Known Issues
The following are issues and workarounds for this version of the Splunk App for Enterprise Security.
Highlighted issues
Publication date | Defect number | Description |
2015-04-22 | SOLNESS-6664 | Do not disable Enterprise Security unless the search head is running on Splunk Enterprise version 6.2.3. Disabling the SplunkEnterpriseSecuritySuite or SA-ThreatIntelligence apps removes all data collected in the KVStore collections. The KVStore collection data in those apps includes Notable Event status changes created on the Incident Review dashboard. |
2015-04-02 | SPL-99059 | Modifying a data model's acceleration settings from the Settings > Data models > Edit Acceleration UI will remove any advanced configuration settings on the selected data model, such as
acceleration.manual_rebuilds
and
acceleration.backfill_time .
Workaround: Change data model acceleration settings through direct editing of the datamodels.conf files. |
3.2.1 | — |
Some workflow actions have been removed from this release of the Enterprise Security App. For information about creating new workflow actions, see "Create and maintain workflow actions in Splunk Web" in the Splunk Enterprise Knowledge Manager Manual. |
3.2.1 | — |
Immediately after upgrading the Enterprise Security app, the Incident Review dashboard may not display notable events. The migration process from a .csv file to the KV Store feature implements a brief wait time to initialize the system. The first time ES comes up after the post-setup restart, there is a period where Incident Review will be unusable. The dashboard will become usable in a couple minutes after the migration completes.
|
Pre-3.2 | CIM-169 | After installing the Enterprise Security app, the splunkd.log displays a warning message:
Workaround: Disable truncation on the indexers using the
|
Configuration
Publication date | Defect number | Description |
2016-05-23 | SOLNESS-9420 |
Extreme search causing multiple core dump files Workaround: Filter results where the size is zero. Edit the problematic context gen search in the configuration file or on the Content Management page to include |where size > 0 . For example:| tstats `summariesonly` dc(All_Traffic.src) as src_count from datamodel=Network_Traffic by _time span=30m | stats count, median(src_count) as median, stdev(src_count) as size | where size>0 | xsupdateddcontext name=src_count_30m container=network_traffic terms="minimal,low,medium,high,extreme" type=median_centered width=3 app=SA-NetworkProtection scope=app | stats count |
2015-04-15 | SOLNESS-6641 | Search name containing German umlaut cannot be opened in the Edit Correlation Search view. JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error)..
|
Dashboards
Publication date | Defect number | Description |
Pre-3.2 | SOLNESS-4387 | When working with individual Reports (Search > Reports), some drill down functionality may not produce desired behavior. This is dependent on the structure of the search, and the search commands being used. This should not affect shipped dashboards. If adding a report to ones own dashboard, for best results use Simple XML to define explicit drill down. |
Pre-3.2 | SOLNESS-5752 | When using the Account Management dashboard to view Account Lockouts, a drilldown to investigate events runs slowly. This is expected behavior. A drilldown will run a historical search across all events in a data model, where the dashboard view uses only accelerated data for faster visual response. |
Pre-3.2 | SOLNESS-4631 | When using Advanced Threat dashboards, some dashboard views display a yellow warning sign triangle even if the view displays results. The warning reports:
This is expected behavior and is harmless. The lookup files referenced in the warning message manages the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening. Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel. For more information, see "Edit the Per-Panel Filter list" in the Enterprise Security User Manual. |
2014-11-19 | SOLNESS-5676 | The Create Notable Event workflow action may result in a truncated notable event with missing fields. |
Hardware prerequisites
Publication date | Defect number | Description |
Pre-3.2 | SOLNESS-4256 | Running Splunk Enterprise on Windows with under-provisioned virtualized hardware may cause Enterprise Security setup to fail. If the instance meets the "virtualized hardware" specifications, retry the setup if it fails the first time. |
Pre-3.2 | — |
A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run.
This is expected behavior when the |
Incident Review
Publication date | Defect number | Description |
Pre-3.2 | SOLNESS-1784 | Contributing events from any notable event in the Incident Review dashboard will default to "All Time" and may take a long time to return results. To workaround this issue, cancel the search and rerun with the desired time window. |
Pre-3.2 | SOLNESS-2508 | The Incident Review dashboard feature does not work on the Solaris operating system. |
Pre-3.2 | SOLNESS-5072 | The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket , and can be changed as required.
|
2015-03-11 | SOLNESS-6376 | Disabling a field action through the workflow_actions.conf will not remove the workflow action from the Incident Review dashboard.
Workaround: In the fields setting of the disabled workflow stanza, remove the asterisk and replace it with random text. |
2015-05-26 | SOLNESS-6878 | When saving the changes to a selection of more than 1000 notable events, the update will fail with the error The update failed:ResultSet.iter – timed out while waiting on data; expected 100 events, only got 0; count=xxxx . This is the expected behavior set by default in the limits.conf setting max_events_per_bucket , and can be changed as required.
|
Inputs
Publication date | Defect number | Description |
Pre-3.2 | SOLNESS-4785 | The threat list emerging_threats_malvertisers_blocklist has been obsoleted]. The input has been removed from the available threat lists. For more details see the notice at the threat list site (http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules).
|
Pre-3.2 | SOLNESS-4254 | While configuring or editing a modular input for a threat list, the "Interval" parameter cannot be specified through the UI.
Workaround: Configure all other input parameters through the UI, and change the run "Interval" from the command line. |
Pre-3.2 | SOLNESS-5401 | A threat list download attempt from an HTTPS URL may fail to download if proxy authentication is in use. Checking the $SPLUNK_HOME/var/log/splunk/python_modular_input.log shows an authentication failure:
A patch to the Python libraries
|
Reports
Publication date | Defect number | Description |
Pre-3.2 | SOLNESS-3536 | In any Individual Reports window, selecting a real-time Time Range such as: 24 hour window, 30 minute window, etc. will cause a display error:
Workaround: Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes. |
Pre-3.2 | SOLNESS-4387 | When adding a report to a custom dashboard in the Enterprise Security app, the report's drilldown search may not produce the desired behavior. This includes pre-defined reports included with the Enterprise Security app.
Workaround: Test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired. |
2015-01-15 | SOLNESS-6054 | The format of Incident Review audit data has been optimized. To review Incident Review audit events created prior to ES 3.2.1, update your audit search as needed and add the latest extractions. Example:
|
2015-04-24 | SOLNESS-6670 | When the correlation search Potential Gap in Data is enabled, the search will report false positive matches. Workaround: Update the contents of the search.
|
Search Head Clustering
Publication date | Defect number | Description |
2015-01-09 | SPL-94522 | Search head cluster caches in-memory jobs, leading to increasing memory growth.
Workaround: Reduce the
|
2015-03-04 | SOLNESS-6315 | The localprocess_tracker.csv file can grow too large for successful replication.
Workaround: Update the
|
Search Head Pooling
Publication date | Defect number | Description |
Pre-3.2 | —
|
Any stanza in inputs.conf that references an object in the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling since /etc/apps/* resides on the pool, and is no longer tied to the relative path $SPLUNK_HOME.
Example:
In
|
Fixed Issues | Learn More and how to get help |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.2.2
Feedback submitted, thanks!