Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

Publication date | Defect number | Description
10/28/2014 | | Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure allowed and restricted SSL versions in the Securing Splunk Enterprise manual and the Blog entry: Mitigating the POODLE attack in Splunk.
10/28/2014 | SPL-92435 | Forcing TLS1.2 or TLS1.1 in server.conf with SPLUNK_FIPS does not work.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Publication date | Defect number | Description
10/28/14 | SPL-90648 | When you upgrade a Windows universal forwarder that runs as a domain user from version 6.1.3, the installer changes the service account to the Local System user. To work around the problem, upgrade the forwarder to 6.1.4 first, then upgrade to 6.2.
10/28/14 | SPL-91835 | Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, remove the app before starting an upgrade. Do not restore the app after you upgrade, or the "Forwarded Inputs" section will disappear again.
10/28/14 | SPL-92490 | web.conf setting for updateCheckerBaseURL=0 now displays "Your Browser could not connect to Splunk.com...need to be connected to the Internet to find out when updates to your Splunk software are available". It does not disable Splunk automatic checking for new versions.
Pre-6.2 | SPL-89640 | If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
Pre-6.2 | SPL-75354 | Opening saved searches for editing or running CLI searches is very slow. Workaround: disable fetch_remote_search_log in limits.conf.
Pre-6.2 | SPL-73386 | Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:

1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Publication date | Defect number | Description
10/28/2014 | SPL-88396 | After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI. Workaround: Create a server class, where you can see the client name, and use that group when you add data.
10/28/2014 | SPL-90527 | After gzipping a directory that has previously been indexed, a monitor reindexes the contents of the gzipped directory.
10/28/2014 | SPL-90738 | Monitoring a directory with an unknown sourcetype produces indexing errors.
Pre-6.2 | SPL-79421 | Modular inputs, including perfmon and WinEventLog inputs, are not passing the custom metadata fields (_*, _meta or _TCP_ROUTING).
Pre-6.2 | SPL-83068 | Default-index can be set to random index.
Pre-6.2 | SPL-34347 | WMI input default fields with values that include newlines do not search properly because of a \r\n issue.
Pre-6.2 | SPL-73825, SPL-73826 | Hostname override/Regex on path not working correctly for compressed file inputs on Windows.
Pre-6.2 | SPL-74028 | Running splunk list wmi doesn't show active WMI collections, but splunk cmd btool wmi list does.
Pre-6.2 | SPL-74209 | Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.

Charting, reporting, and visualization issues

Publication date | Defect number | Description
10/28/2014 | SPL-92432 | Chart in dashboard panel does not honor interval settings. Workaround: In the panel XML, specify a larger height to use the correct interval settings.
Pre-6.2 | SPL-79768 | Changing map and tile parameters in the Visualization Editor creates an error in the Console.
Pre-6.2 | SPL-80568 | Highcharts set Y-axis value based on first point outside visible range.
Pre-6.2 | SPL-81538 | When using pivot, stack mode is lost when "Scatter Chart" is selected.
Pre-6.2 | SPL-73846 | New reports are not displayed in the report list until you refresh the window.
Pre-6.2 | SPL-73569 | Pie maps do not have legend labels.

Indexers and indexer clustering issues

Publication date | Defect number | Description
10/28/2014 | SPL-87816 | When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The values in the [clustering] and [shclustering] stanzas override the value in the [general] stanza. Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
10/28/2014 | SPL-90630 | On a multisite cluster, no warning is given when search head names are the same.
10/28/2014 | SPL-83636 | If you first configure a master with default RF/SF and then give the misconfiguration command, you get an error message that is wrong.
10/28/2014 | SPL-91732 | After upgrade to 6.2, search for large data (100k+ count) on a search peer results in incorrect count on search head and master.
10/28/2014 | SPL-91567 | Batch primary jobs are scheduled last. They should be scheduled first.
10/28/2014 | SPL-90983 | In indexing cluster, found a few corrupted buckets from search peer that might affect the report summary getting correct results.
10/28/2014 | SPL-90661 | Taking a peer offline with enforce counts on causes master to remain in fixup mode.
10/28/2014 | SPL-90659 | Configure clusters with large numbers of buckets. For clusters with a large number of buckets (>100k), Splunk recommends changing the service_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.
10/28/2014 | SPL-91861 | On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
10/28/2014 | SPL-86799 | After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
10/28/2014 | SPL-90331 | Multi-site cluster doesn't meet replication factor/search head factor due to bucket issue. Workaround: From the endpoint, add the buckets missing RF/SF to the to_fix list.
10/28/2014 | SPL-84540 | For search head pooling on a cluster master or clustered search_head, editing the cluster-config-mode clears replication_port. Workaround: rename setting to shp_replication_port.
10/28/2014 | SPL-78688 | Peer is able to change to an invalid (empty) replication port.
10/28/2014 | SPL-91432 | On Windows when the master is down, the CLI command splunk offline hangs when run from one of the streaming target peers.
10/28/2014 | SPL-90770 | Cumulative raw data size for indexes on the Index Clustering page is not accurate. It uses a division factor of 1000/1000/1000 instead of 1024/1024/1024.
10/28/2014 | SPL-90409 | Removing excess buckets does not remove all the excess buckets and causes "fully searchable" criteria in the UI to fail.
10/28/2014 | SPL-88434 | Inaccurate message "Detected possible tampering with this source" may display for valid data.
Pre-6.2 | SPL-70433 | Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exist in the /etc/slave-apps, causing this warning.
Pre-6.2 | SPL-90932 | WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This causes duplicated events. Do not use this option.
Pre-6.2 | SPL-77792 | Different number of events returned for identical buckets on different sites because partial uncompressed slice exists on one peer's bucket but not on others.
Pre-6.2 | SPL-81934 | For clusters, may be unable to open search results output file for search results in a cluster. Workaround is to write to a temp file and rename to the target file.
Pre-6.2 | SPL-81913 | Changing your configuration from multi site to non-multisite can result in unsearchable buckets.
Pre-6.2 | SPL-81955 | Multisite peer takes approximately six minutes to restart when site configuration is changed.
Pre-6.2 | SPL-82386 | Cluster master with distributed search disabled still dispatches searches to cluster peers.
Pre-6.2 | SPL-81972, SPL-81963 | For a multisite cluster, you must roll the peers' hot buckets if you change the values of any of these attributes: site_replication_factor, site_search_factor, or available_sites, and then restart the master. Otherwise, the buckets might not meet the new site_replication_factor or site_search_factor or be fully searchable. You can roll the buckets manually or by issuing a rolling-restart command.
Pre-6.2 | SPL-82038 | Cluster-config will not work if the parameter value has spaces in it.
Pre-6.2 | SPL-77954 | In clusters, primary copy of bucket is left in weird state with chunk of data not added to journal.gz. This can cause event counts to be off between peers with a common bucket.
Pre-6.2 | SPL-78797 | When buckets with a truncated journal.gz appear in a cluster, streaming targets are unable to make the bucket searchable when fsck attempts to rebuild the tsidx and other supporting files.
Pre-6.2 | SPL-73652 | Running splunk offline -enforce-counts incorrectly fails to stop the peer and Splunk does not exit.
Pre-6.2 | SPL-82244 | Unexpected duplicate app: _cluster caused due to password hashing.
Pre-6.2 | SPL-74253 | Maintenance mode does not carry over across master restarts. To work around this issue, re-initiate maintenance mode after restarting the master.
Pre-6.2 | SPL-72484, SPL-74103 | Changing the server name on search head doesn't get reflected in the cluster master's cluster management page.
Pre-6.2 | SPL-74001 | Running splunk remove excess-buckets does not remove excess hot buckets.
Pre-6.2 | SPL-63687 | Clustering dashboard displays the removed peer list indefinitely.
Pre-6.2 | SPL-52901 | Disabling clustering on a peer node and then attempting to re-enable it later causes hot buckets to be handled incorrectly, with the consequence that the peer cannot be added back into the cluster. This scenario occurs when you take an existing peer node and disable clustering on it (turning it into a standalone indexer), and then you subsequently re-enable clustering to turn it back into a peer on its original cluster. In this situation, any hot buckets that were created on the peer but not rolled when clustering was still enabled, will get rolled after you disable clustering and restart the indexer. At that point, they get marked as standalone buckets, since the indexer is no longer a peer. Those buckets, however, also exist on the remaining cluster as replicated buckets, since they were streamed to other peers while the indexer in question was still a peer. If you then re-enable clustering on the peer and restart it, the bucket conflict causes the peer to fail to register with the master.

Data model and Pivot issues

Publication date | Defect number | Description
Pre-6.2 | SPL-80285 | In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions. For more information, see Add lookup files to Splunk.
Pre-6.2 | SPL-80187 | In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared. The workaround is to share the definition. For more information, see Add lookup files to Splunk.
Pre-6.2 | SPL-82262 | Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
Pre-6.2 | SPL-81645 | Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
Pre-6.2 | SPL-81781 | Data Model Manager: Acceleration Status and Access Count fails to update when you click "Update."
Pre-6.2 | SPL-82133 | Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
Pre-6.2 | SPL-82238 | Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
Pre-6.2 | SPL-83686 | Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
Pre-6.2 | SPL-81701 | Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
Pre-6.2 | SPL-81781 | In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
Pre-6.2 | SPL-81856 | Show all lines does not work in data model editor preview.
Pre-6.2 | SPL-82164 | Migrating invalid data models from 6.0 to 6.1 fails.
Pre-6.2 | SPL-77054 | Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Integrated PDF generation and PDF Report Server issues

Publication date | Defect number | Description
Pre-6.2 | SPL-66213 | PDF Report Server App doesn't work with latest Xvfb. Workaround is to install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos.
Pre-6.2 | SPL-73938 | PDF Report Server App: Printing PDF on debug/pdf page is broken.
Pre-6.2 | SPL-58744 | If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line.
Pre-6.2 | SPL-67491 | Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used.
Pre-6.2 | SPL-67268 | Not able to export PDF if dashboard has no row or empty row.
Pre-6.2 | SPL-73798 | Generating a PDF of scheduled search with quotes in the title results in an error and no search results in the report.
Pre-6.2 | SPL-73029 | Heat maps are not printed.

Search, saved search, alerting, scheduling, and job management issues

Publication date | Defect number | Description
10/28/2014 | SPL-92303 | Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results.
10/28/2014 | SPL-91778 | Dispatch disk usage incorrectly includes temporary CSV result files for large event searches, which can lead to job queueing.
10/28/2014 | SPL-80966 | eval function commands() fails search when a search can't be parsed.
10/28/2014 | SPL-87015 | chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
10/28/2014 | SPL-90139 | [timestamp] does not display in the Patterns tab when searches are run in fast mode.
10/28/2014 | SPL-88228 | When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.
10/28/2014 | SPL-88230 | Because the Search RSS feed URIs do not include locale, clicking on them will lead to an error page.
10/28/2014 | SPL-89332 | Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated.
10/28/2014 | SPL-79862 | When creating a tag on a field in an event listing, the tag is added but fails to show in event fields unless it is selected.
10/28/2014 | SPL-91110 | Scheduler Search page silently accepts incorrect cron scheduler format. Saved search then runs at an incorrect time.
10/28/2014 | SPL-90861 | If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log.
Pre-6.2 | SPL-81103 | Username surrounded by dollar signs cannot create saved searches.
Pre-6.2 | SPL-82517 | Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
Pre-6.2 | SPL-78612 | Deleting a dashboard with a scheduled PDF does not also delete the scheduled view.
Pre-6.2 | SPL-79562 | Cloned dashboard is not scheduled but "Schedule PDF Delivery" link indicates that the schedule was cloned.
Pre-6.2 | SPL-83129 | Eval Function strptime does not return results when 1970 date is used.
Pre-6.2 | SPL-79738, SPL-81136 | The iconify command fails to render icons in the event viewer.
Pre-6.2 | SPL-76798 | The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x.
Pre-6.2 | SPL-67642 | reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated.

Splunk Web and Home interface issues

Publication date | Defect number | Description
10/28/14 | SPL-92298 | The URL made for workflow actions does not encode the field values properly. As a result, a field value with special characters in the URL (for example, ampersands) will result in incorrect values being passed.
Pre-6.1.5 | SPL-86219 | Too many custom timeranges in the UI can cause the default ranges to not be displayed in the droplist.
Pre-6.2 | SPL-80942 | Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
Pre-6.2 | SPL-58476 | Login screen shows expired license on expiration date before it expires (i.e. same day).
Pre-6.2 | SPL-82581 | Admin user cannot check other's private alert result.
Pre-6.2 | SPL-73818 | Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

Distributed deployment, forwarder, and deployment server issues

Publication date | Defect number | Description
10/28/2014 | SPL-89333 | Using client filtering in forwarder management interface when the deployment server is servicing a large number of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
10/28/2014 | SPL-91273 | Splunk instrumentation misidentifies remote scheduled searches as historical searches, which can affect data displayed in the Distributed Management Console.
10/28/2014 | SPL-91648 | Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
10/28/2014 | SPL-85739 | When running a high number of deployment clients for a server, memory growth may be excessive. To mitigate this, set forceHttp10=true.
Pre-6.2 | SPL-35700 | When deploying apps from a Windows deployment server to Unix deployment clients, scripts do not arrive with executable flag set.
Pre-6.2 | SPL-81637 | Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
Pre-6.2 | SPL-75764 | Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
Pre-6.2 | SPL-82949 | When you add unsupported attributes to serverclass.conf in Forwarder Management, a blank page is displayed with no error that an unsupported attribute was added. Instead the message displays: FAILED_LOAD_DEPLOYMENT_SERVER.
Pre-6.2 | SPL-80215 | Duplicate entries in Forwarder Management for some of the Deployment Clients.
Pre-6.2 | SPL-28471 | Splunk Web becomes unreachable if an enabled deployment server in the same instance cannot access DNS.
Pre-6.2 | SPL-74427 | The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed search and search head clustering issues

Publication date | Defect number | Description
10/28/2014 | SPL-89809 | Updates to $SPLUNK_HOME/var/run/*.csv via outputcsv are not replicated across the cluster.
10/28/2014 | SPL-89131 | In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
10/28/2014 | SPL-91206 | In a search head cluster with KVStore, removing a member from the cluster does not remove it from the replica set.
10/28/2014 | SPL-90028 | Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
10/28/2014 | SPL-91638 | For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
10/28/2014 | SPL-87816 | When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The values in the [clustering] and [shclustering] stanzas override the value in the [general] stanza. Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
10/28/2014 | SPL-91780 | In a search head cluster, saved search artifacts are not available to all search head cluster peers via loadJobs or bringJobs.
10/28/2014 | SPL-84540 | For search head pooling on a cluster master or clustered search_head, editing the cluster-config-mode clears replication_port. Workaround: rename setting to shp_replication_port.
Pre-6.2 | SPL-86599 | When using search-head pooling, some email alert configurations from the alert_actions.conf are not applied, if they are in an app on the shared storage. Workaround: copy the configuration to $SPLUNK_HOME/etc/system/local on each search head.
Pre-6.2 | SPL-71149 | When a large number (>=100) of users search concurrently on the same search head, some of them may see an error message about an unknown SID, and receive no results.

Windows-specific issues

Publication date | Defect number | Description
10/28/2014 | SPL-73981 | FIPS mode in Win32 may cause a crash. To mitigate this, never attempt to enable FIPS on Win32.
10/28/2014 | SPL-60765 | Delta replication tends to fail on Windows due to file size "differences" caused by Windows-style line endings (\r\n).
Pre-6.2 | SPL-85389 | Upgrading of Splunk on Windows to 6.1.4 may throw the pop-up "Splunk Installer was unable to set the CALS on the Splunk Files". ExitCode='13'. This message can be ignored.
Pre-6.2 | SPL-90932 | WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This causes duplicated events. Do not use this option.
Pre-6.2 | SPL-80589 | On Windows Server 2012 and Server 2012 R2, an external bug causes the "% Processor_Time" counter to display 100 for multiple processes, even when the number of available CPU cores precludes that possibility.
Pre-6.2 | SPL-80630 | The Windows Network Monitoring input does not work on 32-bit Windows systems.
Pre-6.2 | SPL-83043 | Installation of Windows Universal Forwarder 6.0 or later version under Windows 2003 32-bit can fail with "Splunk Installer was unable to launch Splunk's First Time Run. Error Code 1" or "Splunk Installer was unable to launch Splunk's Pre Flight Checks. Error Code: -1073741795". Workaround: install earlier Windows UF 5.0.8.
Pre-6.2 | MSAPP-2633 | An issue with Splunk Enterprise 6.1 caused the dashboards and menus in the Splunk App for Windows Infrastructure 1.0.1 update to not render. To fix the problem, download and install version 1.0.2 of the app.
Pre-6.2 | SPL-78984 | The 32 bit Windows version of the universal forwarder fails to properly upgrade from non-default location. Note: Installing a 32-bit version of any Splunk software on top of 64-bit version is neither supported nor recommended.
Pre-6.2 | SPL-83365 | Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
Pre-6.2 | SPL-78462 | Splunk Enterprise on Windows ignores the homePath.maxDataSizeMB and coldPath.maxDataSizeMB attributes in indexes.conf.
Pre-6.2 | SPL-77126 | The Registry data input incorrectly handles events with different cases in their paths.
Pre-6.2 | SPL-82357 | The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
Pre-6.2 | SPL-81489 | Version 6.* of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether or not you disable the WINEVENT_* installation flags.
Pre-6.2 | SPL-79009, SPL-79421 | The Splunk Windows universal forwarder does not forward Windows Event Log or performance monitor data to the correct indexer or forwarder group, as defined by the _TCP_ROUTING attribute in the inputs.conf stanza for the input. Other input types forward data properly.
Pre-6.2 | SPL-75116 | If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.x instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf.
Pre-6.2 | SPL-73826 | The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows.
Pre-6.2 | SPL-40332 | Splunk on Windows does not properly update or save lookup tables when it accesses them with a search.
Pre-6.2 | SPL-74209 | Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.
Pre-6.2 | SPL-48342 | LDAP authentication does not work on Windows over the IPv6 protocol.
Pre-6.2 | SPL-73818 | Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

REST, Simple XML, and Advanced XML issues

Publication date | Defect number | Description
10/28/14 | SPL-91211 | Cascading form inputs that use an unset condition on a form input cause a continuous loop for the form input values.
10/28/14 | SPL-32852 | Post process may not return expected events if the original job is truncated.
10/28/14 | SPL-91711 | Failure with Schedule PDF for a panel with a search containing a table or other transforming commands. Returns "No matching events found."
10/28/14 | SPL-86226 | User cannot navigate from a dashboard to a prebuilt panel to fix a simple XML error in the panel.
10/28/14 | SPL-91074 | (Mobile) Submit button does not render when instantiating a form using the client-side parser/factory.
10/28/14 | SPL-91996 | Panel that uses a duplicate ID when referencing a base search silently fails to render.
Pre-6.2 | SPL-82636 | Not able to use "Edit Source" menu from Dashboard list.
Pre-6.2 | SPL-82233, SPL-76824 | Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event.
Pre-6.2 | SPL-78179 | REST /saved/searches App Names With Special Characters Have Invalid Links.
Pre-6.2 | SPL-66700 | The warmToColdScript property is not supported by REST API.
Pre-6.2 | SPL-74151 | Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
Pre-6.2 | SPL-66511 | Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.
Pre-6.2 | SPL-65124 | Sorting as "asc" does not work for Dashboard of Panel Type: List.
Pre-6.2 | SPL-64489, SPL-32852 | HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events.
Pre-6.2 | SPL-67453 | When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives: <dashboard><foo></dashboard>.

Web Framework issues

Publication date | Defect number | Description
Pre-6.2 | | If you do not set the "value" property when you first create a TimeRange view, you get an error if you try to change "earliest_time" and "latest_time" properties later.

This is a known issue on Windows starting in Ace (when delta replication was introduced), all the way up to the current day. Delta replication tends to fail on Windows because we get a bit confused by file size "differences" caused by Windows-style line endings (\r\n). Bundle replication still works, as we fall back to "full" baseline replications. splunkd.log can get pretty polluted by these warnings, though.

Unsorted issues

Publication date | Defect number | Description
10/28/2014 | SPL-91346 | A user with a non-admin role but edit_user capability can map to the Roles page. User receives a message that there is an error retrieving the configuration, and cannot process the page.
10/28/2014 | SPL-91709 | Splunkd timeouts on setting up ES app on Windows.
10/28/2014 | SPL-88427 | CronScheduler issues WARN messages on startup that can safely be ignored.
10/28/2014 | SPL-92162 | Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
10/28/2014 | SPL-91396 | Splunk introspection for CPU time uses metrics that can result in a sum of cpu_systm_pct, cpu_idle_pct, and cpu_user_pct that is greater than 100%.
Pre-6.2 | SPL-85036 | roleMap's attributes are removed in $SPLUNK_HOME/etc/system/local/authentication.conf by command "splunk reload auth" or restarting Splunk when bindDNpassword is empty. A workaround is to use an app's local directory instead of $SPLUNK_HOME/etc/system/local.
Pre-6.2 | SPL-81810 | License pool warning at license master keeps coming back after deleting it. The workaround is to delete the warnings on the peers first then the License Manager.
Pre-6.2 | SPL-77139 | Licenser pool usage gets reflected only after restarting Splunkd.
Pre-6.2 | SPL-82389 | server.conf: In the [httpServer] server stanza, maxThreads/maxSockets do not accept negative numbers.
Pre-6.2 | SPL-80918 | Datapreview: endpoint doesn't allow for deleting sourcetype properties.
Pre-6.2 | SPL-82699 | SSO: Acceleration icon fails to display in Searches, Reports, and Alerts pages.
Pre-6.2 | SPL-71645 | Report acceleration Summary folders (summaryHomePath) cannot be created if the homePath of the index is at the root of the filesystem (homePath=D:\myindex or homePath=/myindex). The workaround is to create the folder manually.
Pre-6.2 | SPL-74337 | You cannot specify a destination folder when installing on OSX.
Pre-6.2 | SPL-72484 | Cannot use the CLI to delete an index with a capital letter in its name.
Pre-6.2 | SPL-68010 | The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.
Pre-6.2 | SPL-73636 | If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day.
Pre-6.2 | SPL-69304 | If license slaves are running <6.0 version, they do not have the idx field and in the License Usage view, the split by index field will show a field named UNKNOWN.
Pre-6.2 | SPL-43791 | Splunk does not report server status correctly when there is a problem with SSL/TLS configuration.
Pre-6.2 | SPL-38082 | BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order.

This documentation applies to the following versions of Splunk: 6.2.0

