old modules, templates, and other app components are not deleted on upgrade. (SPL-22494)
- If you specify more than the 3-column maximum for layoutPanel, the error message is not very helpful. (SPL-29295)
- You can create/update/clone/delete 'Navigation menus', but Splunk Web only uses default.xml. (SPL-30024)
- On Windows, ServerSideInclude modules cannot use relative paths in their source parameter ("../../myinclude.html"). (SPL-35552)
- Real time search dashboard intermittently stops updating short of the actual # of events received. (SPL-37461)
- As of 4.2.1, Splunk has removed support for illegal characters in URIs. Apps that add explicit links to the view XML that contain unsafe URL characters that are unencoded will fail with a 500 error.
Windows-specific issues
- The Message field is not extracted and is therefore missing from imported Windows event log file (.evt) data. (SPL-24947)
- Timestamps are not set correctly for comment lines in W3C (aka Internet Information Server (IIS) and Exchange) log files. (SPL-29111)
- The splunkd.exe executable on Windows generates about 4,000 page faults/sec when running the Windows app (only) with all the inputs turned on. This is not necessarily a real problem, since most of the page faults will be cache hits and won't end up as hard (on-disk) page faults. However, if the machine is under memory pressure (perhaps from another RAM-hungry app) then splunkd's behavior may cause lots of hard page faults/sec. (SPL-30343)
- On Windows XP and Server 2003 systems, Event Log checkpointing fails if you stop Splunk, clean the events, and restart Splunk. To work around this issue, don't stop Splunk when you clean the events. (SPL-29594)
- The Windows Service Control Manager will interrupt the shutdown of the splunkd or splunkweb processes if it doesn't complete in the allotted 30 seconds. This will result in an unclean shutdown and Splunk will prompt the administrator to perform fast recovery on the indexes on the next splunkd start. (SPL-37653)
- Splunk does not pass a warning message when it tries to index a corrupt or invalid gzip file on Windows. (SPL-42212)
- The Universal Forwarder installer on Windows does not copy certificates from Windows/Samba shared directories. (SPL-45590)
- In Data Preview, empty lines can appear if the empty line is the first item in a 4KB segment. (SPL-46010)
- If you upgrade a Splunk instance with Windows Registry monitoring inputs enabled from 4.2 to 4.3, the behavior of those inputs might change due to the way Splunk now handles default Registry monitoring configurations. To restore default behavior, either install the Windows app or technology add-on (TA), or make changes to regmon-filters.conf as shown in "Workaround for Registry Monitoring configuration issue." (SPL-46805, SPL-46844, SPL-46912)
CLI issues
- The universal forwarder fails to recognize that indexes should be remote when being specified via CLI. (SPL-38182) To work around this, specify the destination index manually in inputs.conf.
- The CLI export command does not return results when flags are added for filtering. (SPL-45694)
- The server.conf spec indicates that you can set requireClientCert = true in order to require that HTTPS clients connecting to the splunkd process present a certificate signed by the CA whose public certificate is defined in caCertFile. Because the Splunk CLI cannot be configured to present an SSL certificate, setting requireClientCert = true in server.conf breaks its ability to communicate with splunkd. (SPL-47585)
Distributed deployment, forwarder, deployment server, and deployment monitor issues
- Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
- Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed. (SPL-30065)
- When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext. (SPL-26529)
- You can't use Manager to specify an app for deployment server to deploy, you can only specify server classes. (SPL-29903)
- Light forwarders are unable to load-balance UDP incoming data across several indexers using autoLB. In this situation the data will be forwarded to one indexer only. A "heavy", or full, forwarder is currently needed to achieve this. (SPL-32708)
- Forwarder startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
- If you install a universal forwarder on the same *nix machine as a regular Splunk installation, they overwrite each other's services upon running "enable boot-start". (SPL-36032)
- Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
- Distributed search bundle replication from *nix to Windows with illegal Windows file name characters in file name can cause bundle extraction to fail. This operation can loop and cause unwanted disk space to be used that is normally used for bundle extraction. (SPL-39464)
- Charts in the deployment monitor do not show data if the increment selected is 30 minutes or less. To work around this issue, when searching over timeranges of 30 min or less, use forwarder_metrics and per_index_metrics macros to run searches against the logs rather than against summaries. For example:
  - The search that populates the forwarder summary index is: `forwarder_metrics` | eval lastReceived = if(kb>0, _time, null) | `forwarder_lookup_stats("max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps")`
  - The search that populates the indexer summary index is: `per_index_metrics` | stats sum(kb) as kb by splunk_server | join type="outer" splunk_server [ search `indexer_queue_stats`] | rename splunk_server as my_splunk_server (SPL-39701)
- The TCP input processor sometimes writes confusing but harmless messages in the splunkd.log of an indexer: "ERROR TcpInputProc - Error encountered for connection from src=xxx.xxx.xxx. Success". These can be safely ignored. (SPL-34584)
- Deleting an application from deployment server does not honour the restartSplunkd = true and restartSplunkWeb = true variables in serverclass.conf. Workaround: manually restart Splunk on affected deployment clients. (SPL-41345)
- Round-robin load balancing does not work. Note/workaround: round-robin load balancing was deprecated in Splunk 4.2 and automatic load balancing is now the default. (SPL-46856)
Startup and shutdown issues
- On shutdown, many WARN lines are displayed in splunk.log that should actually be INFO. These lines can be safely ignored. (SPL-24862)
- If the splunk stop command is run while the splunk start command is still in the process of completing, Splunk may shut down uncleanly and lose data. (SPL-37510)
- When starting Splunk, if there happens to be a duplicate bucket ID (same ID in both warm and hot DB), splunkd will crash due to an uncaught DatabaseDirectoryManagerException exception. (SPL-36819)
- A crash of splunkd can occur on start-up due to the DispatchReaper thread failing to properly parse a search artifact in the search dispatch directory. The work-around is to delete the contents of the dispatch directory ($SPLUNK_HOME/var/run/splunk/dispatch/) and start Splunk again. (SPL-47232)
Unsorted issues
- Splunk doesn't run on FreeBSD with ZFS. (SPL-30317)
- BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
- PDF Server App is outputting PDF Reports with some overlapping panels. (SPL-38101)
- RPM package verification "rpm -V splunk-xxx-xxx.rpm" returns a message "missing splunk-launch.conf.default" even though the content does not have a problem. (SPL-35181)
- Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
This documentation applies to the following versions of Splunk: 4.3