Release Notes


Changelogs (what's been fixed) by version
Deprecated features

Known issues

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

Publication date Defect number Description
2015-03-06SPL-95603Auto filling of user credentials causes login failure on Safari, Firefox, and Internet Explorer.
The PDF Report Server App, which was deprecated in version 6.0, has been removed. In Splunk 6.2, you cannot generate PDFs from dashboards that are implemented using advanced XML.
2014-10-30SPL-92596After an upgrade to 6.2 on Windows, the splunkweb service does not start automatically. Attempts to start it manually result in the following message: Error 1053: The service did not respond to the start or control request in a timely fashion. This is by design. While the splunkweb service does install, the splunkd service now handles all Splunk Web operations. See "The Splunk Web service installs but does not run" in "About Upgrading to 6.2."
Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure allowed and restricted SSL versions in the Securing Splunk Enterprise manual and the Blog entry: Mitigating the POODLE attack in Splunk.
2014-10-28SPL-92435Forcing TLS1.2 or TLS1.1 in server.conf with SPLUNK_FIPS does not work.
2015-01-30SPL-95004Large delays in Windows Event logs being indexed. This could cause delays in Windows event logs being ingested by Splunk.
2015-03-17SPL-96265Orphan KVStore process stops Splunk from restarting.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Publication date Defect number Description
2014-10-28SPL-90648When you upgrade a Windows universal forwarder that runs as a domain user from version 6.1.3, the installer changes the service account to the Local System user. To work around the problem, upgrade the forwarder to 6.1.4 first, then upgrade to 6.2.
2014-10-28SPL-91835Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, remove the app before starting an upgrade. To prevent this issue from occurring, upgrade the app to version 1.1.5 before you upgrade Splunk Enterprise.
Pre-6.2SPL-89640If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
Pre-6.2SPL-75354Opening saved searches for editing or running CLI searches are very slow. Workaround: disable fetch_remote_search_log in limits.conf.
Pre-6.2SPL-73386Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:

1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Publication date Defect number Description
2014-10-28SPL-88396After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI.

Workaround: Create a server class, where you can see the client name, and use that group when you add data.

2014-10-28SPL-90527After gzipping a directory that has previously been indexed, a monitor reindexes the contents of the gzipped directory.
2014-10-28SPL-90738Monitoring a directory with an unknown sourcetype produces indexing errors.
Pre-6.2SPL-79421Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields (_*, _meta or _TCP_ROUTING)
Pre-6.2SPL-83068Default-index can be set to random index.
Pre-6.2SPL-34347wmi input default fields - with value including newlines doesn't search properly because of \r\n issue.
Pre-6.2SPL-73825, SPL-73826Hostname override/Regex on path not working correctly for compressed file inputs on Windows.
Pre-6.2SPL-74028Running splunk list wmi doesn't show active WMI collections, but splunk cmd btool wmi list does.
Pre-6.2SPL-74209Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.

Charting, reporting, and visualization issues

Publication date Defect number Description
2015-01-12SPL-94277 While creating a Pivot, when I split rows by time and select the format "Year", it returns this value: 2014-01-01 00:00:00.
2015-01-12SPL-94047 While creating a Pivot, when using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column.
2014-10-28SPL-92432Chart in dashboard panel does not honor interval settings.

Workaround: In the panel XML, specify a larger height to use the correct interval settings.

Pre-6.2SPL-79768Changing map and tile parameters in the Vizualization Editor creates error in Console.
Pre-6.2SPL-80568Highcharts set Y-axis value based on first point outside visible range.
Pre-6.2SPL-81538When using pivot, stack mode is lost when "Scatter Chart" is selected. - loses stack mode.
Pre-6.2SPL-73846New reports are not displayed in the report list until you refresh the window.
Pre-6.2SPL-73569Pie maps do not have legend labels.

Indexers and indexer clustering issues

Publication date Defect number Description
2014-10-28SPL-87816 When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.

Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.

2014-10-28SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-10-28SPL-83636 If you first configure a master with default RF/SF and then give the misconfiguration command, you get an error message that is wrong.
2014-10-28SPL-91567 Batch primary jobs are scheduled last. They should be scheduled first.
2014-10-28SPL-90983 In indexing cluster, found a few corrupted buckets from search peer that might affect the report summary getting correct results.
2014-10-28SPL-90661 Taking a peer offline with enforce counts on causes master to remain in fixup mode.
2014-10-28SPL-90659 Configure clusters with large numbers of buckets. For clusters with a large number of buckets (>100k), Splunk recommends changing the service_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.

For clusters with a large number of buckets (>100k), Splunk recommends changing the service_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.

2014-10-28SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-10-28SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-10-28SPL-90331 Multi-site cluster doesn't meet replication factor/search head factor due to bucket issue.

Workaround: From the endpoint, add the buckets missing RF/SF to the to_fix list.

2014-10-28SPL-84540 For search head pooling on a cluster master or clustered search_head, editing the cluster-config-mode clears replication_port.

Workaround: rename setting to shp_replication_port.

2014-10-28SPL-78688 Peer is able to change to an invalid (empty) replication port.
2014-10-14 Searches fail on corrupted journal.gz files. Workaround is to add that journal.gz to the input path's blacklist (vix.input.1.path.ignore = ....)
2014-10-28SPL-91432 On Windows when the master is down, the CLI command splunk offline hangs when run from one of the streaming target peers.
2014-10-28SPL-90770 Cumulative raw data size for indexes on the Index Clustering page is not accurate. It uses a division factor of 1000/1000/1000 instead of 1024/1024/1024.
2014-10-28SPL-90409 Removing excess buckets does not remove all the excess buckets and causes "fully searchable" criteria in the UI to fail.
2014-10-28SPL-88434Inaccurate message "Detected possible tampering with this source" may display for valid data.
Pre-6.2SPL-70433Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exists in the /etc/slave-apps, causing this warning.
Pre-6.2SPL-90932WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This cause duplicated events. Do not use this option.
Pre-6.2SPL-77792Different number of events returned for identical buckets on different sites because partial uncompressed slice exists on one peer's bucket but not on others
Pre-6.2SPL-81934For clusters, may be unable to open search results output file for search results in a cluster. Workaround is to write to a temp file and rename to the target file.
Pre-6.2SPL-81913Changing your configuration from multi site to non-multisite can result in unsearchable buckets.
Pre-6.2SPL-81955Multisite peer takes approximately six minutes to restart when site configuration is changed.
Pre-6.2SPL-82386Cluster master with distributed search disabled still dispatches searches to cluster peers.
Pre-6.2SPL-81972, SPL-81963For a multisite cluster, you must roll the peers' hot buckets if you change the values of any of these attributes: site_replication_factor, site_search_factor, or available_sites, and then restart the master. Otherwise, the buckets might not meet the new site_replication_factor or site_search_factor or be fully searchable. You can roll the buckets manually or by issuing a rolling-restart command.
Pre-6.2SPL-82038Cluster-config will not work if the parameter value has spaces in them.
Pre-6.2SPL-77954In clusters, primary copy of bucket is left in weird state with chunk of data not added to journal.gz. This can cause event counts to be off between peers with a common bucket.
Pre-6.2SPL-78797When buckets with a truncated journal.gz appear in a cluster, streaming targets are unable to make the bucket searchable when fsck attempts to rebuild the tsidx and other supporting files.
Pre-6.2SPL-73652Running splunk offline -enforce-counts incorrectly fails to stop the peer and Splunk does not exit.
Pre-6.2SPL-74253Maintenance mode does not carry over across master restarts. To work around this issue, re-initiate maintenance mode after restarting the master.
Pre-6.2SPL-72484, SPL-74103Changing the server name on search head doesn't get reflected in the cluster master's cluster management page.
Pre-6.2SPL-63687Clustering dashboard displays the removed peer list indefinitely.

Data model and Pivot issues

Publication date Defect number Description
Pre-6.2SPL-80285In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions. For more information, see Add lookup files to Splunk.
Pre-6.2SPL-80187In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared. The workaround is to share the definition. For more information, see Add lookup files to Splunk
Pre-6.2SPL-82262Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
Pre-6.2SPL-81645Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
Pre-6.2SPL-81781Data Model Manager: Acceleration Status and Access Count fails to update when you click "Update."
Pre-6.2SPL-82133Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
Pre-6.2SPL-82238Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
Pre-6.2SPL-83686Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
Pre-6.2SPL-81701Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
Pre-6.2SPL-81781In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
Pre-6.2SPL-81856Show all lines does not work in data model editor preview.
Pre-6.2SPL-82164Migrating invalid data models from 6.0 to 6.1 fails.
Pre-6.2SPL-58585In a Cluster, report acceleration and data model acceleration summaries are not replicated, which cause high cpu consumption in case of peer down.
Pre-6.2SPL-77054Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Integrated PDF generation and PDF Report Server issues

Publication date Defect number Description
2015-03-19SPL-85497Unable to save generated PDFs using Chrome internal PDF viewer.

Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, see

Pre-6.2SPL-66213PDF Report Server App doesn't work with latest Xvfb. Workaround is to install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos.
Pre-6.2SPL-58744If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line.
Pre-6.2SPL-67491Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used.
Pre-6.2SPL-67268Not able to export PDF if dashboard has no row or empty row.
Pre-6.2SPL-73798Generating a PDF of scheduled search with quotes in the title results in an error and no search results in the report.
Pre-6.2SPL-73029Heat maps are not printed.

Search, saved search, alerting, scheduling, and job management issues

Publication date Defect number Description
2015-02-02SPL-94792The Patterns tab breaks in implementations that use search head clustering. If you are using search head clustering, the patterns tab can be disabled for any given role by removing the pattern_detect capability from that role.
2014-12-22SPL-94910The replace function does not apply to fields names with an underscore in it. The workaround is to rename the fields to remove the underscores before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-11-13SPL-93039The relevancy search command does not work, always returning 0 or -inf.
2014-10-28SPL-92303Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results.
2014-10-28SPL-91778Dispatch disk usage incorrectly includes temporary CSV result files for large event searches, which can lead to job queueing.
2014-10-28SPL-80966eval function commands() fails search when a search can't be parsed.
2014-10-28SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-10-28SPL-90139[timestamp] does not display in the Patterns tab when searches are run in fast mode.
2014-10-28SPL-88228When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.
2014-10-28SPL-88230Because the Search RSS feed URIs do not include locale, clicking on them will lead to an error page.
2014-10-28SPL-89332Report acceleration summaries do now show in Settings when you have hundreds of reports accelerated.
2014-10-28SPL-79862When creating a tag on a field in an event listing, the tag is added but fails to show in event fields unless it is selected.
2014-10-28SPL-91110Scheduler Search page silently accepts incorrect cron scheduler format. Saved search then runs at an incorrect time.
2014-10-28SPL-90861If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. Not message is displayed, though the information is added to search.log.
Pre-6.2SPL-81103Username surrounded by dollar signs cannot create saved searches.
Pre-6.2SPL-82517Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
Pre-6.2SPL-78612Deleting a dashboard with a scheduled PDF does not also delete the scheduled view.
Pre-6.2SPL-79562Cloned dashboard is not scheduled but "Schedule PDF Delivery" link indicates that the schedule was cloned.
Pre-6.2SPL-83129Eval Function strptime does not return results when 1970 date is used
Pre-6.2SPL-79738, SPL-81136The iconify command fails to render icons in the event viewer.
Pre-6.2SPL-76798The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x
Pre-6.2SPL-67642 reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated.

Splunk Web and Home interface issues

Publication date Defect number Description
2015-01-22SPL-95745In search, when you choose dates in November using the Time & Date Range selector, the end date is shortened by one day after you click Apply. Workaround: Reselect the end date and click Apply.
2014-10-28SPL-92298The URL made for workflow actions does not encode the field values properly. As a result, a field value with special characters in the URL (for example, ampersands) will result in incorrect values being passed.
Pre-6.2SPL-80942Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
Pre-6.2SPL-58476Login screen shows expired license on expiration date before it is expires (i.e. same day).
Pre-6.2SPL-73818Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

Distributed deployment, forwarder, and deployment server issues

Publication date Defect number Description
2015-03-24SPL-98561Issuing splunk reload deploy-server can crash splunkd if serverclass.conf contains whitelist and/or blacklist that is out of sequence number. splunkd_stderr.log will report the appropriate stanza to review. Gap in numbered regexes: expected attribute=whitelist.1 not found (context: stanza='serverClass:myapp')
2014-10-28SPL-91648Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-10-28SPL-91273Splunk instrumentation misidentifies remote scheduled searches as historical searches, which can affect data displayed in the Distributed Management Console.
2014-10-28SPL-89333Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-10-28SPL-85739When running a high number of deployment clients for a server, memory growth may be excessive. To mitigate this, set forceHttp10=true.
Pre-6.2SPL-35700When deploying apps from a Windows deployment server to Unix deployment clients, scripts do not arrive with executable flag set
Pre-6.2SPL-81637Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
Pre-6.2SPL-75764Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
Pre-6.2SPL-82949When you add unsupported attributes to serverclass.conf in Forwarder Management, a blank page is displayed with no error that an unsupported attribute was added. Instead the message displays: FAILED_LOAD_DEPLOYMENT_SERVER.
Pre-6.2SPL-80215Duplicate entries in Forwarder Management for some of the Deployment Clients.
Pre-6.2SPL-28471Splunk Web becomes unreachable if an enabled deployment server in the same instance cannot access DNS.
Pre-6.2SPL-74427The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed search and search head clustering issues

Publication date Defect number Description
2015-01-09SPL-94522Search head cluster caches in-memory jobs, leading to increasing memory growth.

Workaround: Set status_cache_size = 2000 in etc/system/limits.conf.

2014-10-28SPL-89809Updates to $SPLUNK_HOME/var/run/*.csv via outputcsv are not replicated across the cluster.
2014-10-28SPL-89131In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-10-28SPL-91206In a search head cluster with KVStore, removing a member from the cluster does not remove it from the replica set.
2014-10-28SPL-90028Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-10-28SPL-91638For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
2014-10-28SPL-87816 When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.

Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.

2014-10-28SPL-91780 In a search head cluster, saved search artifacts are not available to all search head cluster peers via loadJobs or bringJobs.
2014-10-28SPL-84540 For search head pooling on a cluster master or clustered search_head, editing the cluster-config-mode clears replication_port.

Workaround: rename setting to shp_replication_port.

2014-10-28SPL-97385$SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files
Pre-6.2SPL-86599When using search-head pooling, some email alert configurations from the alert_actions.conf are not applied, if they are in an app on the shared storage. Workaround, copy the configuration on the $SPLUNK_HOME/etc/system/local of each search-heads.
pre-6.2SPL-82244, SPL-90958Unexpected duplicate app: _cluster caused due to password hashing ().
Pre-6.2SPL-71149When a large number (>/=100) of users search concurrently on the same search head, some of them may see an error message about an unknown SID, and receive no results.

Windows-specific issues

Publication date Defect number Description
2015-03-20SPL-95121, SPL-93893Splunk 6.2 installer fails if msi database on the machine is partially corruputed. MSI log will contain the message: GetPreviousSettings: Error: DetermineContextForAllProducts failed witht: 0x65b.
2014-10-28SPL-73981FIPS mode in Win32 may case crash. To mitigate this, never attempt to enable FIPS on Win3.
2014-10-28SPL-60765Delta replication tends to fail on Windows due to file size "differences" caused by Windows-style line endings (\r\n).
Pre-6.2SPL-85389Upgrading of Splunk on Windows to 6.1.4 may throw pop-up “Splunk Installer was unable to set the CALS on the Splunk Files”. ExitCode=’13’ ”, this message can be ignored.
Pre-6.2SPL-80589On Windows Server 2012 and Server 2012 R2, an external bug causes the "% Processor_Time" counter to display 100 for multiple processes, even when the number of available CPU cores precludes that possibility.
Pre-6.2SPL-80630The Windows Network Monitoring input does not work on 32-bit Windows systems.
Pre-6.2MSAPP-2633An issue with Splunk Enterprise 6.1 caused the dashboards and menus in the Splunk App for Windows Infrastructure 1.0.1 update to not render. To fix the problem, download and install version 1.0.2 of the app.
Pre-6.2SPL-78984The 32 bit Windows version of the universal forwarder fails to properly upgrade from non-default location. Note: Installing a 32-bit version of any Splunk software on top of 64-bit version is neither supported nor recommended.
Pre-6.2SPL-83365Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
Pre-6.2SPL-78462Splunk Enterprise on Windows ignores the homePath.maxDataSizeMB and coldPath.maxDataSizeMB attributes in indexes.conf.
Pre-6.2SPL-77126The Registry data input incorrectly handles events with different cases in their paths.
Pre-6.2SPL-82357The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
Pre-6.2SPL-81489Version 6.* of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether or not you disable the WINEVENT_*installation flags.
Pre-6.2SPL-79009, SPL-79421The Splunk Windows universal forwarder does not forward Windows Event Log or performance monitor data to the correct indexer or forwarder group, as defined by the _TCP_ROUTING attribute in the inputs.conf stanza for the input. Other input types forward data properly.
Pre-6.2SPL-75116If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.x instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf.
Pre-6.2SPL-73826The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows.
Pre-6.2SPL-40332Splunk on Windows does not properly update or save lookup tables when it accesses them with a search.
Pre-6.2SPL-74209Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.
Pre-6.2SPL-48342LDAP authentication does not work on Windows over the IPv6 protocol.
Pre-6.2SPL-73818Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

REST, Simple XML, and Advanced XML issues

Publication date Defect number Description
2014-10-28SPL-91211Cascading form inputs that uses an unset condition on a form input causes a continuous loop for the form input values.
2014-10-28SPL-32852Post process may not return expected events if the original job is truncated.
2014-10-28SPL-86226User cannot navigate from a dashboard to a prebuilt panel to fix a simple XML error in the panel.
2014-10-28SPL-91074(Mobile) Submit button does not render when instantiating a form using the client-side parser/factory.
2014-10-28SPL-91996Panel that uses a duplicate ID when referencing a base search silently fails to render.
Pre-6.2SPL-82233, SPL-76824Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event.
Pre-6.2SPL-78179REST /saved/searches App Names With Special Characters Have Invalid Links.
Pre-6.2SPL-66700The warmToColdScript<code> property is not supported by REST API.
Pre-6.2SPL-74151Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
Pre-6.2SPL-66511Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.
Pre-6.2SPL-65124Sorting as "asc" does not work for Dashboard of Panel Type: List.
Pre-6.2SPL-64489, SPL-32852HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events.
Pre-6.2SPL-67453When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

Web Framework issues

Publication date Defect number Description
If you do not set the "value" property when you first create a TimeRange view, you get an error if you try to change "earliest_time" and "latest_time" properties later.

Unsorted issues

Publication date Defect number Description
2014-11-10SPL-92831A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ". The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1).
2014-12-16SPL-93813If you enable FIPS and use the caCertPath setting in server.conf, KV store will not run.
2014-12-12SPL-94017mongod creates up to 65k files in /dev/shm/, using up to 500MB of space. Workaround is to "export MONGOC_DISABLE_SHM=1", or adding it to splunk-launch.conf.
2014-11-24SPL-93577The details per pool on the "License usage manager" view does not handle pools names with spaces in it. Workaround: access the search details and add double quotes around the pool="pool name with spaces" condition.
2014-10-28SPL-91346A user with a <code>non-admin role but edit_user capability can map to the Roles page. User receives a message that there is an error retrieving the configuration, and cannot process the page.
2014-10-28SPL-91709Splunkd timeouts on setting up ES app on Windows.
2014-10-28SPL-88427CronScheduler issues WARN messages on startup that can safely be ignored.
2014-10-28SPL-92162Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
2014-10-28SPL-91396Splunk introspection for CPU time uses metrics that can result in a sum of cpu_systm_pct, cpu_idle_pct, and cpu_user_pct that is greater than 100%.
Pre-6.2SPL-81810License pool warning at license master keeps coming back after deleting it. The workaround is to delete the warnings on the peers first then the License Manager.
Pre-6.2SPL-77139Licenser pool usage gets reflected only after restarting Splunkd.
Pre-6.2SPL-82389server.conf In [httpServer] server stanza, maxThreads/maxSockets do not accept negative numbers.
Pre-6.2SPL-82699SSO: Acceleration icon fails to display in Searches, Reports, and Alerts pages.
Pre-6.2SPL-71645Report acceleration Summary folders (summaryHomePath) cannot be created if the homePath of the index is at the root of the filesystem, (homePath=D:\myindex or homePath=/myindex). The workaround is to create the folder manually.
Pre-6.2SPL-74337You cannot specify a destination folder when installing on OSX.
Pre-6.2SPL-72484Cannot use the CLI to delete an index with a capital letter in its name.
Pre-6.2SPL-68010The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.
Pre-6.2SPL-73636If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day.
Pre-6.2SPL-69304If license slaves are running <6.0 version, they do not have the idx field and in the License Usage view, the split by index field will show a field named UNKNOWN.
Pre-6.2SPL-43791Splunk does not report server status correctly when there is a problem with SSL/TLS configuration.
Pre-6.2SPL-38082BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order.

This documentation applies to the following versions of Splunk: 6.2.2 View the Article History for its revisions.

You must be logged into in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!