Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed Issue number Description
2017-01-20 SOLNESS-11375 Simple XML: Editing dashboards via UI with Splunk platform 6.5.x+ results in malformed fieldset ("Search is waiting for input").

Workaround:
After editing some dashboards, such as the Access Center dashboard, modified dashboard panels can stop updating and instead show "Search is waiting for input". To fix the malformed fieldset:
  1. On a dashboard, click Edit to edit the dashboard.
  2. Make changes in the default UI edit mode.
  3. Click Submit to save the changes.
  4. Click Edit to reopen the dashboard editor.
  5. Click Source to edit the XML directly.
  6. Make a copy of the source to back up your changes.
  7. In every location in the XML file where there is an <input type="dropdown">, add <default></default> inside the input element. For example:
    <input type="dropdown" token="special">
      <default></default>
    </input>
  8. Click Submit to save your changes.
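The following is an added example, not part of Splunk's documentation: a small Python script that applies step 7 to saved dashboard source automatically, adding an empty <default> element to every <input type="dropdown"> that does not already have one and leaving other inputs untouched. The dashboard XML below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Simple XML dashboard fieldset: one dropdown
# without a <default> (the broken case), one that already has it,
# and a text input that must be left alone.
SAMPLE_DASHBOARD_XML = """<form>
  <label>Access Center</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="special">
      <choice value="*">All</choice>
    </input>
    <input type="dropdown" token="action">
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="text" token="user"></input>
  </fieldset>
</form>
"""


def add_missing_dropdown_defaults(xml_text):
    """Return (patched_xml, patched_count).

    Adds an empty <default></default> to every <input type="dropdown">
    that has no <default> child yet. Running it twice is safe: the
    second pass finds nothing to patch.
    """
    root = ET.fromstring(xml_text)
    patched = 0
    # Materialise the list first so appending children during the walk
    # cannot disturb the iteration.
    for inp in list(root.iter("input")):
        if inp.get("type") != "dropdown":
            continue
        if inp.find("default") is not None:
            continue
        ET.SubElement(inp, "default").text = ""
        patched += 1
    # short_empty_elements=False writes <default></default> rather than
    # <default />, matching the form shown in the workaround.
    return ET.tostring(root, encoding="unicode", short_empty_elements=False), patched


if __name__ == "__main__":
    fixed_xml, count = add_missing_dropdown_defaults(SAMPLE_DASHBOARD_XML)
    print("patched dropdown inputs:", count)
    print(fixed_xml)
```

Paste the dashboard source from the editor into a file, run the function on it, and paste the result back before clicking Submit; keep the backup from step 6 in case a dashboard uses an unusual fieldset layout.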


2016-05-31 SOLNESS-9486 When using the Pushdown Predicates option, if a drilldown search references an evaluated field (example: src="unknown"), the replacement drilldown search always returns "No results found."

Workaround:
On the drilldown results page, remove the evaluated field from the search and run it again. Example: the pushdown predicate option changes the drilldown search to:
    | search (index=* OR index=_*) ((`cim_Web_indexes`) tag=web) src="unknown"
Remove the evaluated field and run the search again:
    | search (index=* OR index=_*) ((`cim_Web_indexes`) tag=web) (NOT src=* OR src="unknown")

Uncategorized issues

Date filed Issue number Description
2019-07-04 SOLNESS-19368 iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security
2019-02-19 SOLNESS-18079 Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2018-03-28 SOLNESS-15033 contentinfo datamodel regex parser for tstats/from is incorrect
2018-03-19 SOLNESS-14951, SOLNESS-11683 Correlation Search Editor overrides some custom conf settings 5.0.1
2018-01-12 SOLNESS-14140, SOLNESS-14154 Custom swimlane searches are not showing output on the investigator dashboards.
2018-01-09 SOLNESS-14034 Blank identity_lookup_expanded table stops ES identity data from being updated
2017-10-06 SOLNESS-12461 ES installer performs operations on non-existent apps if app is present in state file
2017-09-25 SOLNESS-12420 corrupt csv header in identities_expanded.csv
2017-08-02 SOLNESS-12253, CIM-561 Additional Field Extractions are not working for a specific Sourcetype
2017-06-22 SOLNESS-12151 /services/shcluster calls fail under dev license.
2017-05-10 SOLNESS-12060 ES 4.5.2 Glass Tables do not load behind apache reverse proxy
2017-04-19 SOLNESS-11995 Extractions are not performed for an app imported by a disabled app

Workaround:
Enable the app or add-on that is disabled.


2017-03-23 SOLNESS-11818, CIM-526 rest with splunk_server=* does not return information from other search peers; use splunk_server=local

Workaround:
If you can't upgrade to 4.7.0, use the following workaround:
  1. Log in to each ES SH or ES SHC member in your environment. For each of those, perform the following steps.
    1. Select Audit > Threat Intelligence Audit.
    2. Click Edit and click Source.
    3. Locate all instances of splunk_server=* and replace them with splunk_server=local
    4. Save your changes.

This workaround prevents the REST search from running on the peers that do not have a modular input endpoint, which is what causes the harmless errors.


2017-03-22 SOLNESS-11808 contentinfo custom search command incorrectly listed as "deprecated"

Workaround:
Edit the "usage" field for the "contentinfo" custom search command in SA-Utils/local/searchbnf.conf to contain a value of "public".


[contentinfo-command]
usage       = public


2017-03-20 SOLNESS-11786, SPL-140442 In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses.

Workaround:
If users cannot perform operations on notable event review statuses or have issues viewing "Edit all selected" links on Incident Review, user roles must be provided with "edit_roles" capability.
2017-02-24 SOLNESS-11590 Upgrade to 4.5.2 broke correlation searches using map_notable_fields

Workaround:
  1. Check for and remove local overrides that change the behavior of the `map_notable_fields` macro.
  2. Remove the `map_notable_fields` macro from existing correlation searches, as it is deprecated and the notable.py script performs these field transformations automatically.


2017-02-24 SOLNESS-11599 Alert emails contain links to non-visible app contexts

Workaround:
Modify a parameter for the search that produces the alert with the non-functional link.
  1. Edit the savedsearches.conf stanza for the search that produces the alert.
  2. Add the following parameter to the search:
    request.ui_dispatch_app = search
2017-02-23 SOLNESS-11587 Searches fail on Windows if the Splunk server name is too long

Workaround:
Shorten the server name so that the file path used by the search is shorter than 256 characters.
2017-01-18 SOLNESS-11359 Unable to use tokens with spaces for drill down searches in Incident Review

Workaround:
Use standard field names without spaces (e.g. signature) so that standard tokens (e.g. $signature$) can be referenced.
2017-01-13 SOLNESS-11296 SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+

Workaround:
Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform.
2017-01-08 SOLNESS-11253 STIX_Package xml fails to import for US-CERT Automated Indicator Sharing feed
2016-12-19 SOLNESS-11175 The getDistance command included with Extreme Search returns out-of-date results because the distance lookup file is out of date

Workaround:
Use the `globedistance` macro included with Enterprise Security for simple lat/long distance calculations instead.
2016-11-04 SOLNESS-10821, CIM-447, CIM-472 ES search commands should log in gmtime()
2016-10-27 SOLNESS-10762, APPSC-1916 KSIs without "display.visualizations.singlevalue.underLabel" set won't render in GlassTable

Workaround:
Add "display.visualizations.singlevalue.underLabel" to the savedsearch definition in savedsearches.conf.
2016-10-24 SOLNESS-10720 Correlation search "Access - Inactive Account Usage - Rule" does not parse correctly
2016-10-14 SOLNESS-10668, SPL-130354 Threatlist Intelligence Audit will only display information from the local SH peer in clustered SH environments
2016-10-12 SOLNESS-10654 ES installation should stop when there is failure at any stage
2016-10-04 SOLNESS-10561 Notable Suppressions page doesn't display status field on IE11
2016-09-26 SOLNESS-10523 Parameter default value not displayed in ARF dialog
2016-09-23 SOLNESS-10521, APPSC-1769 Glass table: Ad hoc search does not show earliest time selector.
2016-09-22 SOLNESS-10514, SPL-129214 Editing a Splunk Enterprise Security dashboard on 6.5.0 spawns endless submit buttons with custom div
2016-09-21 SOLNESS-10507 Update Center panel Top Updates Needed gives an error when there isn't data
2016-09-20 SOLNESS-10468 Identity Correlation: KV store collection changes not detected.

Workaround:
Manually run the Lookup Gen search corresponding to the asset or identity source table that was updated.

For assets:

[Identity - Asset String Matches - Lookup Gen]
[Identity - Asset CIDR Matches - Lookup Gen]

For identities:

[Identity - Identity Matches - Lookup Gen]
2016-09-19 SOLNESS-10464 Edits to key security indicators do not update until page refresh

Workaround:
After editing the key indicators and saving the settings, refresh the page.
2016-09-15 SOLNESS-10443 General Settings does not load on Splunk platform versions before 6.5.0 when minify_js = False in web.conf

Workaround:
Replace the minify_js=False entry in web.conf with minify_js=True
2016-09-13 SOLNESS-10413, ADDON-11310 ES SHC Upgrade: Upgrading ES to 4.5.x results in Credential Management breaking

Workaround:
Remove the TA-nessus passwords.conf file from the deployer before applying the cluster bundle:
$SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_nessus/local/passwords.conf
2016-09-09 SOLNESS-10374, APPSC-1712 Glass table: Threshold editor saves state even when cancelled
2016-09-08 SOLNESS-10347 Adaptive response actions fail without a displayed error message
2016-08-04 SOLNESS-10052, SOLNESS-9508 lxml out-of-memory condition when parsing large TAXII feed documents

Workaround:
Either change the earliest time for the TAXII feed so that it pulls documents containing less information, or raise the maxsize parameter for the threat intelligence manager to allow a larger document byte size. Both settings live in the DA-ESS-ThreatIntelligence/local/inputs.conf file. For example:
[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1y" taxii_username="guest" taxii_password="guest" earliest="-1w"
type = taxii
url = http://hailataxii.com/taxii-data
[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled  = true
maxsize   = 52428800
sinkhole  = false
2016-06-29 SOLNESS-9824 Glasstable importer: After deleting a glasstable that was imported the user can't import it again

Workaround:
To restore a glass table that was imported as part of an app and then deleted:
  1. Disable the app.
  2. Wait a few minutes for the app importer to run.
  3. Enable the app.

The glass table reappears.

2016-06-10 SOLNESS-9571 The "pushdown predicates" setting does not affect drilldown searches when the `datamodel` macro is not followed by `drop_dm_object_name`
2016-05-18 SOLNESS-9391, SOLNESS-8975 Notable events created on assets/identity investigator are missing link back to investigator page
2016-03-18 SOLNESS-8868 Guided Correlation Search editor: aggregates can overwrite each other (Stats view)
2016-03-09 SOLNESS-8721 Files attached to an unsaved Note are stored in the KV Store before the user saves the note to the investigation.
2016-01-15 SOLNESS-8345 "Edit All Matching Events" getting timeout error when trying to edit large number of events

Workaround:
Increase the splunkdConnectionTimeout value from the default of 30 seconds in web.conf.
[settings]
splunkdConnectionTimeout=120
2015-04-16 SOLNESS-6641 A search name containing a German umlaut cannot be opened in the Edit Correlation Search view. The JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error)
2015-03-09 SOLNESS-7415 When assigning a notable event, the list of users may be incomplete when using SAML authentication

Workaround:
Wait 10 minutes after logging in to Splunk Enterprise Security for the list of users to be refreshed.
2014-10-20 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.
2014-10-09 SOLNESS-5610 Dashboard view shows error 'DistributedSearchResultCollectionManager': Operating system thread limit reached; search could not be run.

Workaround:
Modify the max user processes ulimit to be less restrictive. See "I get errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting manual.
Last modified on 09 April, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.2, 4.5.3
