Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
|Date filed||Issue number||Description|
|2017-01-20||SOLNESS-11375||Simple XML: Editing dashboards via UI with Splunk platform 6.5.x+ results in malformed fieldset ("Search is waiting for input").|
After editing some dashboards, such as the Access Center dashboard, the modified panels can stop updating and instead show "Search is waiting for input."
|2016-10-25||SOLNESS-10729||Unable to access the Setup page for ES 4.5.0 on Splunk 6.5.0 Windows or 6.4.1 Linux|
Workaround: make the `install` module importable by adding the ES `bin` directory to `sys.path`. Replace the import block

```python
import os
import time
from install import getSplunkDbDir
```

with

```python
import os
import sys
import time
from splunk.clilib.bundle_paths import make_splunkhome_path

# Put $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/bin on the module
# search path so that "from install import ..." resolves.
sys.path.append(make_splunkhome_path(["etc", "apps", "SplunkEnterpriseSecuritySuite", "bin"]))
from install import getSplunkDbDir
```
|2016-05-31||SOLNESS-9486||When using the Pushdown Predicates option, if a drilldown search references an evaluated field (for example, src="unknown"), the replacement drilldown search always returns "No results found."|
On the drilldown results page, remove the evaluated field from the search and run it again. Example: the pushdown predicate option changes the drilldown search to:
|Date filed||Issue number||Description|
|2019-07-04||SOLNESS-19368||iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security|
|2019-02-19||SOLNESS-18079||Port And Protocol Tracker Lookup Gen isn't tracking allowed ports|
|2018-03-28||SOLNESS-15033||contentinfo datamodel regex parser for tstats/from is incorrect|
|2018-01-12||SOLNESS-14140, SOLNESS-14154||Custom swimlane searches are not showing output on the investigator dashboards.|
|2018-01-09||SOLNESS-14034||Blank identity_lookup_expanded table stops ES identity data from being updated|
|2017-10-06||SOLNESS-12461||ES installer performs operations on non-existent apps if app is present in state file|
|2017-09-25||SOLNESS-12420||corrupt csv header in identities_expanded.csv|
|2017-06-22||SOLNESS-12151||/services/shcluster calls fail under dev license.|
|2017-04-28||SOLNESS-12021, SOLNESS-12042||Asset and Identity merge issues due to whitespace in source files|
|2017-04-19||SOLNESS-11995||Extractions are not performed for an app imported by a disabled app|
Enable the app or add-on that is disabled.
|2017-03-23||SOLNESS-11818, CIM-526||rest with splunk_server=* does not return information from other search peers; use splunk_server=local|
If you can't upgrade to 4.7.0, use the following workaround:
This workaround prevents the REST search from running on peers that do not have a modular input endpoint, which is what causes the harmless errors.
|2017-03-22||SOLNESS-11808||contentinfo custom search command incorrectly listed as "deprecated"|
Edit the `usage` field for the `contentinfo` custom search command so that its stanza reads:

```
[contentinfo-command]
usage = public
```
|2017-02-24||SOLNESS-11599||Alert emails contain links to non-visible app contexts|
Modify a parameter for the search that produces the alert with the non-functional link.
|2017-02-23||SOLNESS-11587||Searches fail on Windows if the splunk_server name is too long|
Shorten the server name so that the file path used by the search is shorter than 256 characters.
|2017-02-03||SOLNESS-11472||TA-ueba saves outputs.conf to search app|
|2017-02-03||SOLNESS-11473||Asset and Identity Center Category Issue|
|2017-01-26||SOLNESS-11425||General Settings: settings with endpoint defined by different apps are not displayed|
|2017-01-13||SOLNESS-11296||SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+|
Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform.
|2017-01-08||SOLNESS-11253||STIX_Package xml fails to import for US-CERT Automated Indicator Sharing feed|
|2017-01-05||SOLNESS-11245, SOLNESS-11048||Threat Artifacts Showing 0 for File_Intel and IP_Intel|
|2016-12-19||SOLNESS-11175||The getDistance command included with Extreme Search returns out-of date results because the distance lookup file is out of date|
Use the `globedistance` macro included with Enterprise Security for simple lat/long distance calculations instead.
|2016-12-15||SOLNESS-11152||General settings: Link to edit asset and identity settings in manager results in a 404 error|
|2016-12-12||SOLNESS-11113||Incident Review: Edit Job Settings doesn't work|
|2016-12-02||SOLNESS-11005, SOLNESS-11146||Notable Event Statuses do not refresh properly on SHC environments|
Make an explicit reload call to the REST endpoint `/services/alerts/reviewstatuses/_reload` on the search head cluster captain.
|2016-11-22||SOLNESS-10935||Edit correlation searches page does not load when trying to edit correlation searches with special characters (e.g. Long Dash)|
Use standard ASCII characters for correlation search names. Use hyphens instead of em-dashes (—) or en-dashes (–).
|2016-11-08||SOLNESS-10848, SOLNESS-10843||Notable Event Suppressions only shows first 30 results|
Upgrade to a version with this fixed issue (4.5.1 or later) or contact support.
|2016-11-05||SOLNESS-10834, SOLNESS-11236||Configuration check not creating checkpoint file|
|2016-11-04||SOLNESS-10821, CIM-447, CIM-472||ES search commands should log in gmtime()|
|2016-10-27||SOLNESS-10762, APPSC-1916||KSIs without "display.visualizations.singlevalue.underLabel" set won't render in GlassTable|
Add `display.visualizations.singlevalue.underLabel` to the saved search definition in savedsearches.conf.
|2016-10-26||SOLNESS-10747||Lookup editor does not allow scrolling across columns or down rows|
|2016-10-24||SOLNESS-10720||Correlation search "Access - Inactive Account Usage - Rule" does not parse correctly|
|2016-10-14||SOLNESS-10668, SPL-130354||Threatlist Intelligence Audit will only display information from the local SH peer in clustered SH environments|
|2016-10-13||SOLNESS-10660, SOLNESS-10863||Asset correlation missing "ip" field as output field|
|2016-10-12||SOLNESS-10654||ES installation should stop when there is failure at any stage|
|2016-10-11||SOLNESS-10643||Threat Activity: Search waiting for input on Splunk Enterprise 6.5.x|
|2016-10-04||SOLNESS-10561||Notable Suppressions page doesn't display status field on IE11|
|2016-10-04||SOLNESS-10559, SOLNESS-10814||confcheck_failed_threat_download.py throws error stating that "A threat intelligence download has failed" even when the threat download was executed correctly.|
Suppress the false match by adding the following to the configuration check stanza:

```
[configuration_check://confcheck_failed_threat_download]
suppress = (Retrieved document from TAXII feed)
```
|2016-09-29||SOLNESS-10531, SOLNESS-10862||Threat intelligence distributed by hailataxii.com TAXII feed may include invalid leading colons|
Contact the TAXII feed provider to inform them of the malformed data.
|2016-09-26||SOLNESS-10523||Parameter default value not displayed in ARF dialog|
|2016-09-23||SOLNESS-10521, APPSC-1769||Glass table: Ad hoc search does not show earliest time selector.|
|2016-09-22||SOLNESS-10514, SPL-129214||Editing a Splunk Enterprise Security dashboard on 6.5.0 spawns endless submit buttons with custom div|
|2016-09-21||SOLNESS-10507||Update Center panel Top Updates Needed gives an error when there isn't data|
|2016-09-20||SOLNESS-10490, SOLNESS-10405, SOLNESS-10844||Drilldown from Adaptive Responses table on Incident Review fails if a custom adaptive response action includes the drilldown_uri parameter in the param._cam JSON blob but leaves its value blank|
If you do not want to specify a custom drilldown, remove the drilldown_uri parameter from your param._cam JSON block.
|2016-09-20||SOLNESS-10468||Identity Correlation: KV store collection changes not detected.|
Run the Lookup Gen search corresponding to the asset or identity source table that was updated manually:
For assets: "Identity - Asset String Matches - Lookup Gen" and "Identity - Asset CIDR Matches - Lookup Gen".
For identities: "Identity - Identity Matches - Lookup Gen".
|2016-09-19||SOLNESS-10464||Edits to key security indicators do not update until page refresh|
After editing the key indicators and saving the settings, refresh the page.
|2016-09-15||SOLNESS-10443||General Settings does not load on Splunk platform versions before 6.5.0 when minify_js = False in web.conf|
Replace the `minify_js = False` entry in web.conf with `minify_js = True`.
|2016-09-13||SOLNESS-10413, ADDON-11310||ES SHC Upgrade: Upgrading ES to 4.5.x results in Credential Management breaking|
Remove the TA-nessus add-on.
|2016-09-09||SOLNESS-10374, APPSC-1712||Glass table: Threshold editor saves state even when cancelled|
|2016-09-08||SOLNESS-10347||Adaptive response actions fail without a displayed error message|
|2016-08-04||SOLNESS-10052, SOLNESS-9508||lxml out-of-memory condition when parsing large TAXII feed documents|
Change the earliest time for the TAXII feed so that it pulls documents with less information, or raise the `maxsize` parameter on the threat intelligence manager so that larger documents are accepted.

For example, reducing `earliest="-1y"` to `earliest="-1w"` in the threatlist input's `post_args` pulls one week of indicators instead of a year:

```
[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1w" taxii_username="guest" taxii_password="guest"
type = taxii
url = http://hailataxii.com/taxii-data
```

The `maxsize` parameter is set in bytes on the threat intelligence manager stanza (52428800 is 50 MB):

```
[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled = true
maxsize = 52428800
sinkhole = false
```
|2016-07-26||SOLNESS-9979||Asset and Identity Correlation Setup page open unreliably due to config.js error in Firefox|
Reload the page until it works.
|2016-07-06||SOLNESS-9845||Glasstable: After upgrading an imported glass table the user has to delete the glasstable in the lister, disable, and enable the imported GT app for the upgrade to take effect.|
|2016-06-29||SOLNESS-9824||Glasstable importer: After deleting a glasstable that was imported the user can't import it again|
To restore a glass table that was imported as part of an app and then deleted:
The glass table reappears.
|2016-06-10||SOLNESS-9571||The "pushdown predicates" setting does not affect drilldown searches when the `datamodel` macro is not followed by `drop_dm_object_name`|
|2016-05-18||SOLNESS-9391, SOLNESS-8975||Notable events created on assets/identity investigator are missing link back to investigator page|
|2016-05-11||SOLNESS-9311, SOLNESS-11247||Incident Review: form tokens aren't passed to the URL when filtering dashboard.|
|2016-03-18||SOLNESS-8868||Guided Correlation Search editor: aggregates can overwrite each other (Stats view)|
|2016-03-09||SOLNESS-8721||Files attached to an unsaved Note are stored in the KV Store before the user saves the note to the investigation.|
|2016-01-15||SOLNESS-8345||"Edit All Matching Events" getting timeout error when trying to edit large number of events|
|2015-04-16||SOLNESS-6641||A search name containing a German umlaut cannot be opened in the Edit Correlation Search view. The JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error)|
|2015-03-09||SOLNESS-7415||When assigning a notable event, the list of users may be incomplete when using SAML authentication|
Wait 10 minutes after logging in to Splunk Enterprise Security for the list of users to be refreshed.
|2014-10-20||SOLNESS-5676||The Create Notable Event workflow action may result in a truncated notable event with missing fields.|
|2014-10-09||SOLNESS-5610||Dashboard view shows error 'DistributedSearchResultCollectionManager': Operating system thread limit reached; search could not be run.|
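Several of the asset and identity issues above (SOLNESS-12021 and SOLNESS-12042, whitespace in source files; SOLNESS-12420, a corrupt header in identities_expanded.csv; SOLNESS-14034, an empty identity lookup table stopping updates) can be caught before the Lookup Gen searches run. The pre-flight check below is an added example, not Splunk's code and not part of Enterprise Security. It assumes each asset or identity source is a plain CSV with a header row, runs under Python 3 outside Splunk, and uses a constructed sample whose column names are illustrative only.

```python
"""Pre-flight check for Splunk ES asset/identity source CSVs (added example,
not Splunk's code). Flags the conditions the known issues above describe:
whitespace around header names or cell values, blank or malformed header
names, blank rows, and a file with no data rows (which would produce an
empty merged lookup).
"""
import csv
import io

# Constructed sample, not real identity data: the header has a leading space,
# one cell has trailing whitespace, and there is a blank line in the middle.
SAMPLE_IDENTITIES_CSV = (
    " identity,prefix,nick,first,last,email\n"
    "jdoe,,,John,Doe ,jdoe@example.com\n"
    "\n"
    "asmith,,,Alice,Smith,asmith@example.com\n"
)


def check_lookup_csv(text):
    """Return a list of (row, column, problem) tuples for one CSV source.

    row is 0 for the header and 1-based for data rows; column is the header
    name exactly as written in the file (None for row-level problems).
    """
    findings = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(0, None, "file is empty")]

    header = rows[0]
    seen = set()
    for name in header:
        if name != name.strip():
            findings.append((0, name, "header name has surrounding whitespace"))
        if not name.strip():
            findings.append((0, name, "header name is blank"))
        key = name.strip()
        if key in seen:
            findings.append((0, name, "duplicate header name"))
        seen.add(key)

    data_rows = 0
    for lineno, row in enumerate(rows[1:], start=1):
        # csv.reader yields [] for an empty line; treat all-empty rows the same.
        if not row or all(cell == "" for cell in row):
            findings.append((lineno, None, "blank row"))
            continue
        data_rows += 1
        if len(row) != len(header):
            findings.append((lineno, None,
                             "column count %d != header %d" % (len(row), len(header))))
        for name, cell in zip(header, row):
            if cell != cell.strip():
                findings.append((lineno, name, "cell has surrounding whitespace"))

    if data_rows == 0:
        findings.append((0, None, "no data rows; merged lookup would be empty"))
    return findings


def clean_lookup_csv(text):
    """Return a copy with whitespace stripped from every header name and cell
    and blank rows removed, so that check_lookup_csv() reports nothing."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        stripped = [cell.strip() for cell in row]
        if not stripped or all(cell == "" for cell in stripped):
            continue
        writer.writerow(stripped)
    return out.getvalue()


if __name__ == "__main__":
    for finding in check_lookup_csv(SAMPLE_IDENTITIES_CSV):
        print(finding)
    print(clean_lookup_csv(SAMPLE_IDENTITIES_CSV))
```

Run `check_lookup_csv()` over each source file configured in the Asset and Identity Center, correct the findings in the source (or write out `clean_lookup_csv()`'s result), and then run the matching Lookup Gen search as described in the SOLNESS-10468 workaround above so the merged lookup is regenerated.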
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0