Known issues
Contents
- Data input issues
- Splunk Web and Manager interface issues
- Charting and drill-down issues
- Search, saved search, alerting, scheduling, and job management issues
- Localization, internationalization, and character set issues
- Dashboard and app development issues
- Windows-specific issues
- CLI issues
- Distributed deployment, forwarder, deployment server, and deployment monitor issues
- Startup and shutdown issues
- Unsorted issues
The following are issues and workarounds for this version of Splunk.
Data input issues
- monitor inputs using the followTail setting sometimes will index some older events or all events from log files which are updated when not intended. (SPL-23555)
- When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294)
- Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases. (SPL-31576)
- Splunk does not support execution with the python-modifying variable PYTHONCASEOK set. (SPL-31866)
- A trailing slash (\) on an inputs.conf monitor stanza belonging to the source attribute will corrupt the sources.data file and Splunk will not start. (SPL-33760)
- The universal forwarder changes capitalization of the hostname (pulls from server.conf instead of inputs.conf) and Splunk Web now displays two hosts. (SPL-38141)
- When you add a CSV or IIS source type, Splunk appends -1, -2 and so on to the source type name. (SPL-43865)
- The file browser in Data Preview will display an error and only part of the file system when trying to load large numbers of subdirectories (100+) and files (1000+). (SPL-46503)
- After Splunk restarts, it reindexes *.gz files, resulting in duplicate events. (SPL-51091)
- Latest time/earliest time boundaries are mismatched between metadata and bucket directory for buckets rebuilt by splunk fsck. (SPL-51016)
- The .sizeManifest4.1 file reports a smaller total size than reality for buckets rebuilt by splunk fsck. (SPL-51366)
Splunk Web and Manager interface issues
- If you have cookies disabled or if the server and/or client CPU time are not in sync, you will be returned to the login page. Both machines must have the correct time set when the cookie timestamp is verified. (SPL-22393)
- Using the browser's Back button to get back to a form view doesn't work properly; you have to re-run the search to redisplay the graph. (SPL-27179)
- Zooming out in the flash timeline only zooms out the previous time region, not the subsequent one. (SPL-18126)
- Splunk Web still thinks your license is expired if you replace it behind the scenes. To work around this issue, choose 'Enter a new license number' and then log in. (SPL-28582)
- The success message when uploading a file in Splunk Web does not correctly display the filename. (SPL-29855)
- Using jquery before 1.3.2 with changeset 6268 results in false ActiveX warnings (see http://dev.jquery.com/changeset/6268/trunk). A patch is available. To apply the patch:
  - Download the patch file.
  - Unzip the patch file.
  - cd $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/contrib
  - patch jquery-1.3.2.js jquery-activex.patch
  - Because Splunk Web aggressively caches content, you must change the URI signature:
    - Open http://localhost:8000/_bump
    - Click the 'bump version' button.
- Splunk Web does not notify you if you specify an invalid port number in web.conf. (SPL-25584)
- The indexing status dashboard's "Index health" graph and "Analysis of index bucket" do not work for multiple indexes, only a single index. (SPL-34123)
- On iPads, the drop-down menu for selecting events does not wrap correctly. (SPL-44678)
- Splunk Web modal dialog boxes are not compatible with protected web environments that use proxies and application layer gateways. (SPL-43365)
- When using drag-and-drop resizing for dashboard panels in Internet Explorer 6, the panel will only drag to a larger size. If you drag the corner to make it smaller again, the display does not update. If you reload the whole page, the chart will display the smaller size. (SPL-45801)
- Dashboard panels in Internet Explorer 6 do not render their contents at an optimal size, resulting in unnecessary white space. (SPL-45800)
- The SSOMode=permissive setting does not allow Splunk Web access if the incoming client IP does not have a match in the trustedIP list. (SPL-46047)
- Dashboard panels with Flash charts do not rearrange properly. (SPL-46019)
- If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change take effect immediately. The retrieved events will be in the correct time zone but the timeline will not. Wait 30 seconds and reload the page to see the updated timeline. (SPL-46852)
- Intermittently the flashtime search events list displays empty result rows. Rerun the same search and all the event content will appear. This is not a data issue as the table view confirms the set of raw data exists. (SPL-49330)
- HiddenSavedSearch results cannot be post-processed and displayed in JSChart. (SPL-50300)
Charting and drill-down issues
- When a chart displays an "OTHER" bucket of values, drilling down into it adds myfield="OTHER" to the search string. (SPL-30399)
Search, saved search, alerting, scheduling, and job management issues
- When running a search with 'use starthoursago', the displayed time range message is misleading (although the results are correct). (SPL-33409)
- There is no way to escape an asterisk (*) in the search language. (SPL-30079)
- CLI search doesn't warn on stderr when results were truncated due to the maxout limit. (SPL-35478)
- Email alert sends attachment in csv despite format=plain being set in alert_actions.conf or action.email.format=plain in savedsearches.conf. (SPL-38858)
- The Create Alert and Schedule Search dialog boxes in the Search app, under "send email," are missing the option to include search results as PDF. Workaround: Enable PDF email alerts in Manager > Searches and reports. (SPL-46832)
- On Windows, lookup tables populated by scheduled searches could fail to be updated if there is a search running and using the lookup at the time of the update attempt. (SPL-40332)
- Internet Explorer is not displaying multilined events preceded with spaces such as Windows Event log events, WMI events or XML. To work around this, turn off "Wrap results" in the Options menu. (SPL-40354)
- Sparklines do not display in email alerts. The email will display the backing data rather than rendering the sparklines. Workaround: Use the PDF Server app to email a PDF of the report. (SPL-48265)
- _time format is not human-readable when you export events using the Export button. Workaround: use the cTime_convert function. (SPL-48611)
- Searches using cidrmatch may cause crashes. Workaround: replace 'cidrmatch(A, B)' with 'if(typeof(B, "String"), cidrmatch(A, B), null())'. (SPL-49828)
- Export with Unlimited for csv, xml or json in the Advanced Charting view will generate a zero (0) byte file. (SPL-51334) Workaround: in Manager > User Interface > Views > charting, replace the text "event" with "result" in the following XML entry and Save. A restart is not necessary: <module name="Export"><param name="exportType">event</param></module>
Localization, internationalization, and character set issues
- Certain Japanese language OSes, including most versions of Windows, use the ¥ (Yen) symbol to denote backslashes in path names. This can cause issues when monitoring or spooling files, and may require custom regex configurations where a file path is part of the dataset. (SPL-23307)
- Splunk throws the following error message when data input tar.gz file contains Simplified Chinese characters (GB2312): Input is not proper UTF-8, indicate encoding! (SPL-38488) Workaround: manually extract the CSV files from the tar.gz file and put them in the same data input file path. Splunk will recognize all the CSV files with Chinese file names and all events will be read into Splunk correctly.
- Time zone extraction can conflict if time zone strings match (for example, EST as US Eastern Standard Time and Australian Eastern Standard Time). Workaround: use an explicit time prefix, a time format that does not include the time zone, or explicitly specify the time zone. (SPL-45509)
Dashboard and app development issues
- Old modules, templates, and other app components are not deleted on upgrade. (SPL-22494)
- If you specify more than the 3-column maximum for layoutPanel, the error message is not very helpful. (SPL-29295)
- You can create/update/clone/delete 'Navigation menus', but Splunk Web only uses default.xml. (SPL-30024)
- On Windows, ServerSideInclude modules cannot use relative paths in their source parameter ("../../myinclude.html"). (SPL-35552)
- Real time search dashboard intermittently stops updating short of the actual # of events received. (SPL-37461)
- As of 4.2.1, Splunk has removed support for illegal characters in URIs. Apps that add explicit links to the view XML that contain unsafe URL characters that are unencoded will fail with a 500 error.
- Using showsource=1 to convert a simple XML dashboard to advanced XML sometimes generates incorrect advanced XML. (SPL-48485)
Windows-specific issues
- The Message field is not extracted and is therefore missing from imported Windows event log file (.evt) data. (SPL-24947)
- Timestamps are not set correctly for comment lines in W3C (aka Internet Information Server (IIS) and Exchange) log files. (SPL-29111)
- The splunkd.exe executable on Windows generates about 4,000 page faults/sec when running the Windows app (only) with all the inputs turned on. This is not necessarily a real problem, since most of the page faults will be cache hits and won't end up as hard (on-disk) page faults. However, if the machine is under memory pressure (perhaps from another RAM-hungry app) then splunkd's behavior may cause lots of hard page faults/sec. (SPL-30343)
- On Windows XP and Server 2003 systems, Event Log checkpointing fails if you stop Splunk, clean the events, and restart Splunk. To work around this issue, don't stop Splunk when you clean the events. (SPL-29594)
- The Windows Service Control Manager will interrupt the shutdown of the splunkd or splunkweb processes if it doesn't complete in the allotted 30 seconds. This will result in an unclean shutdown and Splunk will prompt the administrator to perform fast recovery on the indexes on the next splunkd start. (SPL-37653)
- Splunk does not pass a warning message when it tries to index a corrupt or invalid gzip file on Windows. (SPL-42212)
- The universal forwarder installer on Windows does not copy certificates from Windows/Samba shared directories. (SPL-45590)
- In data preview, empty lines can appear if the empty line is the first item in a 4KB segment. (SPL-46010)
- Universal Forwarder for Windows is unable to automatically extract the date_* fields from Windows events. The workaround is to use a search time extraction on the indexer. (SPL-51303)
- Reading of the Message field for Windows Event Log data will frequently fail, showing a message such as "Splunk could not get the description for this event." instead of the correct message text. As a temporary workaround, continue using 4.3.1 or earlier on Windows forwarders gathering this data. (SPL-51312)
CLI issues
- The universal forwarder fails to recognize that indexes should be remote when being specified via CLI. (SPL-38182) To work around this, specify the destination index manually in inputs.conf.
- The CLI export command does not return results when flags are added for filtering. (SPL-45694)
- The server.conf spec indicates that you can set requireClientCert = true in order to require that HTTPS clients connecting to the splunkd process present a certificate signed by the CA whose public certificate is defined in caCertFile. Because the Splunk CLI cannot be configured to present an SSL certificate, setting requireClientCert = true in server.conf breaks its ability to communicate with splunkd. (SPL-47585)
- The $SPLUNK_HOME/bin/bloom utility creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility until this issue is fixed. (SPL-50742)
Distributed deployment, forwarder, deployment server, and deployment monitor issues
- Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
- Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed. (SPL-30065)
- When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext. (SPL-26529)
- You can't use Manager to specify an app for deployment server to deploy, you can only specify server classes. (SPL-29903)
- Forwarder startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
- If you install a universal forwarder on the same *nix machine as a regular Splunk installation, they overwrite each other's services upon running "enable boot-start". (SPL-36032)
- Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
- Distributed search bundle replication from *nix to Windows with illegal Windows file name characters in file name can cause bundle extraction to fail. This operation can loop and cause unwanted disk space to be used that is normally used for bundle extraction. (SPL-39464)
- Charts in the deployment monitor do not show data if the increment selected is 30 minutes or less. To work around this issue, when searching over time ranges of 30 minutes or less, use forwarder_metrics and per_index_metrics macros to run searches against the logs rather than against summaries. For example:
  - The search that populates the forwarder summary index is: `forwarder_metrics` | eval lastReceived = if(kb>0, _time, null) | `forwarder_lookup_stats("max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps")`
  - The search that populates the indexer summary index is: `per_index_metrics` | stats sum(kb) as kb by splunk_server | join type="outer" splunk_server [ search `indexer_queue_stats`] | rename splunk_server as my_splunk_server (SPL-39701)
- The TCP input processor sometimes writes confusing but harmless messages in the splunkd.log of an indexer: "ERROR TcpInputProc - Error encountered for connection from src=xxx.xxx.xxx. Success". These can be safely ignored. (SPL-34584)
- Deleting an application from deployment server does not honour the restartSplunkd = true and restartSplunkWeb = true variables in serverclass.conf. Workaround: manually restart Splunk on affected deployment clients. (SPL-41345)
- Round-robin load balancing was deprecated in Splunk 4.2 and automatic load balancing is now the default. (SPL-46856)
- "Deployment Monitor" app's "MB Indexed" dashboard reports incorrect volume if other Splunk instances are sending metrics.log to search peers (SPL-48887)
- "Deployment Monitor" app's "By License Pool" report shows nearly double the daily usage than "By Indexer" Report. (SPL-49519)
Startup and shutdown issues
- On shutdown, many WARN lines are displayed in splunk.log that should actually be INFO. These lines can be safely ignored. (SPL-24862)
- If the splunk stop command is run while the splunk start command is still in the process of completing, Splunk may shut down uncleanly and lose data. (SPL-37510)
- When starting Splunk, if there happens to be a duplicate bucket ID (same ID in both warm and hot DB), splunkd will crash due to an uncaught DatabaseDirectoryManagerException exception. (SPL-36819)
Unsorted issues
- Splunk doesn't run on FreeBSD with ZFS. (SPL-30317)
- BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
- PDF Server App is outputting PDF Reports with some overlapping panels. (SPL-38101)
- PDF Server App does not print a test page if splunkd is configured to listen on IPv6 while splunkweb is not configured for IPv6. Error in python.log: "(400) Remote host does not look like a Splunk server; aborting PDF." Emailed PDFs still work. (SPL-45876)
- RPM package verification "rpm -V splunk-xxx-xxx.rpm" returns a message "missing splunk-launch.conf.default" even though the content does not have a problem. (SPL-35181)
- Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
This documentation applies to the following versions of Splunk: 4.3.2