Release Notes

 


Known issues

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues:

  • Splunk indexing and search performance can be reduced significantly on *nix and Linux systems that have Transparent Huge Pages (THP) memory management enabled. For a detailed explanation, read "Splunk and Transparent Huge Pages" in this manual. (SPL-75912)
  • Simple XML dashboards can be significantly longer to load on a pooled search-head in Splunk 6. A work-around is available upon request to Splunk Support. (SPL-80944)

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "About upgrading to 6.0 READ THIS FIRST" in the Installation Manual.

  • Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:
1. Create a special power/admin user who can run scheduled searches.
2. Assign this user ownership of the scheduled searches .
3. Share the searches at the app level and grant read/write permission to the correct set of users. (SPL-73386)
  • Bundle replication fails when serverName or search head pool GUID has a final segment containing only digits. This can affect users upgrading from pre 6.0.x versions of Splunk. (SPL-73797)
  • Opening saved searches for editing or running CLI searches are very slow. Workaround: disable fetch_remote_search_log in limits.conf. (SPL-75354, SPL-75647)

Data input issues

  • Splunk does not correctly determine the source type for Internet Information Server (IIS) version 7 or later automatically. To work around this issue, explicitly specify the IIS source type when defining your IIS input. (SPL-73756)
  • Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition. (SPL-74209)
  • Running splunk list wmi doesn't show active WMI collections, but splunk cmd btool wmi list does. (SPL-74028)
  • Hostname override/Regex on path not working correctly for compressed file inputs on Windows. (SPL-73825, SPL-73826)
  • Post Upgrade to Splunk 6.0 IIS log fail to index with TRUNCATE = 0( SPL-82811)

Charting, reporting, and visualization issues

  • Pie maps do not have legend labels. (SPL-73569)
  • New reports are not displayed in the report list until you refresh the window. (SPL-73846)
  • "In handler 'savedsearch': Error while dispatching search" may display due to searches being queued or could not run real time due to concurrency limits (SPL-81881)

Index replication issues

  • Disabling clustering on a peer node and then attempting to re-enable it later causes hot buckets to be handled incorrectly, with the consequence that the peer cannot be added back into the cluster. This scenario occurs when you take an existing peer node and disable clustering on it (turning it into a standalone indexer), and then you subsequently re-enable clustering to turn it back into a peer on its original cluster. In this situation, any hot buckets that were created on the peer but not rolled when clustering was still enabled, will get rolled after you disable clustering and restart the indexer. At that point, they get marked as standalone buckets, since the indexer is no longer a peer. Those buckets, however, also exist on the remaining cluster as replicated buckets, since they were streamed to other peers while the indexer in question was still a peer. If you then re-enable clustering on the peer and restart it, the bucket conflict causes the peer to fail to register with the master. (SPL-52901)
  • The generation ID for peers shown in the clustering UI is their original base generation ID, not that the current/latest generation. (SPL-71264)
  • Running splunk offline -enforce-counts incorrectly fails to stop the peer and Splunk does not exit. (SPL-73652)
  • Clustering dashboard displays the removed peer list indefinitely. (SPL-63687)
  • Running splunk remove excess-buckets does not remove excess hot buckets. (SPL-74001)
  • Changing the server name on search head doesn't get reflected in the cluster master's cluster management page. (SPL-72484, SPL-74103)
  • Cannot push bundles if the number of peers configured is below the replication factor. (SPL-71556)
  • Maintenance mode does not carry over across master restarts. To work around this issue, re-initiate maintenance mode after restarting the master. (SPL-74253)
  • Master's cluster management page does not sort peer names correctly. (SPL-65862)
  • If a peer is down while pushing a bundle, all peers will always restart. (SPL-73968)
  • Manually modifying indexes.conf to add a new index stanza and running splunk apply cluster-bundle can cause peer(s) to unexpectedly restart rather than reload (SPL-82152)
  • Unexpected duplicate app: _cluster caused due to password hashing (SPL-82244)

Data model and Pivot issues

  • Constraints for two objects (Alerts and Summary Indexing Searches) in the sample data model Splunk's Internal Server Logs are wrong, so objects return 0 events. (SPL-74189)
  • Accelerated data models only return results in Pivot for objects in the first event object hierarchy. All other objects in subsequent object hierarchies (whether event-based or not) erroneously return 0 results. (SPL-74415)
  • Items in the Edit drop-down menu stop working after permissions for a data model are changed to App/All Apps and then are set back to Owner. To work around this issue, exit the data model editor and start over. (SPL-73214)
  • Edit buttons do not appear once permissions set to private for an accelerated data model. (SPL-74267)
  • Accelerated data model disappears from list after permissions are changed. (SPL-74239)
  • Single value display in a data model is not updating with real-time data. (SPL-74291)
  • If there are two or more models with the same name but in different apps, only one of them will be listed in the All Apps list. (SPL-69772)
  • Limits in filters on the Pivot interface have several known issues including error messages when the stats function is edited in Splunk Web. (SPL-74163)
  • Expanding the App drop-down menu in the Create New Data Model dialog box will create data model. (SPL-74648)
  • Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot. (SPL-77054)
  • Indexers/search-head/cluster-masters with a large number of indexes : a large number of SummaryDirector searches are triggered and the instances are becoming unresponsive. Workaround [[1]]. (SPL-76956)

Integrated PDF generation and PDF Report Server issues

  • Schedule PDF delivery for email of a dashboard that includes post processing runs as a separate search process and provides 0 results (SPL-82301)
  • Heat maps aren't printed. (SPL-73029)
  • Generating a PDF of scheduled search with quotes in the title results in an error and no search results in the report. (SPL-73798)
  • Not able to export PDF if dashboard has no row or empty row. (SPL-67268)
  • Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used. (SPL-67491)
  • If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line. (SPL-58744)
  • Alert emails sent in PDF result format have some info missing compared to text or csv results. (SPL-60975)
  • PDF Report Server App: Printing PDF on debug/pdf page is broken. (SPL-73938)
  • PDF Report Server App doesn't work with latest Xvfb. (SPL-66213) Workaround: install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos

Search, saved search, alerting, scheduling, and job management issues

  • Splunk indexing and search performance can be reduced significantly on *nix and Linux systems that have Transparent Huge Pages (THP) memory management enabled. For a detailed explanation, read "Splunk and Transparent Huge Pages" in this manual. (SPL-75912)
  • If you use | reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated. (SPL-67642)
  • Drilldown on tstats output is incorrect and no error message is thrown. (SPL-74244)
  • The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x (SPL-76798)
  • Slient failure: No warning recorded when a shared scheduled search's scheduled time changes to None due to the owner/user being deleted (SPL-79341)
  • The iconify command fails to render icons in the event viewer. (SPL-79738, SPL-81136)
  • Error "The process cannot access the file because it is being used by another process" in splunkd.log in reference to dispatch search.log. Error does not affect search. (SPL-82288)

Splunk Web and Home interface issues

  • The indexing status dashboard's Index health graph and Analysis of index bucket do not work for multiple indexes, only a single index. (SPL-34123)
  • Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521. (SPL-73818)
  • When browsing an Active Directory tree with a depth over 39 nodes, no horizontal scroll bar is shown. (SPL-59980)
  • When you try to select a cell in a table to copy the content, Splunk Web interprets the copy as a click and drills down. (SPL-74243)
  • Data Model Editor, Reports, Alerts, Dashboards > Actions > Edit Permissions display for App or All Apps only list first 31 roles (SPL-78961)
  • Chrome browser may not display text on login screen nor dashboard fully. Workaround [[2]]. (SPL-81263)
  • Upgrade an app from Manager -> Manage Apps return error: An error occurred while installing the app: 302 (SPL-81977) Workaround: download the app from splunkbase and install from file.

Distributed deployment, forwarder, and deployment server issues

  • The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer. (SPL-74427)
  • Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
  • Splunk Web becomes unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
  • High REST response times on search peers due to system resource contention cause user-facing search timeouts on search-head but fail to be reported on peers. (SPL-74220)
  • Not all clients appear in the deployment server UI when they have the same host. (SPL-66453)
  • When a large number (>/=100) of users search concurrently on the same search head, some of them may see an error message about an unknown SID, and receive no results. (SPL-71149)
  • SSL compression settings in web.conf fail to disable compression and compression is turned OFF irrespective of useSplunkdClientSSLCompression setting in server.conf. (SPL-64934)
  • Forwarder startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
  • When you attempt to install the Splunk universal forwarder for Windows with the /quiet argument, it does not enable any Windows inputs. This is due to the fact that the Splunk Add-on for Windows, which is required to enable the inputs, does not install. To work around the issue, specify DISPLAY_WINDOWS_TA_DIALOG=1 in the installation command. (SPL-75974)
  • The splunkd.log file was growing quite large as every two minutes Deployment Server and Deployment Client were logging detail INFO logging. These level of detail should be moved to DEBUG.(SPL-78499)
  • Duplicate entries in Forwarder Management for some of the Deployment Clients(SPL-80215)

Windows-specific issues

  • Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521. (SPL-73818)
  • LDAP authentication does not work on Windows over the IPv6 protocol. (SPL-48342)
  • Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition. (SPL-74209)
  • Splunk on Windows does not properly update or save lookup tables when it accesses them with a search. (SPL-40332)
  • The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows. (SPL-73826)
  • If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.0 instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf. (SPL-75116)
  • When you attempt to install the Splunk universal forwarder for Windows with the /quiet argument, it does not enable any Windows inputs. This is due to the fact that the Splunk Add-on for Windows, which is required to enable the inputs, does not install. To work around the issue, specify DISPLAY_WINDOWS_TA_DIALOG=1 in the installation command. (SPL-75974)
  • When you upgrade your Splunk forwarders to version 6.0, the indexers that those forwarders send data to begin crashing. You can work around this issue by following the instructions in "I upgraded my distributed environment to Splunk 6.0 and now my indexers are crashing" on Splunk Answers. (SPL-75796)
  • On Windows Server 2003, the WinEventLog input generates sourcetypes in all lower case, for example, WinEventLog:security versus WinEventLog:Security. This can cause filters that have been set up in props.conf to not match, which can ultimately result in unexpected indexing of data. To work around the problem, follow the instructions in "Windows Event Log filters fail" on Splunk Answers. (SPL-78726)
  • The Splunk Windows universal forwarder does not forward Windows Event Log or performance monitor data to the correct indexer or forwarder group, as defined by the _TCP_ROUTING attribute in the inputs.conf stanza for the input. Other input types forward data properly. (SPL-79009)
  • Indexers don't accept new connections on the splunktcpin port even after a queue blockage has been resolved. (SPL-79842)
  • Version 6.0.2 of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether or not you disable the WINEVENT_*installation flags. (SPL-81489)
  • Windows 32-bit new Universal Forwarder default installation directory will be C:\SplunkUniversalForwarder vs 64-bit at C:\Program Files\SplunkUniversalForwarder (SPL/79572, SPL-83067)

REST, Simple XML, and Advanced XML issues

  • When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard><foo></dashboard>the endpoint actually receives:<dashboard><foo></dashboard>. (SPL-67453)
  • HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events. (SPL-64489, SPL-32852)
  • Sorting as "asc" does not work for Dashboard of Panel Type: List. (SPL-65124)
  • In Simple XML, an empty paragraph tag is injected into HTML blocks. (SPL-74031)
  • Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view. (SPL-66511)
  • Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page. (SPL-74151)
  • Setting Rows Per Page causes empty panel in Events panel. (SPL-73835)
  • Setting charting.axisLabelsX.majorTickVisibility to hide does not work. (SPL-73743)
  • The warmToColdScript property not supported by REST API. (SPL-66700)

Web Framework issues

  • If you don't set the "value" property when you first create a TimeRange view, you'll get an error if you try to change "earliest_time" and "latest_time" properties later.

Unsorted issues

  • BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
  • Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
  • Bloomfilters are sometimes not created in bloomHomePath after restart. (SPL-51553)
  • If license slaves are running <6.0 version, they don't have the idx field and in the License Usage view, the split by index field will show a field named UNKNOWN. (SPL-69304)
  • If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day. (SPL-73636)
  • The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO. (SPL-68010)
  • Can't use the CLI to delete an index with a capital letter in its name. (SPL-72484)
  • You cannot specify a destination folder when installing on OSX. (SPL-74337)
  • Report acceleration Summary folders (summaryHomePath) cannot be created if the homePath of the index is at the root of the filesystem, (homePath=D:\myindex or homePath=/myindex). The workaround is to create the folder manually. (SPL-71645)
  • In the setting pages for the indexes list, the counter for the "Latest event" is not refreshing for events in the hot buckets (SPL-78585)
  • In server.conf, setting maxThreads or maxSockets in the httpServer stanza to a value of -1 results in an effective value of 0, contrary to what server.conf.spec says (SPL-82389).

This documentation applies to the following versions of Splunk: 6.0.3 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!