Fixed Issues
The following issues have been fixed in this release.
- When you select a standard deviation greater than the value, and the data includes a negative Z value, the new analysis dashboards are not properly filtering the data. (SOLNESS-3452)
- Correlation searches newly created using the Correlation Search editor cannot be suppressed in the Incident Review dashboard. For a workaround, see "Enable non-administrators to edit a blocklist" in the Installation and Configuration Manual. (SOLNESS-2709)
- In a search head pooling configuration, the user is unable to save a lookup after making a modification. It is possible to write to the shared storage interactively. The workaround is to edit the lookup file on the filesystem. (SOLNESS-3383)
- When you create a new blocklist (Configure > Blocklists > New), the blocklist name cannot contain any spaces. You can use hyphens or underscores to separate words. (SOLNESS-3556)
- The Advanced Filter in the Network Analysis dashboards is not visible to user roles other than admin by default. This capability must be configured for each user role. See "Configure user roles for Advanced Filter" in the Installation and Configuration Manual (SOLNESS-3398).
- When drilling down from a chart where data is plotted over time, the drill-down results may not match the chart summary. The transition from summary to detail forces a search against the raw data, which may have been updated or new data loaded. No workaround exists. (SOLNESS-1096)
- No search progress indicator: After you click the Search button, no indication is given that a search is being performed (even though the search is in fact running). This is a known core Splunk issue (SPL-51660). The table or report remains empty until the results of the search are complete. (SOLNPCI-728)
- Some real-time searches have been discovered to trigger large amounts of memory consumption on Splunk versions 4.2.5 and 4.3. Splunk version 4.3.2 or higher is recommended. (SOLNESS-2221)
- If you are using the "conventions" feature with the automatic Identity Correlation feature to specify multiple, commonly used formats for user identities, you will not be able to specify any conventions in the identityLookup.conf file that consist of more than one replacement string (for instance, "first().last()"). However, conventions that consist of only a single replacement string (such as "first()" or "last()") will work properly. If you require this functionality, please contact Splunk Support for a patch and reference SOLNESS-3404. (SOLNESS-3404)
- The restart button on the upgrade screen is not visible in the browser on smaller monitors. Scroll to the bottom of the web page to see the button. (SOLNESS-2039)
- After upgrading, the new analysis dashboards do not show up in the Network drop-down menu. You need to manually enable them. See "Enable the new dashboards" in the Installation and Configuration Manual for details. (SOLNESS-3448)
- When using Splunk with Internet Explorer, disable "Enable XSS Filter" in the security settings for IE. The Correlation Search editor has been known to fail when XSS protection is enabled. Add Splunk to the list of trusted sites and only disable XSS protection on trusted sites. (SOLNESS-3210)
- When the Incident Review dashboard is being used to manage notable events, all updates to notable events will restart searches. If using a real-time search, the search will need to be finalized for more information. (SOLNESS-959)
- Searches must be finalized before interacting with notable events in the Incident Review dashboard. Otherwise, warning messages may be shown when clicking on interactive features. Click Finalize on the right side of the Search Timeline to avoid these warning messages. This behavior is caused by the continual update of search results with new results from the real-time search. (SOLNESS-787)
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0