Splunk® Enterprise

Release Notes

Download manual as PDF

Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

Publication date Defect number Description
2016-4-21 SPL-119575 In 6.4.x, adding a search peer with a higher version number fails or issues a warning when using the REST API.
2016-04-05 SPL-109427 LDAP SSL does not work in Splunk 6.3 (and later) for Windows 2003. Workaround is as follows:

1) obtain Ciphers configured on Windows AD 2003 server. 2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it.

2014-10-28
Due to a vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure allowed and restricted SSL versions in the Securing Splunk Enterprise manual and the Blog entry: Mitigating the POODLE attack in Splunk.
2014-10-28 SPL-92435 Forcing TLS1.2 or TLS1.1 in server.conf with SPLUNK_FIPS does not work.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Publication date Defect number Description
2014-10-28 SPL-91835 Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, remove the app before starting an upgrade. To prevent this issue from occurring, upgrade the app to version 1.1.5 before you upgrade Splunk Enterprise.
Pre-6.2 SPL-89640 If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
Pre-6.2 SPL-73386 Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:

1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Publication date Defect number Description
2016-08-03 SPL-12570 Archive Processor cannot handle zip files containing entries with non-ascii utf8 chars in their filenames
2015-11-12 SPL-109362 When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage
2015-10-09 SPL-107716 Splunk UF doesn't process newly created files in the monitored directory (reparse point)
2015-05-22 SPL-101981 GDI: Sourcetype name with quotes
2015-04-16 SPL-99796 Universal Forwarder Crashing thread: Main Thread - Access violation, cannot read at address.
Workaround: WinRegMon is using modular input in 6.2. If an old script-input configuration is migrated to 6.2.x, i.e.,

{noformat} [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] {noformat} user should remove such misconfigured stanza.

2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day
Workaround: [Root cause]: The root cause is that their fishbuckets got too big (500MBbytes in size and estimated more than 6M entries) and the UFs spent a lot time traversing the fish bucket in checkpoint() routine, which is hard-coded to be called every hour, and this caused TCP sending to be blocked.

[Workaround]: Configuration change to reduce ""file_tracking_db_threshold_mb" of [inputproc] stanza to lower value in limits.conf. In this case, the "file_tracking_db_threshold_mb" is changed to be 50. Customer applied the change and the UFs are back to normal.

2015-03-17 SPL-98163 INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL. Workaround: Create a separate extraction in props.conf where defined w3c extraction method:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

2014-03-10 SPL-81637 Splunkd preview runs indefinitely
2013-10-29 SPL-75764 Forwarder forwards duplicate data after props.conf in place for cross platform scenario
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza
Workaround: There is an easy workaround on this one. Find the stanzas in inputs.conf that have WinRegMon://default and just replace default with something else, restart splunk.
2013-09-10 SPL-74209 modinputs: Persistent queues won't be created on Windows for stanzas that contain unusual characters

Search issues

Publication date Defect number Description
2016-03-17 SPL-116082 Release Note - user-specific commands will be ignored after upgrade to Galaxy
2015-06-17 SPL-103247 Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted.
2015-06-01 SPL-102405 Search operator outputcsv provides no explanation for the rejection of a file name with OS separators: "/" or "\"Workaround: Do not incorporate / or \ into the name of your outputlookup filename.
2015-04-03 SPL-99110 Distributed search fails intermittently to a subset of peers with an unhelpful "Unknown error"
2014-12-22 SPL-94910 replace function fails for columns name that contains an underscore
Workaround: Known issue : The replace function does not apply to fields names with an underscore in it. (SPL-94910). the workaround is to rename the fields before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-11-13 SPL-93039 |relevancy command does not work.
2014-10-22 SPL-92303 Some events are line broken improperly when forwarding from UF to Splunk Enterprise, leading to a event count mismatch with expected results.
2014-10-15 SPL-91996 No error if ref panel can't render because of ID collision.
2014-10-02 SPL-91638 Empty search jobs on SHC member (non-captain)
2014-09-15 SPL-90861 User is not notified if search skipped events due to corruption
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used
2014-04-04 SPL-82650 as per SPL-81526, a report created and scheduled by admin cannot be embedded by a power user
2014-03-27 SPL-82357 "Splunk clean all -f" doesn't remove data from main index on Windows platform
2014-03-15 SPL-81934 Unable to open output file in clustering SearchResults
2014-02-21 SPL-80942 flashtimeline: 500 Internal Server Error when paste long URL into panel name
2013-12-18 SPL-78179 REST /saved/searches App Names With Special Characters Have Invalid Links
2013-09-06 SPL-74151 SimpleXML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search
2010-07-21 SPL-32852 Post process does not return expected events if the original job is truncated.

Saved search, alerting, scheduling, and job management issues

Publication date Defect number Description
2015-11-15 SPL-109471 : Real Time Scheduled Search Being triggered twice or Multiple Times
2014-08-15 SPL-89332 report acceleration summaries are not showing up in the console when you have 100s of such reports accelerated
2014-08-05 SPL-88396 fwd input mgt: not showing clientName
2014-05-01 SPL-83686 DM Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns
2014-03-24 SPL-82262 pivot search command fails for an admin trying to pivot on a Private Datamodel created by an User
2014-03-20 SPL-82164 Migrating invalid data models from Bubbles to Cupcake fails
2014-03-19 SPL-82133 Regression:Should not allow to uploaded invalid JSON (who has fieldnames with spaces)
2014-03-10 SPL-81645 sticky UI when transaction group by object name has a single character
2013-11-26 SPL-77054 Data Model Backend: object names that start with "_" should not be allowed

Charting, reporting, and visualization issues

Publication date Defect number Description
2016-07-27 SPL-12512 The dashboard parser throws an error when non-integer value is used for the <sampleRatio> option
2015-03-31 SPL-98890 PDF: maps printed from report page do not honor custom zoom and center
2015-02-23 SPL-97193 "initial value" for "multiselect" input does not display properly in Viz Editor if input has empty string
2014-10-24 SPL-92432 Chart in dashboard panel does not honor interval settings
2014-10-15 SPL-91996 Show error if ref panel can't render because of ID collision
2014-09-19 SPL-91074 Submit button does not get rendered when instantiating a form via the client-side parser/factory
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range
2014-01-30 SPL-79768 Changing map and tile parameters in Viz Editor reports error in Console
2014-01-27 SPL-79562 Cloned dashboard is not getting scheduled but looks like it is
2014-01-03 SPL-78612 Deleting a dashboard with a scheduled pdf does not delete the scheduled view
2013-11-20 SPL-7682 It causes 400 error if given string value of attribute is empty (expects integer value)
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza
Workaround: There is an easy workaround on this one. Find the stanzas in inputs.conf that have WinRegMon://default and just replace default with something else, restart splunk.
2013-09-06 SPL-7415 SimpleXML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
2013-08-22 SPL-73569= pie maps should have legends
2010-07-21 SPL-32852 Post process does not return expected events if the original job is truncated.

Data model and pivot issues

Publication date Defect number Description
2014-12-08 SPL-94047 Pivot Editor: _time as Split Column not formatted properly
2014-05-01 SPL-83686 DM Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns
2014-05-01 SPL-83686 DM Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns
2014-03-24 SPL-82262 pivot search command fails for an admin trying to pivot on a Private Datamodel created by an User
2014-03-20 SPL-82164 Migrating invalid data models from Bubbles to Cupcake fails
2014-03-19 SPL-82133 Regression:Should not allow to uploaded invalid JSON (who has fieldnames with spaces)
2014-03-11 SPL-81701 Legend Position and Stack Mode changes to default settings after second X/Y-Axis change
2014-03-10 SPL-81645
sticky UI when transaction group by object name has a single character
2014-03-07 SPL-81538 pivot - choosing scatter chart - loses stack mode
2013-11-26 SPL-77054 Data Model Backend: object names that start with "_" should not be allowed

Indexer and indexer clustering issues

Publication date Defect number Description
2016-07-27 SPL-125153 Corrupt bucket fails to freeze and prevents other cold buckets in index from rolling
Workaround: Move the corrupt bucket out of the colddb. This immediately resolved the issue.
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs
2016-06-07 SPL-122154 CSV Streaming Parser crashing for quoted empty strings followed by a space and Windows newline
2016-06-06 SPL-122057 DNS Host Matching failure for IPv6 addresses
2015-05-11 SPL-101289 Indexing throughput decreases when number of pipelinesets is greater than four.
2015-05-08 SPL-101184 Rolling restart may not be successful if oneshot command is also running.
2015-05-06 SPL-100980 Single Indexer does not scale when receiving parsed data from multiple PipelineSets
2015-03-26 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id.
2014-10-13 SPL-91861 Windows indexer splunk-optimize crashed on Main Thread on ec2 instance only on buckets on "Temporary Drive z:\", but never on c:\
2014-09-29 SPL-91432 Clustering - Windows peer "splunk offline" cli command hangs when master is down
2014-09-17 SPL-90983 Corrupted buckets in indexing cluster
2014-09-09 SPL-90661 offline with --enforce-counts on a peer goes forever as master struck in fixup
2014-09-09 SPL-90659 Clustering - change service_interval at runtime
2014-09-08 SPL-90630 No warning is given when search head names are the same
2014-08-29 SPL-90331 Clustering: Bucket missing copy - not in replication factor fixups
2014-08-06 SPL-88434 msg 'Detected possible tampering with this source.' displays for valid data
2014-07-29 SPL-87816 pass4SymmKey cannot be set in for clustering/shclustering
2014-07-14 SPL-86799 splunkd hangs on restart
2014-05-27 SPL-84540 SHP + Clustered - edit cluster-config -mode clears away replication_port in server.conf, should rename setting to shp_replication_port
2014-05-01 SPL-83693 Clustering manager reports data not searchable though search factor is met
2014-04-29 SPL-83636 Multisite: Wrong error msgs when trying to edit cluster-config of master with default RF/SF.
2014-04-17 SPL-83169 On Windows, if peers' Windows explorer not closed for long enough time, adding a new index still requres a peer restart, not reload
2014-04-14 SPL-83068 default-index can be set to random index
2014-03-18 SPL-82038 Multisite: Cluster-config will not work if the parameter value has spaces in them
2014-03-17 SPL-81972 Clustering: Changing site policy on the master - adding a site does not fixup existing hot buckets
2014-03-17 SPL-81955 Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed.
2014-03-14 SPL-81913 multisite: going from multisite->non multisite can result in unsearchable buckets
2014-01-31 SPL-79842 Indexer doesn't accept new connections on splunktcpin port after queue blockage is resolved
2014-01-06 SPL-78688 Peer is able to change to an invalid (empty) replication port
2013-12-30 SPL-78462 homePath.maxDataSizeMB and coldPath.maxDataSizeMB being ignored on Windows
2013-12-11 SPL-77792 Different # events returned for identical buckets on different sites because partial uncompressed slice exists on one peer's bucket but not on others
2013-08-28 SPL-73826 Windows: hostname override not working properly
2013-08-06 SPL-72484 changing servername on searchhead doesn't get reflected in master's ui
2013-07-25 SPL-71645 The creation of the report summary folder fails silently when the path is invalid
2013-07-03 SPL-70433 Poor containment of application data in slave-apps when users need to write to apps that reside in slave-apps
2010-10-08 SPL-34347 wmi input default fields - with value including newlines doesn't search properly becasue of \r\n issue

Distributed search and search head clustering issues

Publication date Defect number Description
2016-08-05 SPL-125817 Splunk incorrectly reports that historical concurrent system-wide searches had been reached
2016-07-17 SPL-124443 Incorrect user level concurrent search calculation causes user searches to be skipped
2016-06-22 SPL-123305 loadjob not working - statusCode=403, Forbidden
2015-11-15 SPL-109471 Real Time Scheduled Search Being triggered twice or Multiple Times
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-02-26 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files. Workaround: The allowable size of the download can be increased by setting the following in server.conf.

[httpServer] max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is: [Endpoint - Local Processes Tracker - Lookup Gen]

2014-08-25 SPL-90028 inputcsv dispatch=true probably doesn't work on rsa_* replicated artifacts
2014-08-15 SPL-89334 REGRESSION - Thread exhaustion: Many concurrent ad-hoc searches with 10k source types (same test case "worked" in cupcake)
2014-08-14 SPL-89131 With SHClustering, search Job management page on SHC member doesn't reflect 'isSaved' state after you click 'save' for multiple seconds, leading to a sub-par/confusing user experience in UI
2014-08-02 SPL-88228 RSS feed not pool aware
2014-05-27 SPL-84540 SHP + Clustered - edit cluster-config -mode clears away replication_port in server.conf, should rename setting to shp_replication_port

Distributed deployment, forwarder, deployment server issues

Publication date Defect number Description
2014-10-02 SPL-91648 Forwarder Inputs - Unable to push scripted input to linux deployment client from windows deployment server. Workaround: 1) For any and all instances : change perms manually ...duh!

2) For non-UF ie instances with python shipped: Add one py file "installit.py" under $SPLUNK_HOME/etc/deployment-apps/unix/installit.py with these contents:

  1. !/usr/bin/python

logfile = open("/tmp/installit.log", "a") logfile.write("I am alive!\n") import time logfile.write("It is now: %s" % time.asctime()) import sys logfile.write("I believe my name is %s\n" % sys.argv[0]) import os logfile.write("My cwd is %s\n" % os.getcwd()) path_to_script = os.path.join(os.getcwd(), sys.argv[0]) logfile.write("My path is %s\n" % path_to_script) dir_to_target = os.path.join(os.path.dirname(path_to_script), "bin") logfile.write("My target is %s\n" % dir_to_target) import stat execute_everyone = stat.S_IXUSR | stat.S_IRUSR | stat.S_IRGRP | stat.S_IXGRP \

                | stat.S_IXOTH | stat.S_IROTH

for filename in os.listdir(dir_to_target): path_to_target = os.path.join(dir_to_target, filename) os.chmod(path_to_target, execute_everyone)

2014-08-15 SPL-89333 Forwarder Management with 7700 clients : Client filtering on UI causes ~3.3GB Virtual Memory ~1.7GB Resident Memory increase in splunkd memory
2014-06-20 SPL-85739 Regression in splunkd Memory: Deployment Server with 700 clients
2014-04-10 SPL-82949 Regression: Forw. Mngm: Blank page appears when add unsupported attribute to serverclass.comf

Data Management Console Issues

Publication date Defect number Description
2016-08-01 SPL-125461 When creating a new index from an app context, the current app is not selected in the app dropdown on new index page
2016-02-08 SPL-113843 "Splunk TCP Input Performance: Deployment" doesn't work with pipelinesets
2016-02-08 SPL-113844 "Splunk TCP Input Performance: Instance" doesn't work with pipelinesets
2016-02-08 SPL-113843 "Splunk TCP Input Performance: Deployment" doesn't work with pipelinesets
2015-05-11 SPL-101270 sort button overlaps with the column separator
2014-10-26 SPL-92435 Forcing TLS 1.1 or TLS1.2 with FIPS mode ON does not work
2014-04-07 SPL-82699 SSO: Acceleration icon fails to display in Searches, reports, and alerts page

Splunk Web and interface issues

Publication date Defect number Description
2016-04-05 SPL-117137 When using appServerPorts = 0 and SSL Splunkweb will not start in 6.4.0. Workaround: Set Template:AppServerPorts to its default value of 8065 (or to any other non-zero value).

- or - Apply fix made in this jira which is to remove the import of PROTOCOL_SSLv2 from python-site/splunk/appserver/mrsparkle/root.py {code}

           if global_cfg.get('sslVersions'):

- from ssl import PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1, PROTOCOL_TLSv1_1, PROTOCOL_TLSv1_2, OP_NO_SSLv2, OP_NO_SSLv3 + from ssl import PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1, PROTOCOL_TLSv1_1, PROTOCOL_TLSv1_2, OP_NO_SSLv2, OP_NO_SSLv3

               if global_cfg.get('sslVersions') == 'all':
                   global_cfg['server.ssl_version'] = PROTOCOL_SSLv23
-               elif global_cfg.get('sslVersions') == 'ssl2':
-                   global_cfg['server.ssl_version'] = PROTOCOL_SSLv2

{code}

2015-11-09 SPL-109165, SPL-109165 Interactive Field Extractor Hangs when using "^" as delimiter. Workaround: Use props and transforms to specify the delimiter of your choice.
2015-06-30 SPL-103701 Actions' links should be removed for "Apps Browser"
2015-04-24 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml). Workaround is to use label attribute for collection element.

<collection label="Others">

           <view source="unclassified" match="Dashboard"/>
     </collection>
2014-09-26 SPL-91346 A user with a non-admin role and has edit_user capability gets error on Roles page: There was an error retrieving the configuration, can not process this page.
2014-07-16 SPL-87015 No metadata/ result when drilldown on count, percent columns
2014-04-04 SPL-82650 as per SPL-81526, a report created and scheduled by admin cannot be embedded by a power user
2014-02-26 SPL-81103 Username surrounded by dollar signs cannot create saved searches
2013-11-20 SPL-76798 time range picker is not customizable via times.conf the same as version 5 or as suggested by docs.
2013-08-28 SPL-73818 Splunk Home Page does not even load on Win8 - IE10
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Windows-specific issues

Publication date Defect number Description
2015-04-23 SPL-100199 (Dash) - When evt_dc_name is not specified for Wineventlog input (and SID resolution) is enabled, use the local DC (not PDC) for SID resolution
2015-04-14 SPL-99687 Splunk UF is 7-10 days behind recent Windows Security and system log events. Workaround: In inputs.conf:

{code} [WinEventLog://Security] evt_resolve_ad_obj = 0 {code}

2015-04-01 SPL-98978 Security Event reports Latency UF-6.2.2 and Indexer-5.0.1
Workaround: After up running more than 9 months, Windows system performance is degraded and event log system is not responsive. Restarting Windows system is the workaround.
2014-09-25 SPL-91279 Customer has discovered that Splunk UF on Windows (specifically splunk-perfmon.exe) is not releasing Key Handles
Workaround: See the following page for the ms bug:

http://support.microsoft.com/kb/2677323/en-us including info to download the patch.

2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza
Workaround: There is an easy workaround on this one. Find the stanzas in inputs.conf that have WinRegMon://default and just replace default with something else, restart splunk.

Rest, Simple XML, and Advanced XML issues

Publication date Defect number Description
2013-05-15 SPL-67453 Custom splunkd endpoint receives modified XML

Authentication and Authorization issues

Publication date Defect number Description
2016-07-26 SPL-125052 Sole Admin can demote his/herself to Power without path of recovery in GUI
Workaround: Through the command line, you can open notepad and modify the password file to regain 'Admin' status.
2016-01-07 SPL-111952 WARN LMDirective - directive cmd=D_set_feature_state args='SAMLAuth,ENABLED' failed: reason='feature='SAMLAuth' is invalid'
Workaround: upgrade the LS to the same version as LM
2015-11-13 SPL-109427 LDAP SSL no longer working in Splunk 6.3 (and later) for Windows 2003. Workaround: The issue is due to a limitation of AD2003. Here is an external link about the issue: http://openssl.6102.n7.nabble.com/openssl-1-0-2d-default-SSL-handshake-fails-td59469.html.

Workaround: 1) obtain Ciphers configured on Windows AD 2003 server. 2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it. The following is a working TLS_CIPHER_SUITE for one of the customers: {noformat} TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5 {noformat}

2012-02-22 SPL-48342 Ldap strategy host field cannot work with ipv6 format address but computer name is okay

PDF issues

Publication date Defect number Description
2015-03-31 SPL-98890 PDF: maps printed from report page do not honor custom zoom and center
2014-06-16 SPL-85497 Unable to save generated PDFs from Chrome internal PDF viewer
Workaround: You can use the browser's print function and print to a PDF that way.
2013-05-16 SPL-67491 PDF report: Events format settings like List, Table, Max lines, Wrapping.. don't' apply to PDF report
2012-11-26 SPL-58744 Area chart is not filled if the points are unconnected

Admin and CLI issues

Publication date Defect number Description
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-03-11 SPL-97942 Capability defined in an app does not take affect when assigned to a role.

Unsorted issues

Publication date Defect number Description
2016-07-11 SPL-123991, SPL-123990, SPL-123989, SPL-123988, SPL-123987 Clustered indexers frequently crashing in TimeoutHeap::checkClockSkew
2016-06-30 SPL-123723 diag fails when index path directory names are shorter than SPLUNK_HOME
2016-05-25 SPL-121429 License related searches need to use source=*license_usage.log* instead of source=*license_usage.log
2016-01-07 SPL-111952 WARN LMDirective - directive cmd=D_set_feature_state args='SAMLAuth,ENABLED' failed: reason='feature='SAMLAuth' is invalid'
Workaround: upgrade the LS to the same version as LM
2015-06-18 SPL-103302 Files ownership are failed to be changed when using debian package to install splunk and $SPLUNK_HOME is a symlink
Workaround: Run a recursive chown from the command line on $SPLUNK_HOME manually, post install.
2015-06-01 SPL-102362 Dynamic indexer discovery only supports one input
2015-05-24 SPL-102008 Error/Warning message should be displayed when user is not able to login due to timezone difference on IE browser
2015-05-21 SPL-101886 Login page logo displays incorrectly in IE9 when SSL is enabled and trusted 3rd party certificate is in place.
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day
Workaround: [Root cause]: The root cause is that their fishbuckets got too big (500MBbytes in size and estimated more than 6M entries) and the UFs spent a lot time traversing the fish bucket in checkpoint() routine, which is hard-coded to be called every hour, and this caused TCP sending to be blocked. Workaround:

Configuration change to reduce ""file_tracking_db_threshold_mb" of [inputproc] stanza to lower value in limits.conf. In this case, the "file_tracking_db_threshold_mb" is changed to be 50. Customer applied the change and the UFs are back to normal.

2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day
Workaround: [Root cause]: The root cause is that their fishbuckets got too big (500MBbytes in size and estimated more than 6M entries) and the UFs spent a lot time traversing the fish bucket in checkpoint() routine, which is hard-coded to be called every hour, and this caused TCP sending to be blocked. Workaround:

Configuration change to reduce ""file_tracking_db_threshold_mb" of [inputproc] stanza to lower value in limits.conf. In this case, the "file_tracking_db_threshold_mb" is changed to be 50. Customer applied the change and the UFs are back to normal.

2015-03-25 SPL-98594 Routing events to two different groups not working as expected. Workaround: 1 On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups.

2 Setup a proxy UF which takes input from the original UF and send input out syslog server. This solution only requires config change and no patch release is required.

2014-11-10 SPL-92831 License warnings with 6.2 license-master and older license-slaves
Workaround: The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1).
2014-10-17 SPL-92162 Running outputlookup into mongo takes up to 13G of memory
2014-08-20 SPL-89640 When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restart. Workaround: chown the directory to the user Splunk runs as after upgrade and before restart.
2014-04-22 SPL-83365 On Windows no error message is shown when a user with no edit_license capability tries to add a license through CLI
2014-03-12 SPL-81810 Licensing - license pool warning at license master keeps coming back after deleting it
2013-11-27 SPL-77139 Licenser pool usage gets reflected only after restarting Splunkd
2013-09-18 SPL-74427 Solaris Sol10 pkg Splunk UF does not add Splunk user
2013-06-13 SPL-69304 Remove warning text in UI about idx field in License Usage view
2013-05-25 SPL-68010 inability to connect to splunkbase/.../checkforupdate is not an ERROR; please lower log severity level
2013-05-02 SPL-66511 on case-insensitive filesystem: creating a new view with same name, but different casing overwrites an existing view

Uncategorized issues

Publication date Defect number Description
2015-10-07 SPL-107606 Inconsistency between summary and datamodel_summary files
2015-06-10 SPL-103010 Indexing thruput on forwarder with four pipelinesets drops 30% compared to two pipelinesets.
2015-02-26 SPL-97389 Should the scheduler respect "null" for latest_time?
2015-01-30 SPL-96091 SimpleXML: cannot use token in <option name="count">$token$</option>
2015-01-08 SPL-95144 Indexed message for Windows security event logs shows "FormatMessage error"
Workaround: Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.
2014-11-10 SPL-92870 Token not visible in Visualizations Editor if the token contains "$" character.
2014-10-31 SPL-92596 Attempting to manually start the Splunk Web service on Windows results in a confusing error from the Windows service manager
Workaround: Ignore the error.

Splunk Answers - http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html

2014-09-11 SPL-90738 error in indexing when added monitor with unknown source type
2014-08-26 SPL-90139 Patterns: no when running search in fast mode
2014-06-30 SPL-86226 User should have ability to navigate to Panel in case of error
2014-04-01 SPL-82517 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings
2014-03-23 SPL-82238 Datamodel fails to Drilldown further when you select same attribute for Split Rows and Split Columns
2014-03-13 SPL-81856 Show all lines does not work in data model editor preview
2014-03-12 SPL-81781 DM Manager: Acceleration Status and Access Count fails to update on Update click
2014-02-07 SPL-80285 DM Editor: Edit Lookup page will be displayed blank if Lookup shared only in Lookup Defenitions
2014-02-06 SPL-80187 DM Editor: Display some message when user navigated to Lookup Edit page without provided Defenition Permission
2013-09-13 SPL-74337 cannot specify destination folder during install with OSX
2013-04-30 SPL-66213 PDF server app is not working with latest Xvfb
PREVIOUS
Welcome to Splunk Enterprise 6.4
  NEXT
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 6.4.3 View the Article History for its revisions.


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters