Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Known Issues

The following are issues and workarounds for this version of the Splunk App for Enterprise Security.

Highlighted issues

Publication date Defect number Description
3.3.1 SOLNESS-7055 When stopping or restarting the splunkd service, the service may crash in Crashing thread: IdataDO_Collector. Workaround: Disable the introspection logging on the node experiencing the crash. Validate the inputs are disabled by searching:

| rest /services/configs/conf-server | eval app='eai:acl.app' | table title disabled | search title=introspection*

Note: Disabling the introspection log settings will prevent the Distributed Management Console from reporting upon the status of that node.

2015-05-28 SOLNESS-6811 The threat list spyeye_ip_blocklist has been obsoleted. To disable the input, browse to Configure > Data Enrichment > Threat Intelligence Downloads, find the spyeye_ip_blocklist threat list, and select Disable.

Hardware prerequisites

Publication date Defect number Description
A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run.

This is expected behavior when the max user processes ulimit is too restrictive for the current load on the Splunk environment. See "Errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting Manual.

Incident Review

Publication date Defect number Description
Immediately after upgrading the Enterprise Security app, the Incident Review dashboard may not display notable events. The migration process from a .csv file to the KV Store feature implements a brief wait time to initialize the system. The first time ES comes up after the post-setup restart, there is a period where Incident Review will be unusable. The dashboard will become usable in a couple minutes after the migration completes.
Pre-3.2 SOLNESS-2508 The Incident Review dashboard feature does not work on the Solaris operating system.
Pre-3.2 SOLNESS-5072 The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.
2014-11-19 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.
2015-01-15 SOLNESS-6054 The format of Incident Review audit data has been optimized. To review Incident Review audit events created prior to ES 3.2.1, update your audit search as needed and add the latest extractions. Example:

index=_audit sourcetype=incident_review | rex field=_raw "^(?<end_time>[^,]*),(?<rule_id>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<status>[^,]*),(?<comment>[^,]*),(?<user>[^,]*),(?<rule_name>[^,]*)"

Installation and Upgrade

Publication date Defect number Description
Pre-3.2 CIM-169 After installing the Enterprise Security app, the splunkd.log displays a warning message:
WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 13359 - data_source="/opt/splunk/var/log/splunk/remote_searches.log", data_host="nom_nom_nom", data_sourcetype="splunkd_remote_searches"

Workaround: Disable truncation on the indexers using the props.conf:



2016-01-21 SOLNESS-8243 App import settings are not correctly replicated across search heads in a search head cluster. When this happens, the app import settings will replicate without the import information, then update to include the correct information, then replicate again without the import information.


  1. Set up a staging server with the apps and add-ons that should be enabled and installed in your environment.
  2. Let app_imports_update.py run once on the staging server. Use the following search to determine when the script last ran.

    index=_internal source="*python_modular_input.log" file="app_imports_update.py*" "Meta-data updated" | stats latest(_time) by input | `uitime(latest(_time))`

  3. Disable the app_imports_update.py script. This generates a clean and correct list of apps.
  4. Copy the contents of the etc/apps directory on the staging server to the etc/shcluster/apps directory on the SHC deployer.
  5. Deploy the configurations.


Publication date Defect number Description
2016-05-23 SOLNESS-9420
Extreme search causing multiple core dump files
Workaround: Filter results where the size is zero. Edit the problematic context gen search in the configuration file or on the Content Management page to include |where size > 0. For example:
| tstats `summariesonly` dc(All_Traffic.src) as src_count from datamodel=Network_Traffic by _time span=30m | stats count, median(src_count) as median, stdev(src_count) as size | where size>0 | xsupdateddcontext name=src_count_30m container=network_traffic terms="minimal,low,medium,high,extreme" type=median_centered width=3 app=SA-NetworkProtection scope=app | stats count

2015-04-02 SPL-99059 Modifying a data model's acceleration settings from the Settings > Data models > Edit Acceleration UI will remove any advanced configuration settings on the selected data model, such as 


Workaround: Change data model acceleration settings through direct editing of the datamodels.conf files.

2015-04-15 SOLNESS-6641 A search name containing German umlaut cannot be opened in the Edit Correlation Search view. The JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error)..

Dashboards and Reports

Publication date Defect number Description
When using a drilldown from any dashboard panel, the drilldown displays results slower than the dashboard. This is expected behavior. A drilldown runs a historical search across all indexed events mapped to the data model, where the dashboard view uses only accelerated data model objects for a faster visual response.
Pre-3.2 SOLNESS-3536 In any Individual Reports window, selecting a real-time Time Range such as: 24 hour window, 30 minute window, etc. will cause a display error:

Error in 'tstats' command: This command is not supported in a real-time search.

Workaround: Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes.

Pre-3.2 SOLNESS-4387 When adding a report to a custom dashboard in the Enterprise Security app, the report's drilldown search may not produce the desired behavior. This includes pre-defined reports included with the Enterprise Security app. The drilldown behavior is dependent on the structure of the search, and the search commands being used.
Workaround: Test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired.
Pre-3.2 SOLNESS-4631 When using Advanced Threat dashboards, some dashboard views display a yellow warning sign triangle even if the view displays results. The warning reports:

Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv

Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv

This is expected behavior and is harmless. The lookup files referenced in the warning message manages the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening.

Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel. For more information, see "Edit the Per-Panel Filter list" in the Enterprise Security User Manual.

2015-07-08 SOLNESS-7054 After adding a new swimlane in the Enterprise Security app using the UI, a restart will display a stdout error for savedsearches.conf:
Invalid key in stanza [Category - My New Swimlane - MySwimlane] in /etc/apps/DA-ESS-AccessProtection/local/savedsearches.conf, line 24: actions (value: swimlane)

Workaround: Edit the savedsearches.conf stanza noted in the error message, removing the line actions = swimlane.

2015-08-28 SOLNESS-7041 When selecting an event under New Attacks in the Security Domains > Network > Intrusion Center navigation, the drill down will not work if the selected event is not within the timerange of the New Attacks view.


Publication date Defect number Description
Pre-3.2 SOLNESS-4254 While configuring or editing a modular input for a threat list, the "Interval" parameter cannot be specified through the UI.

Workaround: Configure all other input parameters through the UI, and change the interval setting by editing the inputs.conf directly.

2015-07-24 SOLNESS-7132 The identities list fields startDate and endDate do not handle the date format "%m/%d/%Y" properly.
2015-08-28 SOLNESS-7090 Commas in a local threatlist description prevent the file from being parsed.
2015-04-29 SOLNESS-6695 An invalid threat list stanza will leave temporary files in the path $SPLUNK_HOME\var\run\splunk\lookup_tmp and throw errors in the python_modular_input.log
Sample: status="Unknown exception when reading input files" exc='NoneType' object has no attribute 'startswith'.
2015-12-28 SOLNESS-7659 The libtaxii library used by Enterprise Security does not support authenticated proxies. As a workaround, use an unauthenticated proxy if possible.
2016-08-04 SOLNESS-10052
lxml out-of-memory condition when parsing large TAXII feed documents
Workaround: Change the earliest time for the TAXII feed to pull documents with less information, or the maxsize parameter for the threat intelligence manager to allow for a larger byte size of documents in the DA-ESS-ThreatIntelligence/local/inputs.conf file. For example:
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1y" taxii_username="guest" taxii_password="guest" earliest="-1w"
type = taxii
url = http://hailataxii.com/taxii-data
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled  = true
maxsize   = 52428800
sinkhole  = false

Search Head Pooling

Publication date Defect number Description
Any stanza in inputs.conf that references an object in the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling since /etc/apps/* resides on the pool, and is no longer tied to the relative path $SPLUNK_HOME.

Example: In SA-ThreatIntelligence/local/inputs.conf [monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]

disabled = true

Lookup is on the search head pool shared storage. Changed path below: [monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]

disabled = false
index = _audit
sourcetype = incident_review
Last modified on 06 August, 2016
Fixed Issues
Learn More and how to get help

This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters