Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Publication date Defect number Description
2016-05-10 SOLNESS-8558 When installing or upgrading to Splunk Enterprise Security 4.0.3 running on OS X, if the installer UI displays a blank grey screen the setup will not complete. Workaround: Restart the ES installation using the CLI. To initiate an ES install or upgrade, at the command line type:
./splunk search '| essinstall' -auth admin:password
The installation or upgrade process is logged in:
$SPLUNK_HOME/var/log/splunk/essinstaller2.log
2015-11-10 SOLNESS-7977 When installing or upgrading to Splunk Enterprise Security 4.0.0, the installer UI can stop on Disabling Apps and will not finish. Workaround: Restart the ES installation using the CLI on the search head. To initiate an ES install or upgrade, at the command line type:
./splunk search '| essinstall' -auth admin:password
On WINDOWS use
splunk search "| essinstall" -auth admin:password
The installation or upgrade process is logged in:
$SPLUNK_HOME/var/log/splunk/essinstaller2.log
4.0.0 SOLNESS-7630 When stopping or restarting the splunkd service, the service may crash in Crashing thread: Shutdown. To resolve, upgrade Splunk Enterprise to 6.3.2.

Hardware prerequisites

Publication date Defect number Description
Pre-3.2
A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run.

This is expected behavior when the max user processes ulimit is too restrictive for the current load on the Splunk environment. See "Errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting Manual.

Incident Review

Publication date Defect number Description
2016-09-29 SOLNESS-10540 Incident Review default time range set to "All time".
3.2.1
Immediately after upgrading Enterprise Security, the Incident Review dashboard may not display notable events. The migration process from a .csv file to the KV Store feature implements a brief wait time to initialize the system. The first time ES comes up after the post-setup restart, there is a period where Incident Review will be unusable. The dashboard will become usable in a couple minutes after the migration completes.
Pre-3.2 SOLNESS-2508 The Incident Review dashboard feature does not work on the Solaris operating system.
Pre-3.2 SOLNESS-5072 The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.
2016-06-09 SOLNESS-8167 When sorting notable events by Urgency, if the total number of notable events on the page exceeds 1000 some notable events will not be displayed.
Workaround: Change the limits.conf setting max_events_per_bucket default to a value greater then 1000.
2014-11-19 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.
2015-01-15 SOLNESS-6054 The format of Incident Review audit data has been optimized. To review Incident Review audit events created prior to ES 3.2.1, update your audit search as needed and add the latest extractions. Example:
index=_audit sourcetype=incident_review |  rex  field=_raw "^(?<end_time>[^,]*),(?<rule_id>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<status>[^,]*),(?<comment>[^,]*),(?<user>[^,]*),(?<rule_name>[^,]*)"
3.2.1 SOLNESS-7415 The list of users that can be assigned a notable event may be incomplete if ES is accessed using SAML authentication. To see a full list of users that can be assigned a notable event, wait 10 minutes after logging in for the list of users to be refreshed.
2016-03-03 SOLNESS-8612 Using unicode characters when creating a notable event in the New Notable Event UI breaks the notable event Urgency.

Installation and Upgrade

Publication date Defect number Description
2016-07-27 SOLNESS-9553 Upgrade to 4.1 hangs on deprecating add-ons and generates a 400 error in the essinstaller2.log when attempting to disable apps.
Workaround: Try the upgrade again after changing the local app.conf setting of allows_disable = false to be allows_disable = true.
Pre-3.2 CIM-169 After installing the Enterprise Security app, the splunkd.log displays a warning message:
WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 13359 - data_source="/opt/splunk/var/log/splunk/remote_searches.log", data_host="*",
data_sourcetype="splunkd_remote_searches"

Workaround: Disable truncation on the indexers using the props.conf:
[splunkd_remote_searches]
TRUNCATE = 0
2016-02-02 SOLNESS-8433 During the installation of Enterprise Security, users on the search head can see and select Splunk Enterprise Security while the installation is still in progress. If selected, users will be presented with an empty dashboard.

Configuration

Publication date Defect number Description
2015-04-15 SOLNESS-6641 A search name containing a German umlaut cannot be opened in the Edit Correlation Search view. The JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error)..
Pre-3.2 SOLNESS-6900 Correlation search names cannot be longer than 80 characters long. This is expected behavior.
2016-05-23 SOLNESS-9420
Extreme search causing multiple core dump files
Workaround: Filter results where the size is zero. Edit the problematic context gen search in the configuration file or on the Content Management page to include |where size > 0. For example:
| tstats `summariesonly` dc(All_Traffic.src) as src_count from datamodel=Network_Traffic by _time span=30m | stats count, median(src_count) as median, stdev(src_count) as size | where size>0 | xsupdateddcontext name=src_count_30m container=network_traffic terms="minimal,low,medium,high,extreme" type=median_centered width=3 app=SA-NetworkProtection scope=app | stats count

Dashboards and Reports

Publication date Defect number Description
2016-10-03 SOLNESS-10548 Identity_Management.Expired_User_Activity object does not take the _time of the event into account
2016-01-22 SOLNESS-8252 The dashboard report Traffic - Traffic Over Time By Bytes will fail to load if the calculated average number of bytes exceeds 20 characters.
Workaround: Modify the report to use megabytes instead of bytes.
  1. On Splunk Enterprise, open Settings > Searches and Reports.
  2. Set the app context to "Enterprise Security" and search for "Traffic Over Time By Bytes".
  3. On the Actions column, choose Clone.
  4. Update the search name field with "Traffic - Traffic Over Time By Megabytes".
  5. Replace the |eval statements with:
    | eval min(megabytes)=round('min(bytes)'/1024/1024) | eval max(megabytes)=round('max(bytes)'/1024/1024) | eval avg(megabytes)=round('avg(bytes)'/1024/1024) | fields - min(bytes) max(bytes) avg(bytes)
  6. Save the changes
  7. Update the dashboard to use the new report.
Pre-3.2
When using a drilldown from any dashboard panel, the drilldown displays results slower than the dashboard. This is expected behavior. A drilldown runs a historical search across all indexed events mapped to the data model, where the dashboard view uses only accelerated data model objects for a faster visual response.
Pre-3.2 SOLNESS-3536 In any Individual Reports window, selecting a real-time Time Range such as: 24 hour window, 30 minute window, etc. will cause a display error:

Error in 'tstats' command: This command is not supported in a real-time search.

Workaround: Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes.

Pre-3.2 SOLNESS-4387 When adding a report to a custom dashboard in Enterprise Security, the report's drilldown search may not produce the desired behavior. This includes predefined reports included with Enterprise Security. The drilldown behavior is dependent on the structure of the search, and the search commands being used.
As a workaround, you can test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired.
Pre-3.2 SOLNESS-4631 When using Advanced Threat dashboards, some dashboard views display a yellow warning sign triangle even if the view displays results. The warning reports:
Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv
Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv

This is expected behavior and is harmless. The lookup files referenced in the warning message manages the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening.

Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel. For more information, see "Edit the Per-Panel Filter list" in the Enterprise Security User Manual.

Inputs

Publication date Defect number Description
2015-12-28 SOLNESS-7659 The libtaxii library used by Enterprise Security does not support authenticated proxies. As a workaround, use an unauthenticated proxy if possible.
2016-08-04 SOLNESS-10052
lxml out-of-memory condition when parsing large TAXII feed documents
Workaround: Change the earliest time for the TAXII feed to pull documents with less information, or the maxsize parameter for the threat intelligence manager to allow for a larger byte size of documents in the DA-ESS-ThreatIntelligence/local/inputs.conf file. For example:
[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1y" taxii_username="guest" taxii_password="guest" earliest="-1w"
type = taxii
url = http://hailataxii.com/taxii-data
[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled  = true
maxsize   = 52428800
sinkhole  = false

2016-10-06 SOLNESS-10603 lookup_modinput.py streaming_merge_task fails on import.
An error appears in python_modular_input.log warning that there is No module named identity.
Last modified on 12 October, 2016
Fixed issues for Splunk Enterprise Security   How to find answers and get help

This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters