Splunk® Enterprise

Release Notes

Download manual as PDF

Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Data input issues

Date filed Issue number Description
2015-11-12 SPL-109362 When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage
2015-05-22 SPL-101981 Field extractions do not work when sourcetypes use quotes in the Getting Data In interface.
2015-03-17 SPL-98163 INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL
Workaround: Create a separate extraction in props.conf where defined w3c extraction method:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

2014-03-10 SPL-81637 Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
2013-10-29 SPL-75764 Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza
Workaround: Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.
2013-09-10 SPL-74209, SPL-74167 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >).
Workaround: Specify the persistentQueue explicitly in the input definition.

Search issues

Date filed Issue number Description
2016-03-31 SPL-116930, SPL-111939 The report "save as report" and "edit search" dialogs allow to accelerate a search that uses macros, eventtypes or tags even though we do not fully support that
2016-03-17 SPL-116082 Release Note - user-specific commands will be ignored after upgrade to Galaxy
2016-01-07 SPL-111939, SPL-116929, SPL-116931, SPL-116930 The report "save as report" and "edit search" dialogs allow to accelerate a search that uses macros, eventtypes or tags even though we do not fully support that
2016-01-06 SPL-111800 A backslash preceding a whitespace causes a DELIM-based field extraction to not consider the whitespace as a valid delimiter.
Workaround: The workaround is to use a REGEX.
2015-06-17 SPL-103247 Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted.
2015-04-03 SPL-99110 Distributed search fails intermittently to a subset of peers with an unhelpful "Unknown error".
Workaround: To work around this, edit /etc/sysctl.conf to modify the following lines:

net.core.rmem_max = 134217728 net.core.wmem_max = 134217728 net.ipv4.tcp_rmem = 16384 87380 67108864 net.ipv4.tcp_wmem = 16384 87380 67108864 Restart splunkd. Repeat above steps for SH and the Indexer. Run sysctl -p for changes to take effect. Sometimes sysctl -p may not work due to caching and rebooting is a better option. Restart indexer.

2014-12-22 SPL-94910 The replace function does not apply to fields names with an underscore in them.
Workaround: Rename the fields before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-11-13 SPL-93039 |relevancy command does not work.
2014-10-22 SPL-92303 Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results.
2014-10-02 SPL-91638, SPL-107375 For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
2014-09-15 SPL-90861, SPL-90396, SPL-90886 If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log.
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used.
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-03-27 SPL-82357 The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
2014-03-15 SPL-81934 For clusters, may be unable to open search results output file for search results in a cluster.
Workaround: Write to a temp file and rename to the target file.
2014-02-21 SPL-80942 Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
2013-12-18 SPL-78179 REST /saved/searches App names with special characters have invalid links.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search
Workaround: 1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

2010-07-21 SPL-32852 HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events.

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2016-09-23 SPL-129285 The search scheduler (SavedSplunker) has severe scaling problems with high user count and external auth systems (SAML & LDAP)
2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice.
2015-10-07 SPL-107585 Summary-generating search can become stuck in infinite loop when processing large multi-line events.
2015-04-09 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2
Workaround: Reduce length of name of the app and report acceleration searches will run properly within the context of the app.
2014-08-15 SPL-89332 Report acceleration summaries do now show in Settings when you have hundreds of reports accelerated.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI
Workaround: Create a server class, where you can see the client name, and use that group when you add data.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.
Workaround: The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-10 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Charting, reporting, and visualization issues

Date filed Issue number Description
2016-07-27 SPL-125123 The dashboard parser throws an error when non-integer value is used for the <sampleRatio> option
2016-04-26 SPL-118856, SPL-115970 Number of values returned to a sparkline for a 7-day range search does not have enough granularity
2016-03-16 SPL-115970, SPL-114823, SPL-118852, SPL-118857, SPL-118856 Number of values returned to a sparkline for a 7-day range search does not have enough granularity
2015-03-31 SPL-98890 Maps printed from Report page do not honor custom zoom and center.
2015-02-23 SPL-97193 The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string.
2014-10-24 SPL-92432, SPL-99583 Chart in dashboard panel does not honor interval settings.
Workaround: In the panel XML, specify a larger height to use the correct interval settings.
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range.
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range.
2014-01-03 SPL-78612 Deleting a dashboard with a scheduled PDF does not also delete the scheduled view.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza
Workaround: Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.
2013-08-22 SPL-73569 Pie maps do not have legend labels.
2010-07-21 SPL-32852 HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events.

Data model and pivot issues

Date filed Issue number Description
2014-12-08 SPL-94047, SPL-98628 While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.
Workaround: The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.
Workaround: The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-11 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
2014-03-10 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
2014-03-07 SPL-81538 When using Pivot, stack mode is lost when "Scatter Chart" is selected.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Indexer and indexer clustering issues

Date filed Issue number Description
2016-08-25 SPL-127353 Data rebalance finishes early when one peer is the source for all buckets
Workaround: when only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time
2016-07-14 SPL-124243 indexer cluster data rebalance does not balance primary copies by index
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs
2015-05-11 SPL-101289 When the number of indexing pipeline sets is greater than four, indexing throughput decreases.
2015-05-08 SPL-101184 Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer.
2015-05-06 SPL-100980 Single indexer does not scale when receiving parsed data from multiple PipelineSets.
2015-05-04 SPL-100792 There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals.
Workaround: Searches that key off these lines need to select their desired name=x category in order to see a single thruput value.
2015-03-26 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id.
Workaround: The workaround is to remove the duplicated bucket.
2014-10-13 SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-09-29 SPL-91432 On Windows when the master is down, the CLI command splunk offlinehangs when run from one of the streaming target peers.
2014-09-08 SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-08-29 SPL-90331 Multi-site indexer cluster doesn't meet replication factor/search head factor due to bucket issue.
Workaround: From the endpoint, add the buckets missing RF/SF to the to_fix list.

endpoint: https://[host]:[port]/services/cluster/master/buckets/{bucket_id}/fix

2014-07-29 SPL-87816 When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza.
Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
2014-07-14 SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-04-29 SPL-83636 If you first configure a master with default RF/SF and then give the misconfiguration command, you get an error message that is wrong.
2014-04-17 SPL-83169 on Windows, if peers' Windows explorer not closed for long enough time, adding a new index still requres a peer restart, not reload
2014-04-14 SPL-83068 Default index can be set to random index.
2014-03-18 SPL-82038 Cluster-config will not work if the parameter value has spaces in them.
2014-03-17 SPL-81955 Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed.
2014-03-14 SPL-81913 Changing your configuration from multi site to non-multisite can result in unsearchable buckets.
2014-01-31 SPL-79842 Indexer doesn't accept new connections on splunktcpin port after queue blockage is resolved
2014-01-06 SPL-78688 Peer is able to change to an invalid (empty) replication port
2013-08-28 SPL-73826 Windows: hostname override not working properly
2013-08-06 SPL-72484 You cannot use the CLI to delete an index with a capital letter in its name.
2013-07-25 SPL-71645 Report acceleration Summary folders (summaryHomePath) cannot be created if thehomePath of the index is at the root of the filesystem, (homePath=D:\myindex orhomePath=/myindex).
Workaround: Create the folder manually.
2013-07-03 SPL-70433 Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps.
2010-10-08 SPL-34347 wmi input default fields - with value including newlines doesn't search properly becasue of \r\n issue

Distributed search and search head clustering issues

Date filed Issue number Description
2016-07-17 SPL-124443 Incorrect user level concurrent search calculation causes user searches to be skipped
2016-06-22 SPL-123305, SPL-123479, SPL-123375 loadjob not working - statusCode=403, Forbidden
2016-06-13 SPL-122602, SPL-128604, SPL-128605 Memory leak triggered by reloading splunkd SSL servers without restarting the process.
Workaround: Two options:

1. Update db_connect app. 2. Add the following to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/server.conf:

[shclustering] conf_replication_include.inputs = false

2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice.
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-02-26 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files.
Workaround: The allowable size of the download can be increased by setting the following in server.conf.

[httpServer] max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is:

[Endpoint - Local Processes Tracker - Lookup Gen]

2014-08-25 SPL-90028 Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-08-14 SPL-89131 In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-08-02 SPL-88228 When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.

Universal forwarder issues

Date filed Issue number Description
2016-06-16 SPL-122917, SPL-119172 ERROR AuditTrailManager - Private key error Error opening private.pem: The system cannot find the path specified.
Workaround: This message should be benign, particularly on a forwarder.

If you need them for signedAudit=true stanzas in inputs.conf, create the audit keys: splunk createssl audit-keys

  • OR*

if you don't need to sign any events, emove the [auditTrail] stanza from $SPLUNK_HOME/etc/system/default/audit.conf.

2015-04-14 SPL-99687 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.
Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day
Workaround: In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2014-10-22 SPL-92303 Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI
Workaround: Create a server class, where you can see the client name, and use that group when you add data.
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.
Workaround: To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2014-10-02 SPL-91648, SPL-91358 Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-08-15 SPL-89333 Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-06-20 SPL-85739 When running a high number of deployment clients for a server, memory growth may be excessive.
Workaround: To mitigate this, set forceHttp10=always.

Data Management Console Issues

Date filed Issue number Description
2016-08-01 SPL-125461 When creating a new index from an app context, the current app is not selected in the app dropdown on new index page
2014-10-26 SPL-92435, SPL-126295 Forcing TLS 1.1 or TLS1.2 with FIPS mode ON does not work
2014-04-07 SPL-82699 SSO: Acceleration icon fails to display in Searches, Reports, and Alerts page.

Splunk Web and interface issues

Date filed Issue number Description
2016-04-06 SPL-117217, SPL-117137 When using appServerPorts = 0 and SSL Splunkweb will not start in 6.4.0
Workaround: Set Template:AppServerPorts to its default value of 8065 (or to any other non-zero value).
2016-03-31 SPL-116930, SPL-111939 The report "save as report" and "edit search" dialogs allow to accelerate a search that uses macros, eventtypes or tags even though we do not fully support that
2016-03-22 SPL-116263, SPL-116110 German dropdowns for Alert Expiration have incorrect wording
Workaround: 1. Take backup of messages.mo and messages.po in:

/Applications/Splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/locale/de_DE/LC_MESSAGES/

2. In file "messages.po" search for :

Nach 2 Stunden Nach 7 Stunden

And replace with:

Nach 2 Tagen Nach 7 Tagen

3. Recompile messages.po file into a new messages.mo (can use http://po2mo.net/. NOTE this is just a test, do not know what else this site adds to the .mo file).

4. Copy the new messages.mo into :

/Applications/Splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/locale/de_DE/LC_MESSAGES/

6. restart splunk.

Now dropdown appears with correct translation

2016-01-07 SPL-111939, SPL-116929, SPL-116931, SPL-116930 The report "save as report" and "edit search" dialogs allow to accelerate a search that uses macros, eventtypes or tags even though we do not fully support that
2015-11-09 SPL-109165 Interactive Field Extractor hangs when using "^" as delimiter.
Workaround: Use props and transforms to specify the delimiter of your choice.
2015-11-09 SPL-109165 Interactive Field Extractor hangs when using "^" as delimiter.
Workaround: Use props and transforms to specify the delimiter of your choice.
2015-06-30 SPL-103701 Actions links should be removed for "Apps Browser"
2015-04-24 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml)
Workaround: Workaround is to use label attribute for collection element.

<collection label="Others">

           <view source="unclassified" match="Dashboard"/>
     </collection>  
2014-07-16 SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-02-26 SPL-81103 Username surrounded by dollar signs cannot create saved searches.
2013-11-20 SPL-76798 Time range picker is not customizable via times.conf the same as version 5 or as suggested by docs.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search
Workaround: 1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Windows-specific issues

Date filed Issue number Description
2015-04-14 SPL-99687 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.
Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-01 SPL-98978 On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time.
Workaround: To fix the problem, restart Windows on the forwarder.


2014-09-25 SPL-91279 Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles.
Workaround: See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza
Workaround: Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.

Rest, Simple XML, and Advanced XML issues

Date filed Issue number Description
2013-05-15 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard><foo></dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

Authentication and Authorization issues

For a list of security issues, please see the Security Advisory. A list of all recent advisories can be found in the Security Portal.

Date filed Issue number Description
2016-07-26 SPL-125052 Sole Admin can demote his/herself to Power without path of recovery in GUI
Workaround: Through the command line, you can open notepad and modify the password file to regain 'Admin' status.
2016-05-02 SPL-119333 SSO setup should not let the user to configure Duo2FA
2016-04-25 SPL-118713 SAML and SSO should be mutually exclusive
2015-11-13 SPL-109427 LDAP SSL no longer working in Splunk 6.3 (and later) for Windows 2003
Workaround:

The workaround is to 1) obtain Ciphers configured on Windows AD 2003 server. 2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it. The following is a working TLS_CIPHER_SUITE for one of the customers: {noformat} TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5 {noformat}

2012-02-22 SPL-48342 LDAP strategy host field cannot work with ipv6 format address but computer name is okay

PDF issues

Date filed Issue number Description
2015-03-31 SPL-98890 Maps printed from Report page do not honor custom zoom and center.
2014-06-16 SPL-85497 Unable to save generated PDFs using Chrome internal PDF viewer.
Workaround: Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, seehttps://support.google.com/chrome/answer/142056.


2013-05-16 SPL-67491 PDF report: Events format settings like List, Table, MaxLines, and Wrapping don't apply to PDF report
2012-11-26 SPL-58744 Area chart is not filled if the points are unconnected

Admin and CLI issues

Date filed Issue number Description
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-03-11 SPL-97942 Capability defined in an app does not take affect when assigned to a role.
Workaround: The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:

[search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table

2013-05-02 SPL-66511 If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.

Unsorted issues

Date filed Issue number Description
2015-06-18 SPL-103302 Files ownership are failed to be changed when using debian package to install splunk and $SPLUNK_HOME is a symlink
Workaround: Run a recursive chown from the command line on $SPLUNK_HOME manually, post install.
2015-06-01 SPL-102362 Dynamic indexer discovery only supports one input.
2015-05-24 SPL-102008 On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference.
2015-03-25 SPL-98594 Routing events to two different groups not working as expected.
Workaround: 1 On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups.

2 Setup a proxy UF which takes input from the original UF and send input out syslog server. This solution only requires config change and no patch release is required.

2014-11-10 SPL-92831 A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ."
Workaround: The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1).


2014-10-17 SPL-92162 Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
2014-08-20 SPL-89640 When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restart.
Workaround: Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
2014-04-22 SPL-83365 Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
2014-03-12 SPL-81810 Licensing - license pool warning at license master keeps coming back after deleting it.
Workaround: Delete the warnings on the peers first, then the License Manager.
2013-11-27 SPL-77139 Licenser pool usage gets reflected only after restarting splunkd.
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.
Workaround: To work around this issue, create a splunk user on your system before attempting to run the installer.
2013-06-13 SPL-69304 If license slaves are running <6.0 version, they do not have the idx field and in theLicense Usage view, the split by index field will show a field named UNKNOWN.
2013-05-25 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.

Uncategorized issues

Date filed Issue number Description
2016-09-27 SPL-129362 Syntax highlighting and other search IDE features fail to work with free license
2016-09-07 SPL-128260 Instrumentation: Opt-in modal not appear when login through proxy/sso
Workaround: Users can opt-in by visiting Settings->Instrumentation page
2016-08-31 SPL-127800 opting in to data sharing on a monitoring console produces duplicate data
2016-03-18 SPL-116110, SPL-116264, SPL-116261, SPL-116263 German dropdowns for Alert Expiration have incorrect wording
Workaround: 1. Take backup of messages.mo and messages.po in:

/Applications/Splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/locale/de_DE/LC_MESSAGES/

2. In file "messages.po" search for :

Nach 2 Stunden Nach 7 Stunden

And replace with:

Nach 2 Tagen Nach 7 Tagen

3. Recompile messages.po file into a new messages.mo (can use http://po2mo.net/. NOTE this is just a test, do not know what else this site adds to the .mo file).

4. Copy the new messages.mo into :

/Applications/Splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/locale/de_DE/LC_MESSAGES/

6. restart splunk.

Now dropdown appears with correct translation

2015-10-07 SPL-107606 Inconsistency between summary and datamodel_summary files.
2015-06-10 SPL-103010 Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets.
2015-02-26 SPL-97389 When using timechart command, the embedded report shows different time format than the original report.
2015-01-08 SPL-95144, SPL-101986, SPL-101987, SPL-106884, SPL-107317 Indexed message for Windows security event logs shows "FormatMessage error"
Workaround: Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.
2014-10-31 SPL-92596 After upgrade from Splunk Enterprise 6.1 or earlier to 6.4.x on Windows, splunkweb service does not start automatically. Attempts to start it manually show "Error 1053: The service did not respond to the start or control request in a timely fashion."
Workaround: This is expected behavior. See the Splunk Answers post: http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html
2014-09-11 SPL-90738 Monitoring a directory with an unknown sourcetype produces indexing errors.
2014-08-26 SPL-90139 <timestamp> does not display in the Patterns tab when searches are run in fast mode.
2014-04-01 SPL-82517 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
2014-03-23 SPL-82238 Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
2014-03-13 SPL-81856 Show all lines does not work in data model editor preview.
2014-03-12 SPL-81781 In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
2014-02-07 SPL-80285 In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions.
Workaround: For more information, see Add lookup files to Splunk.
2014-02-06 SPL-80187 In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared.
Workaround: Share the definition. For more information, see Add lookup files to Splunk.
2013-09-13 SPL-74337, BETA-496 You cannot specify a destination folder when installing on OSX.
2013-04-30 SPL-66213 PDF server app is not working with latest Xvfb
PREVIOUS
Welcome to Splunk Enterprise 6.5
  NEXT
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters