On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.
Known issues for DSP
This version of the Splunk Data Stream Processor has the following known issues and workarounds.
If no issues appear here, no issues have yet been reported.
|Date filed||Issue number||Description|
|2020-10-21||DSP-28545||After upgrading from DSP 1.1 to 1.2, scheduled Collect service jobs fail due to an ImagePullBackoff error.|
Manually apply a specific service account to the service that triggers Collect service jobs. Work with Professional Services to get this service account spec.
|2020-09-18||DSP-26954||Activated pipelines cannot be reactivated after upgrading.|
Reactivate your pipelines with "Skip Restore State" enabled. Since "Skip Restore State" discards the saved state of your pipeline, your pipeline ignores any data ingested while it is deactivated causing data loss.
|Date filed||Issue number||Description|
|2021-12-03||DSP-43606||Server can be attacked by slow clients during TLS handshake|
|2021-09-02||DSP-41953||DSP's messaging bus does not write to a write-ahead log by default. In some cases, this may cause data loss.|
|2021-08-04||DSP-41040||Checkpoint cleanup for pull-based connectors cause performance issues.|
|2021-06-21||DSP-39621||Network policies can prevent legitimate internal service communication|
Rarely, internal network policies can be incorrectly generated leading to disruption of internal cluster communications. Symptoms include persistent Connection Reset and Connection Timeout messages between services that should normally be allowed to communicate.
If affected by this issue, internal service communication should be restored almost immediately. Note that network policy objects will be restored after running ./deploy. The above command should be re-applied after ./deploy.
|2021-06-01||DSP-38591||Subseconds are not sent to Firehose|
|2021-05-26||DSP-38394||Multi node clusters do not work on RHEL 8.3 running on VMWare|
A regression introduced into the RHEL 8.3 linux kernel prevents multi node DSP clusters from working properly on VMWare infrastructure when the DSP VMs are scheduled across multiple ESX hosts.
To workaround, disable checksum offloading for impacted DSP network interfaces.
Note: this must be run on every node in the cluster and every system boot. The system should recover within a few minutes.
More information about the nature of the issue is found at https://access.redhat.com/solutions/5881451
|2021-02-24||DSP-34067||DSP 1.2.0 fails preflight checks on RHEL/Centos 8.3|
Install DSP 1.2.0 on a supported OS as listed here: https://docs.splunk.com/Documentation/DSP/1.2.0/Admin/Compatibility
|2021-02-23||DSP-34031||In HEC sink, unhandled exception causes pipeline restarts|
|2021-02-04||DSP-33028||Ingest-s2s pods in a potential deadlock state|
|2021-01-20||DSP-32261, DSP-28080||Pipeline fails intermittently while parsing a date format in an Apply Timestamp Extraction function|
|2020-12-17||DSP-31299, DSP-31300, DSP-31322||Splunk App for DSP: Improve dropdown filtering when collecting metrics from multiple clusters|
|2020-12-15||DSP-31160||HEC sink leaks memory when ACK is disabled|
|2020-12-09||DSP-30903||HEC Sink throws ArrayOutOfBoundException eventually|
|2020-11-20||DSP-29917||KV store lookups caching should be on by default|
Set the cache_expiry_after_write to a positive value in milliseconds, such as 300000 (5 minutes), to set cache expiry for each value after it was loaded into the cache.
|2020-11-09||DSP-29322, DSP-34095||Under low throughput conditions, records batched in batch_bytes, batch_records, and splunk_enterprise_indexes do not get flushed using the default timeout.|
Set the millis argument in
|2020-10-22||DSP-28602||SignalFX sink and lookups fails to checkpoint when event has a map field.|
The SignalFX sink functions and lookup function when using the KV Store connectors will fail to checkpoint if there is a Map in an event field. To resolve this issue ensure that events have no Map objects in any of their fields or convert any existing Map objects to an alternative type. For example using " | eval map = to_json(map)" on a field with a Map object will convert that field to a string.
|2020-10-22||DSP-28649||After upgrading from 1.1 to 1.2, you cannot create new DSP HEC tokens.|
|2020-10-19||DSP-28395, DSP-28139||You cannot reactivate a pipeline if you do a round-trip toggle from Canvas -> SPL -> Canvas.|
If you are editing a pipeline that has been activated before, stay in the Canvas builder.
|2020-10-19||DSP-28423||The connection_id dropdown does not work for pipelines migrated from 1.1 that use the splunk_enterprise_indexes or splunk_enterprise sink functions.|
1. Deactivate the pipeline
2. Click on the Ellipsis (More Options menu) next to "Activate Pipeline" and expand the Streams JSON Import/Export menu.
3. Update the resolvedId of the affected functions.
For splunk_enterprise_indexes, update the value of "resolvedId" to "into_splunk_enterprise_indexes:collection<record<R>>:connection-id:expression<string>:expression<string>"
For splunk_enterprise, update the value of "resolvedId" to "into_splunk_enterprise:collection<record<R>>:connection-id:expression<string>:expression<bytes>"
4. Save the updated metadata.
5. Save and reactivate the pipeline.
|2020-10-14||DSP-28179, DSP-28408||After upgrading from 1.1 to 1.2, pipelines with stats functions are stuck in "RESTARTING" mode.|
A performance improvement for the stats function prevents recovery of state. Pipelines that are stuck in "RESTARTING" need to be reactivated using the "Skip Restore State" setting in the UI (skipRestoreState in the API). Restarting with skip restore state will result in some amount of data loss.
|2020-10-07||DSP-27878||Apply Line Break function metrics show twice the number of records.|
|2020-10-05||DSP-27716||Large batch size when using a clustered KV Store behind a GCP load balancer causes HTTPs requests to exceed allowed size (status code 431).|
Reduce the batch size limit to make the request under 16KB.
|2020-09-30||DSP-27483||On macOS, you cannot accept the warning for the self-signed TLS certificate|
Type "thisisunsafe" in the browser window to accept the certificate.
|2020-09-18||DSP-26912||Generated SPL can erroneously duplicate statement names when statement names of the form statement_n are hard-coded in the Pipeline JSON.|
Change the hard-coded statement names in the Pipeline JSON to something that does not match statement_n.
|2020-09-10||DSP-26551||DSP installation pre-flight check for disk space should check the correct volume/directory.|
For example, if you use
|2020-08-31||DSP-26064||Upgrading DSP gives a "HTTPS Status 500 - Internal Server Error" on initial login.|
Clear your browser cache and then try logging back into DSP.
|2020-08-17||DSP-25339||DSP does not run on an operating system that has FIPS mode enabled.|
|2020-04-30||DSP-20769||Migration prompt continues to show up after an active pipeline is migrated to a new API version.|
|2020-04-21||DSP-20380||When toggling between the Canvas Builder and SPL2 Builder, function configurations are unexpectedly populated with default values.|
Configure every function so the UPL is valid.
|2020-04-21||DSP-20379||User named functions are lost when toggling between the Canvas and the SPL2 Builders.|
|2020-04-08||DSP-19759||DSP does not properly ingest sourcetypes with INDEXED_EXTRACTIONS=true.|
New features for DSP
Fixed Issues for DSP
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0