Splunk® Enterprise Security

Release Notes


This documentation does not apply to the most recent version of ES.

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed Issue number Description
2017-01-20 SOLNESS-11375 Simple XML: Editing dashboards via UI with Splunk platform 6.5.x+ results in malformed fieldset ("Search is waiting for input").

Workaround:
After editing some dashboards, such as the Access Center dashboard, the modified dashboard panels can stop updating and instead show "Search is waiting for input".
  1. On a dashboard, click Edit to edit the dashboard.
  2. Make changes in the default UI edit mode.
  3. Click Submit to save the changes.
  4. Click Edit to reopen the dashboard editor.
  5. Click Source to edit the XML directly.
  6. Make a copy of the source to back up your changes.
  7. In every location in the XML file where there is an <input type="dropdown">, add <default></default> to the code block. For example:
    <input type="dropdown" token="special">
    <default></default>
    </input>
  8. Click Submit to save your changes.
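The same edit can be applied programmatically rather than by hand in the Source editor. The script below is an added example, not part of the Splunk documentation or the ES app: it parses a Simple XML dashboard, adds an empty <default> child to every <input type="dropdown"> that lacks one, and leaves inputs that already carry a default untouched. The sample dashboard embedded in it is constructed for the demonstration.

```python
# Added example (not from the Splunk docs or the ES app): patch a Simple XML
# dashboard so every <input type="dropdown"> carries a <default> child, which
# is the SOLNESS-11375 workaround applied in code instead of in the editor.
import xml.etree.ElementTree as ET


def add_missing_defaults(simple_xml):
    """Return (patched XML string, number of dropdown inputs patched)."""
    root = ET.fromstring(simple_xml)
    patched = 0
    # .iter() visits inputs inside <fieldset> and panel-level <input>s alike
    for inp in root.iter("input"):
        if inp.get("type") != "dropdown":
            continue
        if inp.find("default") is not None:
            continue  # already has a default; never clobber an existing value
        default = ET.SubElement(inp, "default")
        default.text = ""  # serialises as an empty <default /> element
        patched += 1
    return ET.tostring(root, encoding="unicode"), patched


# Constructed sample dashboard: one dropdown without a default, one with,
# plus a time input that must be ignored.
SAMPLE_DASHBOARD = """<form>
  <label>Access Center</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="special">
      <choice value="*">All</choice>
    </input>
    <input type="dropdown" token="action">
      <default>success</default>
    </input>
    <input type="time" token="time"/>
  </fieldset>
</form>"""

if __name__ == "__main__":
    xml_out, count = add_missing_defaults(SAMPLE_DASHBOARD)
    print("patched %d dropdown input(s)" % count)
    print(xml_out)
```

Running the script a second time over its own output patches nothing, so it is safe to apply to a dashboard that was already partly fixed by hand.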


2016-10-25 SOLNESS-10729 Unable to access the Setup page for ES 4.5.0 on Splunk 6.5.0 Windows or 6.4.1 Linux

Workaround:

Edit SplunkEnterpriseSecuritySuite\bin\install\deploy_modinput_refresh.py and replace the import block as follows.

Old:

import os
import time
from install import getSplunkDbDir

New:

import os
import sys
import time

from splunk.clilib.bundle_paths import make_splunkhome_path
sys.path.append(make_splunkhome_path(["etc", "apps",
    "SplunkEnterpriseSecuritySuite", "bin"]))
from install import getSplunkDbDir


2016-05-31 SOLNESS-9486 When using the Pushdown Predicates option, if a drilldown search references an evaluated field (example: src="unknown"), the replacement drilldown search will always return "No results found."

Workaround:
On the drilldown results page, remove the evaluated field from the search and run it again. Example: the pushdown predicate option changes the drilldown search to:

| search (index=* OR index=_*) ((`cim_Web_indexes`) tag=web) src="unknown"

Remove the evaluated field and run the search again:

| search (index=* OR index=_*) ((`cim_Web_indexes`) tag=web) (NOT src=* OR src="unknown")

Uncategorized issues

Date filed Issue number Description
2019-02-19 SOLNESS-18079 Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2018-03-28 SOLNESS-15033 contentinfo datamodel regex parser for tstats/from is incorrect
2018-01-12 SOLNESS-14140, SOLNESS-14154 Custom swimlane searches are not showing output on the investigator dashboards.
2018-01-09 SOLNESS-14034 Blank identity_lookup_expanded table stops ES identity data being updated
2017-10-06 SOLNESS-12461 ES installer performs operations on non-existent apps if app is present in state file
2017-09-25 SOLNESS-12420 corrupt csv header in identities_expanded.csv
2017-06-22 SOLNESS-12151 /services/shcluster calls fail under dev license.
2017-04-28 SOLNESS-12021, SOLNESS-12042 Asset and Identity merge issues due to whitespace in source files
2017-04-19 SOLNESS-11995 Extractions are not performed for an app imported by a disabled app

Workaround:
Enable the app or add-on that is disabled.


2017-03-23 SOLNESS-11818, CIM-526 rest with splunk_server=* does not return information from other search peers; use splunk_server=local

Workaround:
If you can't upgrade to 4.7.0, use the following workaround:
  1. Log in to each ES SH or ES SHC member in your environment. For each of those, perform the following steps.
    1. Select Audit > Threat Intelligence Audit.
    2. Click Edit and click Source.
    3. Locate all instances of splunk_server=* and replace them with splunk_server=local
    4. Save your changes.

This workaround prevents the REST search from being run on the peers that don't have a modular input endpoint, which is what causes the harmless errors.


2017-03-22 SOLNESS-11808 contentinfo custom search command incorrectly listed as "deprecated"

Workaround:
Edit the "usage" field for the "contentinfo" custom search command in SA-Utils/local/searchbnf.conf to contain a value of "public".


[contentinfo-command]
usage       = public


2017-02-24 SOLNESS-11599 Alert emails contain links to non-visible app contexts

Workaround:
Modify a parameter for the search that produces the alert with the non-functional link.
  1. Edit the savedsearches.conf stanza for the search that produces the alert.
  2. Add the following parameter to the search:
    request.ui_dispatch_app = search

2017-02-23 SOLNESS-11587 Searches fail on Windows if the Splunk_server name is too long

Workaround:
Shorten the server name so that the file path used by the search is shorter than 256 characters.
2017-02-03 SOLNESS-11472 TA-ueba saves outputs.conf to search app
2017-02-03 SOLNESS-11473 Asset and Identity Center Category Issue
2017-01-26 SOLNESS-11425 General Settings: settings with endpoint defined by different apps are not displayed
2017-01-13 SOLNESS-11296 SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+

Workaround:
Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform.
2017-01-08 SOLNESS-11253 STIX_Package xml fails to import for US-CERT Automated Indicator Sharing feed
2017-01-05 SOLNESS-11245, SOLNESS-11048 Threat Artifacts Showing 0 for File_Intel and IP_Intel
2016-12-19 SOLNESS-11175 The getDistance command included with Extreme Search returns out-of-date results because the distance lookup file is out of date

Workaround:
Use the `globedistance` macro included with Enterprise Security for simple lat/long distance calculations instead.
2016-12-15 SOLNESS-11152 General settings: Link to edit asset and identity settings in manager results in a 404 error
2016-12-12 SOLNESS-11113 Incident Review: Edit Job Settings doesn't work
2016-12-02 SOLNESS-11005, SOLNESS-11146 Notable Event Statuses do not refresh properly on SHC environments

Workaround:
Make an explicit reload call on the SHC captain/master via /services/alerts/reviewstatuses/_reload
2016-11-22 SOLNESS-10935 Edit correlation searches page does not load when trying to edit correlation searches with special characters (e.g. Long Dash)

Workaround:
Use standard ASCII characters for correlation search names. Use hyphens instead of em-dashes (—) or en-dashes (–).
2016-11-08 SOLNESS-10848, SOLNESS-10843 Notable Event Suppressions only shows first 30 results

Workaround:
Upgrade to a version with this fixed issue (4.5.1 or later) or contact support.
2016-11-05 SOLNESS-10834, SOLNESS-11236 Configuration check not creating checkpoint file
2016-11-04 SOLNESS-10821, CIM-447, CIM-472 ES search commands should log in gmtime()
2016-10-27 SOLNESS-10762, APPSC-1916 KSIs without "display.visualizations.singlevalue.underLabel" set won't render in GlassTable

Workaround:
Add "display.visualizations.singlevalue.underLabel" to the savedsearch definition in savedsearches.conf.
2016-10-26 SOLNESS-10747 Lookup editor does not allow scrolling across columns or down rows
2016-10-24 SOLNESS-10720 Correlation search "Access - Inactive Account Usage - Rule" does not parse correctly
2016-10-14 SOLNESS-10668, SPL-130354 Threatlist Intelligence Audit will only display information from the local SH peer in clustered SH environments
2016-10-13 SOLNESS-10660, SOLNESS-10863 Asset correlation missing "ip" field as output field
2016-10-12 SOLNESS-10654 ES installation should stop when there is failure at any stage
2016-10-11 SOLNESS-10643 Threat Activity: Search waiting for input on Splunk Enterprise 6.5.x

Workaround:
Click Submit.
2016-10-04 SOLNESS-10561 Notable Suppressions page doesn't display status field on IE11
2016-10-04 SOLNESS-10559, SOLNESS-10814 confcheck_failed_threat_download.py throws error stating that "A threat intelligence download has failed" even when the threat download was executed correctly.

Workaround:
Suppress the false alarm with a configuration check override in DA-ESS-ThreatIntelligence/local/inputs.conf:
[configuration_check://confcheck_failed_threat_download]
suppress = (Retrieved document from TAXII feed)
2016-09-29 SOLNESS-10531, SOLNESS-10862 Threat intelligence distributed by hailataxii.com TAXII feed may include invalid leading colons

Workaround:
Contact the TAXII feed provider to inform them of the malformed data.
2016-09-26 SOLNESS-10523 Parameter default value not displayed in ARF dialog
2016-09-23 SOLNESS-10521, APPSC-1769 Glass table: Ad hoc search does not show earliest time selector.
2016-09-22 SOLNESS-10514, SPL-129214 Editing a Splunk Enterprise Security dashboard on 6.5.0 spawns endless submit buttons with custom div
2016-09-21 SOLNESS-10507 Update Center panel Top Updates Needed gives an error when there isn't data
2016-09-20 SOLNESS-10490, SOLNESS-10405, SOLNESS-10844 Drilldown from Adaptive Responses table on Incident Review fails if a custom adaptive response action includes the drilldown_uri parameter in the param._cam JSON blob but leaves its value blank

Workaround:
If you do not want to specify a custom drilldown, remove the drilldown_uri parameter from your param._cam JSON block.
2016-09-20 SOLNESS-10468 Identity Correlation: KV store collection changes not detected.

Workaround:
Run the Lookup Gen search corresponding to the asset or identity source table that was updated manually.

For assets:

[Identity - Asset String Matches - Lookup Gen]
[Identity - Asset CIDR Matches - Lookup Gen]

For identities:

[Identity - Identity Matches - Lookup Gen]
2016-09-19 SOLNESS-10464 Edits to key security indicators do not update until page refresh

Workaround:
After editing the key indicators and saving the settings, refresh the page.
2016-09-15 SOLNESS-10443 General Settings does not load on Splunk platform versions before 6.5.0 when minify_js = False in web.conf

Workaround:
Replace the minify_js=False entry in web.conf with minify_js=True
2016-09-13 SOLNESS-10413, ADDON-11310 ES SHC Upgrade: Upgrading ES to 4.5.x results in Credential Management breaking

Workaround:
Remove the TA-nessus passwords.conf file from the deployer before applying the cluster bundle: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_nessus/local/passwords.conf
2016-09-09 SOLNESS-10374, APPSC-1712 Glass table: Threshold editor saves state even when cancelled
2016-09-08 SOLNESS-10347 Adaptive response actions fail without a displayed error message
2016-08-04 SOLNESS-10052, SOLNESS-9508 lxml out-of-memory condition when parsing large TAXII feed documents

Workaround:
In the DA-ESS-ThreatIntelligence/local/inputs.conf file, either move the earliest time for the TAXII feed closer to now so that it pulls fewer documents, or raise the maxsize parameter of the threat intelligence manager so that it accepts documents with a larger byte size. For example:
[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1y" taxii_username="guest" taxii_password="guest" earliest="-1w"
type = taxii
url = http://hailataxii.com/taxii-data
[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled  = true
maxsize   = 52428800
sinkhole  = false
2016-07-26 SOLNESS-9979 Asset and Identity Correlation Setup page open unreliably due to config.js error in Firefox

Workaround:
Reload the page until it works.
2016-07-06 SOLNESS-9845 Glasstable: After upgrading an imported glass table the user has to delete the glasstable in the lister, disable, and enable the imported GT app for the upgrade to take effect.
2016-06-29 SOLNESS-9824 Glasstable importer: After deleting a glasstable that was imported the user can't import it again

Workaround:
To restore a glass table that was imported as part of an app and then deleted:
  1. Disable the app.
  2. Wait a few minutes for the app importer to run.
  3. Enable the app.

The glass table reappears.

2016-06-10 SOLNESS-9571 The "pushdown predicates" setting does not affect drilldown searches when the `datamodel` macro is not followed by `drop_dm_object_name`
2016-05-18 SOLNESS-9391, SOLNESS-8975 Notable events created on assets/identity investigator are missing link back to investigator page
2016-05-11 SOLNESS-9311, SOLNESS-11247 Incident Review: form tokens aren't passed to the URL when filtering dashboard.
2016-03-18 SOLNESS-8868 Guided Correlation Search editor: aggregates can overwrite each other (Stats view)
2016-03-09 SOLNESS-8721 Files attached to an unsaved Note are stored in the KV Store before the user saves the note to the investigation.
2016-01-15 SOLNESS-8345 "Edit All Matching Events" getting timeout error when trying to edit large number of events

Workaround:
Increase the splunkdConnectionTimeout value from the default of 30 seconds in web.conf.
[settings]
splunkdConnectionTimeout=120
2015-04-16 SOLNESS-6641 A search name containing a German umlaut cannot be opened in the Edit Correlation Search view. The JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error)
2015-03-09 SOLNESS-7415 When assigning notable events, the list of users may be incomplete when using SAML authentication

Workaround:
Wait 10 minutes after logging in to Splunk Enterprise Security for the list of users to be refreshed.
2014-10-20 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.
2014-10-09 SOLNESS-5610 Dashboard view shows error 'DistributedSearchResultCollectionManager': Operating system thread limit reached; search could not be run.

Workaround:
Modify the max user processes ulimit to be less restrictive. See "I get errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting manual.

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0


Comments

Thanks, @Rdjoraev. Fixed.

Andrewb splunk, Splunker
April 10, 2017

There is a typo in the inputs.conf name under the Workaround section for bug
SOLNESS-10814, SOLNESS-10559
Please change it from:
Filter via DA-ESS-ThreatIntelligence/local/input.sconf
To:
Filter via DA-ESS-ThreatIntelligence/local/inputs.conf

Rdjoraev splunk, Splunker
April 10, 2017

Thanks @christianfaltoni!
I promoted the issue to a highlighted issue, and added your feedback.
Thanks!
Sarah

Smoir splunk, Splunker
October 31, 2016

We had the same issue (SOLNESS-10729) with Splunk for Linux Version 6.4.1
After upgrading ES to 4.5.0 and starting to use the wizard for configuration, ES gave a blank page.
The workaround described worked. Thanks.

Christianfaltoni
October 31, 2016
