Splunk Cloud Platform

Release Notes

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Known and fixed issues for

This page lists selected known issues and fixed issues for .

See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective known and fixed issues.

Version 9.0.2209

This version includes the following known issues:

Date filed or added Issue number Description
2024-06-04 SPL-237180 Saved searches on Splunk Cloud Platform that are owned by nobody are scheduled using the default time zone settings in the user-prefs.conf file instead of the system time zone in Splunk Cloud. But, searches are run internally as splunk-system-user, which is tied to system time in Splunk Cloud Platform and is based on UTC (Coordinated Universal Time).


The mismatch between the default time zone settings in the user-prefs.conf file and Splunk Cloud system time can lead to potential discrepancies in search results under certain conditions when the time zones for nobody and splunk-system-user get out of sync.

If you're experiencing mismatched time zones with nobody owned searches following migration from Splunk Enterprise to Splunk Cloud Platform, reassign searches to a user account attached to a role, so searches aren't assigned to nobody. An alternative workaround is to set the schedules for nobody-owned saved searches to UTC, which ensures that searches are the same as system time.

2024-02-11 SPL-250916 Add a filter to the GET SHs only of all deployment clients in check_bundles_ready of dc_helpers.py.
2023-10-20 SPL-241475 False positive message that a restart is required. User 'admin' triggered the '_reload' action on app 'splunk_monitoring_console', and completing an implicit app deletion requires restart. No restart is required and this message can be ignored.
2023-07-20 SPL-240969 props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions.

Workaround:
Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app.
2023-07-07 SPL-241821 Data Model Accelerations that have Automatic Rebuilds enabled may lead to unbounded memory growth due to search expansion, resulting in Out of Memory errors

Workaround:
For a data model that is experiencing high memory usage, perform the following steps:
  1. On your Splunk platform deployment, in Splunk Web, select Settings and then Data Models.
  2. Select Edit for the data model that is experiencing high memory usage, and then select Edit Acceleration.
  3. Open Advanced Settings.
  4. Disable Automatic Rebuilds.

See Accelerate data models in the Knowledge Manager Manual.

Furthermore, applying index constraints to restrict the list of indexes searched for building a given DMA summary and applying tags allowlisting would help curtail the memory usage.

2023-06-29 SPL-241368 Updating HEC token in Splunk Web with upper case 'Default' as the index causes an empty index to be set.
2023-05-30 Not applicable ACS endpoint connections fail after June 4, 2023 or HEC sessions fail after June 14, 2023 with error messages that mention SSL, TLS, or HTTP error 503 or 525. See Cloud Platform Discontinuing support for TLS version 1.0 and 1.1.
2023-05-22 SPL-240242 Federated Search: When exporting results, the remote search head (RSH) returns exceptions when it sees federated search head (FSH) socket errors. The RSH should ignore FSH socket errors.
2023-05-09 SPL-239689 In transparent mode Federated Search for Splunk, custom search commands and the "outputlookup" command should run only on the local deployment. Instead they run on the remote deployment, leading to errors, incorrect results.
2023-05-02 SPL-239436 In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-28 SPL-239339 Workload Management ignores Place in Pool action.
2023-04-24 SPL-237902 Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy.

Workaround: Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include latest=now in order to avoid time range inaccuracies. For example, if you want to get all events from the last 10 seconds starting at 01:00:10, the following search returns all events that occur between the time of 01:00:00 and 01:00:10, as expected: index=main earliest=-10s latest=now.

Running the same search without including latest=now might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches. See Specify earliest relative time offset and latest time in ad hoc searches in the Splunk platform Search Manual.

2023-04-17 SPL-238767 Standard mode federated search with longer-than-a-minute from command searches might encounter socket ReadWrite errors when the federated provider points to a cloud load balancer, due to idle timeout on the LoadBalancer config

Workaround: If you encounter this issue, update the federated provider definition (created on the federated search head in Splunk Web), so that its Remote Host points to a remote deployment cluster member instead of to the remote deployment cluster load balancer.

2023-03-30 SPL-238029 Standard mode federated search - A multistats search with a tstats subsearch where prestats=t and a federated index is used as a data model throws an error.
2023-03-14 SPL-237265 Sometimes when a search is aborted by workload rule, 'wlm_terminated' information message is not written to audit log
2023-03-07 SPL-233037 For a KVStore autolookup with `case_sensitive_match` set to default/true, when the SPL searches for a case sensitive field value (that is, <field name as in props.conf>=<case sensitive field value>) the reverse lookup is performed incorrectly. The root cause is the default value of `reverse_lookup_honor_case_sensitive_match` being changed from true to false.
2023-01-26 SPL-235416 Case sensitive sourcetypes in Ingest Actions UI preview won't fetch results
2022-12-14 SPL-234045 "Invalid value" for earliest/latest in time token in "Advanced" time range section.

Workaround: Replace the Earliest/Latest values in the Advanced section of the time range picker. This temporary workaround must be done each time the dashboard is opened.

2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1.
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed or added Issue number Description
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing.
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.

Version 9.0.2208

This version includes the following known issues:

Date filed or added Issue number Description
2023-07-20 SPL-240969 props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions.

Workaround:
Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app.
2023-05-22 SPL-240242 Federated Search: When exporting results, the remote search head (RSH) returns exceptions when it sees federated search head (FSH) socket errors. The RSH should ignore FSH socket errors.
2023-05-02 SPL-239436 In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-28 SPL-239339 Workload Management ignores Place in Pool action.
2023-03-30 SPL-238029 Standard mode federated search - A multistats search with a tstats subsearch where prestats=t and a federated index is used as a data model throws an error.
2022-12-14 SPL-234045 "Invalid value" for earliest/latest in time token in "Advanced" time range section.

Workaround: Replace the Earliest/Latest values in the Advanced section of the time range picker. This temporary workaround must be done each time the dashboard is opened.

2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing.

Workaround: To stop a proxy bundle (pb_t1) from being sent endlessly from the remote deployment to it's indexers, you need to ensure that the local deployment generates a new bundle. Once this one new bundle is generated and sent to the remote deployment (as (pb_t2), the remote deployment will stop sending the previous bundle to the indexers.

To make sure that happens:

  1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle.
  2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1.
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issue:

Date filed or added Issue number Description
2022-08-12 SPL-224045 Data intended for Summary Indexes may be be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.

Version 9.0.2205

This version includes the following known issues:

Date filed or added Issue number Description
2022-05-23 SPL-240242 Federated Search: When exporting results, the remote search head (RSH) returns exceptions when it sees federated search head (FSH) socket errors. The RSH should ignore FSH socket errors.
2023-05-02 SPL-239436 In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-28 SPL-239339 Workload Management ignores Place in Pool action.
2023-03-30 SPL-238029 Standard mode federated search - A multistats search with a tstats subsearch where prestats=t and a federated index is used as a data model throws an error.
2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-08-12 SPL-224045 Data intended for Summary Indexes may be be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing.

Workaround: To stop a proxy bundle (pb_t1) from being sent endlessly from the remote deployment to it's indexers, you need to ensure that the local deployment generates a new bundle. Once this one new bundle is generated and sent to the remote deployment (as (pb_t2), the remote deployment will stop sending the previous bundle to the indexers.

To make sure that happens:

  1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle.
  2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1.
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed or added Issue number Description
2022-08-19 SPL-223193 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2022-07-21 SPL-227163 Frequent disable and enable updates of ssg_enable_modular_input causes search head instability and configuration file replication delays.

Workaround: Disable the splunk_secure_gateway app.

2022-03-17 SPL-220932 On the Classic Experience, private app upload fails without any error message even when the AppInspect field check_that_app_passes_slim_validation_for_cloud triggers a warning.

Workaround:
Validate with AppInspect report that this check (check_that_app_passes_slim_validation_for_cloud) is triggering a warning. Address the warning to pass this section. Errors are typically related to SLIM and the manifest file(s) packaged within the app.

Version 8.2.2203

This version includes the following known issues:

Date filed or added Issue number Description
2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-08-19 SPL-223193 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2022-08-12 SPL-224045 Data intended for Summary Indexes may be be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing.

Workaround: To stop a proxy bundle (pb_t1) from being sent endlessly from the remote deployment to it's indexers, you need to ensure that the local deployment generates a new bundle. Once this one new bundle is generated and sent to the remote deployment (as (pb_t2), the remote deployment will stop sending the previous bundle to the indexers.

To make sure that happens:

  1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle.
  2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment.
2022-07-21 SPL-227163 Frequent disable and enable updates of ssg_enable_modular_input causes search head instability and configuration file replication delays.

Workaround: Disable the splunk_secure_gateway app.

2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1.
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2022-03-17 SPL-220932 On the Classic Experience, private app upload fails without any error message even when the AppInspect field check_that_app_passes_slim_validation_for_cloud triggers a warning.

Workaround:
Validate with AppInspect report that this check (check_that_app_passes_slim_validation_for_cloud) is triggering a warning. Address the warning to pass this section. Errors are typically related to SLIM and the manifest file(s) packaged within the app.
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed or added Issue number Description
2022-05-02 SPL-223508 When trying to load a Studio dashboard, the page shows "Splunk Cloud is currently under maintenance."
2022-01-19 SPL-217505 Federated searches fail when table command is used

Workaround:
Fix a federated search that runs into this issue by appending | noop search_optimization.replace_table_with_fields=f to the search string.

Version 8.2.2202

This version includes the following known issues:

Date filed Issue number Description
2022-08-19 SPL-223193 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2022-08-12 SPL-224045 Data intended for Summary Indexes may be be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1.
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-05-02 SPL-223508 When trying to load a Studio dashboard, the page shows "Splunk Cloud is currently under maintenance."

Workaround:

  • Restarting the search head fixes the issue temporarily.
  • A more permanent workaround is to set set enforce_dashboards_csp=false under the [settings] stanza in etc/system/local/web.conf. After changing this setting, a restart will be required to take effect.
2022-03-17 SPL-220932 On the Classic Experience, private app upload fails without any error message even when the AppInspect field check_that_app_passes_slim_validation_for_cloud triggers a warning.

Workaround:
Validate with AppInspect report that this check (check_that_app_passes_slim_validation_for_cloud) is triggering a warning. Address the warning to pass this section. Errors are typically related to SLIM and the manifest file(s) packaged within the app.
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-22 PAPP-23255 In version 4.1.73 of Phantom App on Splunk, there is an erroneous error message when syncing workbooks. The sync performs successfully, but upon completion, the error message states that the sync failed. You can safely ignore this error message. A fix will be included in the next GA release of Phantom App on Splunk.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issue:

Date filed Issue number Description
2022-03-17 SPL-220924 On the Victoria Experience, the Uploaded Apps UI page fails to load if a Splunk managed app is uploaded with same Id and version number through the self-service UI.

Workaround:
Contact Splunk Support to reinstall the app.

Version 8.2.2201

This version includes the following known issues:

Date filed Issue number Description
2022-08-12 SPL-224045 Data intended for Summary Indexes may be be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-22 PAPP-23255 In version 4.1.73 of Phantom App on Splunk, there is an erroneous error message when syncing workbooks. The sync performs successfully, but upon completion, the error message states that the sync failed. You can safely ignore this error message. A fix will be included in the next GA release of Phantom App on Splunk.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issue:

Date filed Issue number Description
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head

Version 8.2.2112

This version includes the following known issues:

Date filed Issue number Description
2022-08-12 SPL-224045 Data intended for Summary Indexes may be be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issue:

Date filed Issue number Description
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.

Version 8.2.2111

This version includes the following known issues:

Date filed Issue number Description
2022-08-12 SPL-224045 Data intended for Summary Indexes may be be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following Issues:

Date filed Issue number Description
2021-10-21 SPL-213892 Splunkbase apps installed via self-service cannot be upgraded in Victoria Experience version 8.2.2109.

The following error message appears: An error occurred while installing the app:400

Version 8.2.2109

This version includes the following known issues:

Date filed Issue number Description
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.
2021-10-21 SPL-213892 Splunkbase apps installed via self-service cannot be upgraded in Victoria Experience version 8.2.2109.

The following error message appears: An error occurred while installing the app:400

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following Issues:

Date filed Issue number Description
2021-08-12 SPL-210244 No default value selected on radio buttons in Simple XML dashboards
2021-08-05 SPL-209879 Unable to upload private apps in .tar.gz format on Victoria Experience.

Workaround:
Upload the app in .tar format

Version 8.2.2107

This version includes the following known issues:

Date filed Issue number Description
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-08-12 SPL-210244 No default value selected on radio buttons in Simple XML dashboards
2021-08-05 SPL-209879 Unable to upload private apps in .tar.gz format on Victoria Experience.

Workaround:
Upload the app in .tar format
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

Version 8.2.2106

This version includes the following known issues:

Date filed Issue number Description
2021-08-05 SPL-209879 Unable to upload private apps in .tar.gz format on Victoria Experience.

Workaround:
Upload the app in .tar format
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following Issues:

Date filed Issue number Description
2021-06-29 SPL-207228 Invalid UTF-8 bytes (stats search corruption) in audit.log search results break search head cluster heartbeat communication
2021-05-13 SPL-205645 Index deletion fails in deployments on Victoria Experience
2021-05-11 SPL-205528 manager/search/datainputstats only displays a maximum of 30 modular inputs

Version 8.2.2105

This version includes the following known issues:

Date filed Issue number Description
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy
2021-05-13 SPL-205645 Index deletion fails in deployments on Victoria Experience
2021-05-11 SPL-205528 manager/search/datainputstats only displays a maximum of 30 modular inputs
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed Issue number Description
2021-06-30 SPL-207554 Savedsearches.conf not in sync/not replicating to all SHC members

Version 8.2.2104

This version includes the following known issues:

Date filed Issue number Description
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy


Version 8.1.2103

This version includes the following known issues:

Date filed Issue number Description
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy

This version fixes the following issues:

Date filed Issue number Description
2021-04-21 SPL-201945 streamstats command not functioning as expected after upgrade

Version 8.1.2101

This version includes the following known issues:

Date filed Issue number Description
2021-04-21 SPL-201945 streamstats command not functioning as expected after upgrade
Last modified on 19 September, 2024
New features   Splunk Cloud Platform Field alias behavior change

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters