Splunk® Enterprise Security

Release Notes

Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed Issue number Description
2017-01-20 SOLNESS-11375 Simple XML: Editing dashboards via UI with Splunk platform 6.5.x+ results in malformed fieldset ("Search is waiting for input").

Workaround:
After editing some dashboards, such as the Access Center dashboard, the modified dashboard panels can stop updating and instead show "Search is waiting for input". To repair the dashboard:
  1. On a dashboard, click Edit to edit the dashboard.
  2. Make changes in the default UI edit mode.
  3. Click Submit to save the changes.
  4. Click Edit to reopen the dashboard editor.
  5. Click Source to edit the XML directly.
  6. Make a copy of the source to back up your changes.
  7. In every location in the XML file where there is an <input type="dropdown">, add <default></default> to the code block. For example:
     <input type="dropdown" token="special">
       <default></default>
     </input>
  8. Click Submit to save your changes.
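As an added example that is not part of the Splunk documentation or the ES code base: a short Python script that applies step 7 to a saved copy of the dashboard source, inserting an empty <default></default> into every <input type="dropdown"> that does not already carry one, so that running it twice changes nothing. The sample dashboard XML inside the script is constructed for illustration only.

```python
"""Apply the SOLNESS-11375 workaround to a Simple XML dashboard source.

Every <input type="dropdown"> that has no <default> child gets an empty
<default></default>; other input types and dropdowns that already carry a
<default> are left untouched, so the script is safe to run more than once.
"""
import xml.etree.ElementTree as ET

# Constructed sample dashboard source (not taken from a real ES dashboard):
# the first dropdown is missing <default>, the second already has one.
SAMPLE_DASHBOARD = """<form>
  <label>Access Center</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="special">
      <label>Special</label>
      <choice value="*">All</choice>
    </input>
    <input type="dropdown" token="already_ok">
      <default>*</default>
    </input>
    <input type="time" token="t"/>
  </fieldset>
</form>
"""


def add_default_to_dropdowns(xml_text: str) -> tuple:
    """Return (patched XML source, number of dropdown inputs patched)."""
    root = ET.fromstring(xml_text)
    patched = 0
    # Materialise the list first so inserting children does not disturb the walk.
    for inp in list(root.iter("input")):
        if inp.get("type") != "dropdown" or inp.find("default") is not None:
            continue
        default = ET.Element("default")
        default.text = ""          # empty value, exactly as in the workaround
        inp.insert(0, default)     # first child, matching the example above
        patched += 1
    # short_empty_elements=False serialises <default></default>, not <default />
    return ET.tostring(root, encoding="unicode", short_empty_elements=False), patched


def count_defaults(xml_text: str) -> int:
    """Number of dropdown inputs that now have a <default> child (for checking)."""
    root = ET.fromstring(xml_text)
    return sum(1 for inp in root.iter("input")
               if inp.get("type") == "dropdown" and inp.find("default") is not None)


if __name__ == "__main__":
    patched_xml, n = add_default_to_dropdowns(SAMPLE_DASHBOARD)
    print(f"patched {n} dropdown input(s)")
    print(patched_xml)
```

Paste the printed source back into the dashboard editor's Source view and click Submit, as in step 8.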


Uncategorized issues

Date filed Issue number Description
2019-02-19 SOLNESS-18079 Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2018-04-15 SOLNESS-15203 Logic for "Should Timesync Host Not Syncing" correlation is faulty
2018-03-28 SOLNESS-15033 contentinfo datamodel regex parser for tstats/from is incorrect
2018-01-18 SOLNESS-14237 500 server error when users without the admin_all_object capability save Identity Lookup Settings.
2018-01-12 SOLNESS-14140, SOLNESS-14154 Custom swimlane searches are not showing output on the investigator dashboards.
2018-01-09 SOLNESS-14034 Blank identity_lookup_expanded table stops ES identity data being updated
2017-10-06 SOLNESS-12461 ES installer performs operations on non-existent apps if app is present in state file
2017-09-25 SOLNESS-12420 corrupt csv header in identities_expanded.csv
2017-06-22 SOLNESS-12151 /services/shcluster calls fail under dev license.
2017-04-28 SOLNESS-12021, SOLNESS-12042 Asset and Identity merge issues due to whitespace in source files
2017-03-30 SOLNESS-11869 confcheck_es_app_version missing from inputs.conf
2017-03-23 SOLNESS-11818, CIM-526 rest with splunk_server=* does not return information from other search peers; use splunk_server=local

Workaround:
If you can't upgrade to 4.7.0, use the following workaround:
  1. Log in to each ES search head (SH) or search head cluster (SHC) member in your environment and perform the following steps on each of them.
    1. Select Audit > Threat Intelligence Audit.
    2. Click Edit and click Source.
    3. Locate all instances of splunk_server=* and replace them with splunk_server=local.
    4. Save your changes.

This workaround stops the REST search from running on search peers that have no modular input endpoint; those peers are the source of the (harmless) errors.


2017-03-22 SOLNESS-11808 contentinfo custom search command incorrectly listed as "deprecated"

Workaround:
Edit the "usage" field for the "contentinfo" custom search command in SA-Utils/local/searchbnf.conf to contain a value of "public":

[contentinfo-command]
usage = public

2017-03-20 SOLNESS-11786, SPL-140442 In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses.

Workaround:
If users cannot perform operations on notable event review statuses, or cannot see the "Edit all selected" links on Incident Review, grant their roles the "edit_roles" capability.

2017-03-10 SOLNESS-11703 Asset correlation: add "ip" output field only to non-CIDR lookups
2017-02-23 SOLNESS-11587 Searches fail on Windows if the Splunk_server name is too long

Workaround:
Shorten the server name so that the file path used by the search is shorter than 256 characters.

2017-02-03 SOLNESS-11472 TA-ueba saves outputs.conf to search app
2017-01-26 SOLNESS-11425 General Settings: settings with endpoint defined by different apps are not displayed
2017-01-24 SOLNESS-11409 IR only edits 1000 events at a time and silently fails to edit events > 1000

Workaround:
Set max_events_per_bucket in limits.conf to a value higher than 1000.

2017-01-20 SOLNESS-11380 IOC Manual Uploads and Parsing Issues
2017-01-20 SOLNESS-11374 Threatlist lookup-gen savedsearches have invalid cron schedule

Workaround:
Edit the cron_schedule of each affected saved search manually. If the default schedule is otherwise fine, remove the extra "*".

2017-01-13 SOLNESS-11296 SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+

Workaround:
Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform.

2017-01-12 SOLNESS-11273 Create Capture page cannot create a new capture
2017-01-11 SOLNESS-11267 Converting between realtime and scheduled correlation searches does not change the search
2017-01-11 SOLNESS-11266 Content Management: enables related searches in improper app context
2017-01-08 SOLNESS-11253 STIX_Package xml fails to import for US-CERT Automated Indicator Sharing feed
2016-12-22 SOLNESS-11192, SOLNESS-10232 Correlation Search Editor: Cannot save after removing email action with invalid address

Workaround:
Clear out the email address field before removing the action.

2016-12-22 SOLNESS-11188 Images attached to Timeline are not displayed on 6.5.x if they are larger than 512KB.
2016-12-21 SOLNESS-11184 Correlation Search Editor: Pressing the "Enter" key leads to unexpected behavior
2016-12-19 SOLNESS-11175 The getDistance command included with Extreme Search returns out-of-date results because the distance lookup file is out of date

Workaround:
Use the `globedistance` macro included with Enterprise Security for simple lat/long distance calculations instead.

2016-12-15 SOLNESS-11163 Threat intel upload: Field values are emptied when an upload fails

Workaround:
Re-enter the field values, correcting the error that caused the upload to fail initially. For instance, when attempting to re-upload a file that has already been uploaded once, ensure that the "Overwrite" box is checked.

2016-12-12 SOLNESS-11113 Incident Review: Edit Job Settings doesn't work
2016-12-12 SOLNESS-11120 When printing a dashboard, key indicators show up large and with the drilldown link in parentheses.
2016-12-07 SOLNESS-11076 Remove Extreme Search context migration task
2016-10-14 SOLNESS-10668, SPL-130354 Threatlist Intelligence Audit will only display information from the local SH peer in clustered SH environments
2016-09-08 SOLNESS-10347 Adaptive response actions fail without a displayed error message
2016-06-29 SOLNESS-9824 Glasstable importer: After deleting a glasstable that was imported the user can't import it again

Workaround:
To restore a glass table that was imported as part of an app and then deleted:
  1. Disable the app.
  2. Wait a few minutes for the app importer to run.
  3. Enable the app.

The glass table reappears.

2016-06-10 SOLNESS-9571 The "pushdown predicates" setting does not affect drilldown searches when the `datamodel` macro is not followed by `drop_dm_object_name`
2016-01-15 SOLNESS-8345 "Edit All Matching Events" getting timeout error when trying to edit large number of events

Workaround:
Increase the splunkdConnectionTimeout value in web.conf from the default of 30 seconds, for example:

[settings]
splunkdConnectionTimeout=120

2015-03-09 SOLNESS-7415 When assigning a notable event, the list of users may be incomplete when using SAML authentication

Workaround:
Wait 10 minutes after logging in to Splunk Enterprise Security for the list of users to be refreshed.

2014-10-20 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.
Last modified on 19 February, 2019

This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only
