Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Highlighted issues
Date filed | Issue number | Description |
---|---|---|
2017-01-20 | SOLNESS-11375 | Simple XML: Editing dashboards via UI with Splunk platform 6.5.x+ results in malformed fieldset ("Search is waiting for input"). Workaround: After editing some dashboards, such as the Access Center dashboard, modified dashboard panels could stop updating and instead show "Search is waiting for input". |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports |
2018-04-15 | SOLNESS-15203 | Logic for "Should Timesync Host Not Syncing" correlation is faulty |
2018-03-28 | SOLNESS-15033 | contentinfo datamodel regex parser for tstats/from is incorrect |
2018-01-18 | SOLNESS-14237 | 500 server error when users without admin_all_object capability save Identity Lookup Setting. |
2018-01-12 | SOLNESS-14140, SOLNESS-14154 | Custom swimlane searches are not showing output on the investigator dashboards. |
2018-01-09 | SOLNESS-14034 | Blank identity_lookup_expanded table stops ES identity data being updated |
2017-10-06 | SOLNESS-12461 | ES installer performs operations on non-existent apps if app is present in state file |
2017-09-25 | SOLNESS-12420 | corrupt csv header in identities_expanded.csv |
2017-06-22 | SOLNESS-12151 | /services/shcluster calls fail under dev license. |
2017-04-28 | SOLNESS-12021, SOLNESS-12042 | Asset and Identity merge issues due to whitespace in source files |
2017-03-30 | SOLNESS-11869 | confcheck_es_app_version missing from inputs.conf |
2017-03-23 | SOLNESS-11818, CIM-526 | rest with splunk_server=* does not return information from other search peers; use splunk_server=local Workaround: If you can't upgrade to 4.7.0, use the following workaround:
This workaround prevents the REST search from being run on the peers that don't have a modular input endpoint, which is causing the harmless errors.
|
2017-03-22 | SOLNESS-11808 | contentinfo custom search command incorrectly listed as "deprecated" Workaround: Edit the "usage" field for the "contentinfo" custom search command in SA-Utils/local/searchbnf.conf to contain a value of "public": `[contentinfo-command]` `usage = public` |
2017-03-20 | SOLNESS-11786, SPL-140442 | In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses. Workaround: If users cannot perform operations on notable event review statuses or have issues viewing "Edit all selected" links on Incident Review, user roles must be provided with "edit_roles" capability. |
2017-03-10 | SOLNESS-11703 | Asset correlation: add "ip" output field only to non-CIDR lookups |
2017-02-23 | SOLNESS-11587 | Searches fail on Windows if the Splunk_server name is too long Workaround: Shorten the server name so that the file path used by the search is shorter than 256 characters. |
2017-02-03 | SOLNESS-11472 | TA-ueba saves outputs.conf to search app |
2017-01-26 | SOLNESS-11425 | General Settings: settings with endpoint defined by different apps are not displayed |
2017-01-24 | SOLNESS-11409 | IR only edits 1000 events at a time and silently fails to edit events > 1000 Workaround: Set max_events_per_bucket in limits.conf to a value higher than 1000. |
2017-01-20 | SOLNESS-11380 | IOC Manual Uploads and Parsing Issues |
2017-01-20 | SOLNESS-11374 | Threatlist lookup-gen savedsearches have invalid cron schedule Workaround: Edit the savedsearches cron_schedule manually. Remove one "*" if the default schedule is fine. |
2017-01-13 | SOLNESS-11296 | SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+ Workaround: Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform. |
2017-01-12 | SOLNESS-11273 | Create Capture page cannot create a new capture |
2017-01-11 | SOLNESS-11267 | Converting between realtime and scheduled correlation searches does not change the search |
2017-01-11 | SOLNESS-11266 | Content Management: enables related searches in improper app context |
2017-01-08 | SOLNESS-11253 | STIX_Package xml fails to import for US-CERT Automated Indicator Sharing feed |
2016-12-22 | SOLNESS-11192, SOLNESS-10232 | Correlation Search Editor: Cannot save after removing email action with invalid address Workaround: Clear out the email address field before removing the action |
2016-12-22 | SOLNESS-11188 | Images attached to Timeline are not displayed on 6.5.x if they are larger than 512KB. |
2016-12-21 | SOLNESS-11184 | Correlation Search Editor: Pressing the "Enter" key leads to unexpected behavior |
2016-12-19 | SOLNESS-11175 | The getDistance command included with Extreme Search returns out-of-date results because the distance lookup file is out of date Workaround: Use the `globedistance` macro included with Enterprise Security for simple lat/long distance calculations instead. |
2016-12-15 | SOLNESS-11163 | Threat intel upload: Field values are emptied when an upload fails Workaround: Re-enter the field values, correcting the error that caused the upload to fail initially. For instance, when attempting to re-upload a file that has already been uploaded once, ensure that the "Overwrite" box is checked. |
2016-12-12 | SOLNESS-11113 | Incident Review: Edit Job Settings doesn't work |
2016-12-12 | SOLNESS-11120 | When printing a dashboard, key indicators show up large and with the drilldown link in parentheses. |
2016-12-07 | SOLNESS-11076 | Remove Extreme Search context migration task |
2016-10-14 | SOLNESS-10668, SPL-130354 | Threatlist Intelligence Audit will only display information from the local SH peer in clustered SH environments |
2016-09-08 | SOLNESS-10347 | Adaptive response actions fail without a displayed error message |
2016-06-29 | SOLNESS-9824 | Glasstable importer: After deleting a glasstable that was imported the user can't import it again Workaround: To restore a glass table that was imported as part of an app and then deleted:
The glass table reappears. |
2016-06-10 | SOLNESS-9571 | The "pushdown predicates" setting does not affect drilldown searches when the `datamodel` macro is not followed by `drop_dm_object_name` |
2016-01-15 | SOLNESS-8345 | "Edit All Matching Events" getting timeout error when trying to edit large number of events Workaround: Increase the splunkdConnectionTimeout value from the default of 30 seconds in web.conf: `[settings]` `splunkdConnectionTimeout=120` |
2015-03-09 | SOLNESS-7415 | When assigning notable events, the list of users may be incomplete when using SAML authentication Workaround: Wait 10 minutes after logging in to Splunk Enterprise Security for the list of users to be refreshed. |
2014-10-20 | SOLNESS-5676 | The Create Notable Event workflow action may result in a truncated notable event with missing fields. |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only