Known issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Highlighted issues
Publication date | Issue number | Description |
---|---|---|
2016-05-09 | SOLNESS-9159 | On a search head running Splunk Enterprise 6.3.x, after the 4.1 upgrade is complete, selecting objects from the "SplunkEnterpriseSecuritySuite" app on the Content Management page in ES redirects you to the Enterprise Security post-install configuration page. |
4.1.0 | SOLNESS-8806 | When installing or upgrading to Splunk Enterprise Security 4.1.0 on Windows, the installer UI can stop at "Disabling Apps" and never finish. Workaround: Restart the ES installation from the CLI on the search head. To start an ES install or upgrade at the command line, type `splunk search "\| essinstall" -auth admin:password`. The installation or upgrade process is logged in $SPLUNK_HOME/var/log/splunk/essinstaller2.log. |
4.1.0 | SOLNESS-8781 | When upgrading ES, any enabled correlation searches that were custom configured to skip notable event creation revert to creating notable events by default. For example, a correlation search that creates a risk modifier or sends an email will now create a risk modifier and a notable event, or send an email and create a notable event. Workaround: Before upgrading, note the enabled correlation searches that do not create notable events. Use this search: After upgrading, disable notable event creation for those correlation searches. |
4.1.0 | SOLNESS-8919 | Some searches provided with Enterprise Security will not work on buckets with reduced TSIDX files. For a list of the searches, see TSIDX reduction compatibility in the Splunk Enterprise Security Installation and Upgrade Manual. |
Hardware prerequisites
Publication date | Issue number | Description |
---|---|---|
Pre-3.2 | — | A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run. This is expected behavior when the max user processes ulimit is too restrictive for the current load on the Splunk environment. See "Errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting Manual. |
Incident Review
Publication date | Issue number | Description |
---|---|---|
2016-10-03 | SOLNESS-10552 | Incident Review default time range set to "All time". |
3.2.1 | — | Immediately after upgrading Enterprise Security, the Incident Review dashboard may not display notable events. The migration from a .csv file to the KV Store feature includes a brief wait time to initialize the system, so the first time ES comes up after the post-setup restart there is a period during which Incident Review is unusable. The dashboard becomes usable within a couple of minutes after the migration completes. |
Pre-3.2 | SOLNESS-2508 | The Incident Review dashboard feature does not work on the Solaris operating system. |
Pre-3.2 | SOLNESS-5072 | The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required. |
2016-06-09 | SOLNESS-8167 | When sorting notable events by Urgency, if the total number of notable events on the page exceeds 1000, some notable events will not be displayed. Workaround: Change the limits.conf setting max_events_per_bucket from its default to a value greater than 1000. |
2014-11-19 | SOLNESS-5676 | The Create Notable Event workflow action may result in a truncated notable event with missing fields. |
2015-01-15 | SOLNESS-6054 | The format of Incident Review audit data has been optimized. To review Incident Review audit events created prior to ES 3.2.1, update your audit search as needed and add the latest extractions. Example: `index=_audit sourcetype=incident_review \| rex field=_raw "^(?<end_time>[^,]*),(?<rule_id>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<status>[^,]*),(?<comment>[^,]*),(?<user>[^,]*),(?<rule_name>[^,]*)"` |
3.2.1 | SOLNESS-7415 | The list of users that can be assigned a notable event may be incomplete if ES is accessed using SAML authentication. To see a full list of users that can be assigned a notable event, wait 10 minutes after logging in for the list of users to be refreshed. |
4.1.0 | SOLNESS-8345 | "Edit All Matching Events" gets a timeout error when trying to edit a large number of events. Workaround: Increase the splunkdConnectionTimeout value from the default of 30 seconds in web.conf. |
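The SOLNESS-6054 entry above gives a rex extraction for the pre-3.2.1 comma-separated Incident Review audit format. The following Python is an added example, not part of the Splunk documentation or of Enterprise Security: it applies the same regular expression outside Splunk (for instance to an exported audit log) and reports lines that do not fit the format. The sample audit lines are constructed for the example and are not real audit data. Note the caveat the rex carries with it: every field is matched with `[^,]*`, so a comma inside a comment shifts the remaining fields.

```python
import re
from typing import Dict, List, Optional, Tuple

# The rex from the SOLNESS-6054 entry, using Python's (?P<name>...) group syntax.
AUDIT_RE = re.compile(
    r"^(?P<end_time>[^,]*),(?P<rule_id>[^,]*),(?P<owner>[^,]*),"
    r"(?P<urgency>[^,]*),(?P<status>[^,]*),(?P<comment>[^,]*),"
    r"(?P<user>[^,]*),(?P<rule_name>[^,]*)"
)

# Constructed sample lines in the pre-3.2.1 comma-separated layout (not real
# audit events). The last line deliberately does not match the format.
SAMPLE_AUDIT_LINES = [
    "1420000000,AccessRule-1420000000.1,analyst1,high,2,Looks like brute force,"
    "analyst1,Brute Force Access Behavior Detected",
    "1420000300,ThreatRule-1420000300.7,unassigned,critical,1,,admin,"
    "Threat Activity Detected",
    "not an audit line",
]


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the eight extracted fields for one audit line, or None if the
    line does not match the pre-3.2.1 format."""
    match = AUDIT_RE.match(line)
    if match is None:
        return None
    return match.groupdict()


def parse_audit_lines(lines: List[str]) -> Tuple[List[Dict[str, str]], int]:
    """Parse many lines; return (parsed records, count of lines that did not
    match) so a reviewer can see how much of the audit trail was recovered."""
    parsed: List[Dict[str, str]] = []
    unmatched = 0
    for line in lines:
        record = parse_audit_line(line)
        if record is None:
            unmatched += 1
        else:
            parsed.append(record)
    return parsed, unmatched


def status_changes_by_user(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count audit records per acting user, the usual first question when
    reviewing who changed notable events."""
    counts: Dict[str, int] = {}
    for record in records:
        counts[record["user"]] = counts.get(record["user"], 0) + 1
    return counts


if __name__ == "__main__":
    records, unmatched = parse_audit_lines(SAMPLE_AUDIT_LINES)
    print(f"parsed {len(records)} records, {unmatched} unmatched")
    for record in records:
        print(record["rule_name"], "->", record["status"], "by", record["user"])
    print(status_changes_by_user(records))
```

An `unmatched` count above zero after a bulk parse usually means the lines are already in the post-3.2.1 format (or contain commas inside fields), in which case the search needs the newer extractions rather than this rex.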
Installation and Upgrade
Publication date | Issue number | Description |
---|---|---|
2016-09-29 | SOLNESS-10532 | An indentation error in the app_imports_update.py script prevents the modular input from starting, so content is imported improperly or not at all. Workaround: Edit the file /opt/splunk/etc/apps/SA-Utils/bin/app_imports_update.py and change line 56: remove one space so that def lines up with the @ on line 55. |
2016-07-27 | SOLNESS-9553 | Upgrade to 4.1 hangs on deprecating add-ons and generates a 400 error in the essinstaller2.log when attempting to disable apps. Workaround: Change the local app.conf setting allows_disable = false to allows_disable = true, then try the upgrade again. |
2016-05-06 | SOLNESS-9227 | After completing the upgrade of Enterprise Security, the Correlation Search Editor can display configurations inconsistent with pre-upgrade settings if the search migration process is still running. To review the status of the migration operation, search: |
Pre-3.2 | CIM-169 | After installing the Enterprise Security app, the splunkd.log displays a warning message: [splunkd_remote_searches] TRUNCATE = 0 |
Configuration
Publication date | Issue number | Description |
---|---|---|
2016-05-23 | SOLNESS-9420 | Extreme Search causes multiple core dump files. Workaround: Filter out results where the size is zero. Edit the problematic context gen search in the configuration file or on the Content Management page to include `\| where size > 0`. For example: ``\| tstats `summariesonly` dc(All_Traffic.src) as src_count from datamodel=Network_Traffic by _time span=30m \| stats count, median(src_count) as median, stdev(src_count) as size \| where size>0 \| xsupdateddcontext name=src_count_30m container=network_traffic terms="minimal,low,medium,high,extreme" type=median_centered width=3 app=SA-NetworkProtection scope=app \| stats count`` |
2015-04-15 | SOLNESS-6641 | A search name containing a German umlaut cannot be opened in the Edit Correlation Search view. The JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error). |
Pre-3.2 | SOLNESS-6900 | Correlation search names cannot be longer than 80 characters long. This is expected behavior. |
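The SOLNESS-9420 workaround above guards the context gen search with `| where size > 0`: when every src_count in a 30-minute window is identical, stdev is 0 and there is no spread on which to center a context. The Python below is an added example, not Splunk or Extreme Search code: it reproduces the stats step (count, median, stdev as size) for a few constructed windows, drops the ones a zero size would reject, and only then builds the context parameters. The five evenly spaced term centers are an illustrative assumption for the example, not the boundaries the real xsUpdateDDContext command computes.

```python
import statistics
from typing import Dict, List, Optional

# Term names from the context gen search quoted in the SOLNESS-9420 entry.
TERMS = ["minimal", "low", "medium", "high", "extreme"]

# Constructed sample windows of src_count values (not real traffic data).
# The second window is the degenerate case: identical counts, stdev 0.
SAMPLE_WINDOWS: Dict[str, List[float]] = {
    "2016-05-23T10:00": [10, 12, 14, 20, 9],
    "2016-05-23T10:30": [7, 7, 7, 7],
    "2016-05-23T11:00": [3],
}


def context_from_counts(src_counts: List[float], width: float = 3.0) -> Optional[Dict[str, object]]:
    """Mirror `stats count, median(src_count) as median, stdev(src_count) as size`
    followed by `where size > 0`. Returns None when there is no usable size
    (fewer than two samples, or a standard deviation of 0), which is the input
    the page's workaround keeps away from xsUpdateDDContext."""
    if len(src_counts) < 2:
        return None                          # SPL stdev() needs at least two values
    median = statistics.median(src_counts)
    size = statistics.stdev(src_counts)      # sample standard deviation, as SPL stdev()
    if not size > 0:
        return None                          # all samples identical: nothing to center on
    # Assumption for illustration only: spread the five terms evenly across
    # median +/- width * size. The real command's term boundaries may differ.
    step = (2 * width * size) / (len(TERMS) - 1)
    centers = {term: median - width * size + i * step for i, term in enumerate(TERMS)}
    return {"count": len(src_counts), "median": median, "size": size, "centers": centers}


def contexts_to_update(windows: Dict[str, List[float]]) -> Dict[str, Dict[str, object]]:
    """Apply the guard across every window; windows with no usable size are
    dropped instead of being passed on as a zero-width context."""
    result: Dict[str, Dict[str, object]] = {}
    for label, counts in windows.items():
        ctx = context_from_counts(counts)
        if ctx is not None:
            result[label] = ctx
    return result


if __name__ == "__main__":
    for label, ctx in contexts_to_update(SAMPLE_WINDOWS).items():
        print(label, "median", ctx["median"], "size", round(ctx["size"], 3))
        for term, center in ctx["centers"].items():
            print("   ", term, round(center, 2))
```

The same shape applies to any context gen search that feeds a median and a spread into Extreme Search: check the spread before the update command, not after.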
Dashboards and Reports
Publication date | Issue number | Description |
---|---|---|
2016-09-29 | SOLNESS-10534 | The Identity_Management.Expired_User_Activity object does not take the _time of the event into account. |
4.1.0 | SOLNESS-8468 | Some dashboards return “no search provided” when using the Export to PDF button. Use the browser print menu to save as PDF. The following dashboards are affected: Risk Analysis, User Activity, UBA Anomalies, Threat Activity, Threat Artifacts, URL Length Analysis, Traffic Size Analysis, New Domain Analysis, HTTP User Agent Analysis, Update Center, Endpoint Changes, Time Center, System Center, Malware Operations, Default Accounts, Account Management, Access Tracker, Access Center, Network Changes, Web Center, Vulnerability Operations, Traffic Center, Session Center, and Forwarder Audit. |
4.1.0 | SOLNESS-8665 | Not all drill down links included for UBA Anomalies are valid for Splunk UBA version 2.1.2. |
4.1.0 | SOLNESS-8536 | Some UBA anomalies that display in ES cannot be found in Splunk UBA after drilling down to Splunk UBA. |
4.1.0 | SOLNESS-8721 | Files attached to an unsaved Note are stored in the KV Store before the user saves the note to the investigation. |
4.1.0 | SOLNESS-8782 | After removing an attachment from a note, the list view for the timeline still shows an attachment icon. |
Pre-3.2 | — | When using a drilldown from any dashboard panel, the drilldown displays results more slowly than the dashboard. This is expected behavior. A drilldown runs a historical search across all indexed events mapped to the data model, whereas the dashboard view uses only accelerated data model objects for a faster visual response. |
Pre-3.2 | SOLNESS-3536 | In any Individual Reports window, selecting a real-time Time Range such as 24 hour window, 30 minute window, etc. causes a display error: |
Pre-3.2 | SOLNESS-4387 | When adding a report to a custom dashboard in Enterprise Security, the report's drilldown search may not produce the desired behavior. This includes predefined reports included with Enterprise Security. The drilldown behavior is dependent on the structure of the search, and the search commands being used. As a workaround, you can test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired. |
Pre-3.2 | SOLNESS-4631 | When using Advanced Threat dashboards, some dashboard views display a yellow warning triangle even if the view displays results. The warning reports: Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv This is expected behavior and is harmless. The lookup files referenced in the warning message manage the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening. Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel. For more information, see "Edit the Per-Panel Filter list" in the Enterprise Security User Manual. |
2016-04-27 | SOLNESS-8895 | Asset lookup fields configured with INDEXED_VALUE = false, such as host_bunit and host_category, will slow down searching. |
Inputs
Publication date | Issue number | Description |
---|---|---|
2015-12-28 | SOLNESS-7659 | The libtaxii library used by Enterprise Security does not support authenticated proxies. As a workaround, use an unauthenticated proxy if possible. |
2016-08-04 | SOLNESS-10052 | lxml out-of-memory condition when parsing large TAXII feed documents. Workaround: Change the earliest time for the TAXII feed so that it pulls documents with less information, or change the maxsize parameter for the threat intelligence manager in the DA-ESS-ThreatIntelligence/local/inputs.conf file to allow a larger document byte size. For example: |
[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1y" taxii_username="guest" taxii_password="guest" earliest="-1w"
type = taxii
url = http://hailataxii.com/taxii-data
[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled = true
maxsize = 52428800
sinkhole = false
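The SOLNESS-10052 workaround above is a matter of two settings in inputs.conf: the earliest time in the feed's post_args and the manager's maxsize. The Python below is an added example, not part of Enterprise Security or the Splunk documentation: it reads a constructed copy of the two stanzas shown above with the standard library configparser, pulls the key="value" pairs out of post_args, flags keys that appear more than once (the sample stanza carries earliest twice, so which value applies is ambiguous and worth resolving before tuning), and checks a document size against maxsize before a parser is ever handed the document. The stanza names and keys are those on the page; the size check is the example's own.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed copy of the stanzas shown in the SOLNESS-10052 entry
# (values as printed there; not read from a live system).
SAMPLE_INPUTS_CONF = """
[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1y" taxii_username="guest" taxii_password="guest" earliest="-1w"
type = taxii
url = http://hailataxii.com/taxii-data

[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled = true
maxsize = 52428800
sinkhole = false
"""

# post_args is a run of key="value" tokens; values are double-quoted.
POST_ARG_RE = re.compile(r'(\w+)="([^"]*)"')


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse .conf text. Interpolation is off so $SPLUNK_HOME and other
    literal values pass through untouched; key case is preserved."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def parse_post_args(value: str) -> Tuple[Dict[str, str], List[str]]:
    """Split post_args into a dict (last occurrence wins) and a list of keys
    that occurred more than once, so duplicates are visible rather than silent."""
    args: Dict[str, str] = {}
    duplicates: List[str] = []
    for key, val in POST_ARG_RE.findall(value):
        if key in args and key not in duplicates:
            duplicates.append(key)
        args[key] = val
    return args, duplicates


def taxii_feed_report(text: str) -> Dict[str, Dict[str, object]]:
    """Summarise every enabled-or-not threatlist stanza of type taxii:
    its collection, the earliest value it will send, and duplicate keys."""
    parser = load_conf(text)
    report: Dict[str, Dict[str, object]] = {}
    for section in parser.sections():
        if not section.startswith("threatlist://"):
            continue
        if parser.get(section, "type", fallback="") != "taxii":
            continue
        args, duplicates = parse_post_args(parser.get(section, "post_args", fallback=""))
        report[section] = {
            "collection": args.get("collection"),
            "earliest": args.get("earliest"),
            "duplicate_post_args": duplicates,
        }
    return report


def manager_maxsize(text: str, stanza: str = "threat_intelligence_manager://sa_threat_local") -> int:
    """Return the manager's maxsize in bytes."""
    return load_conf(text).getint(stanza, "maxsize")


def document_within_maxsize(document_bytes: int, text: str) -> bool:
    """Size gate: only documents no larger than maxsize should reach the XML parser."""
    return document_bytes <= manager_maxsize(text)


if __name__ == "__main__":
    for name, info in taxii_feed_report(SAMPLE_INPUTS_CONF).items():
        print(name, info)
    limit = manager_maxsize(SAMPLE_INPUTS_CONF)
    print("maxsize:", limit, "bytes =", limit // (1024 * 1024), "MiB")
    print("60 MiB document allowed:", document_within_maxsize(60 * 1024 * 1024, SAMPLE_INPUTS_CONF))
```

Raising maxsize only moves the point at which lxml runs out of memory; narrowing earliest so the feed returns fewer records is the change that actually shrinks the document.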
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.2