Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
|Date filed||Issue number||Description|
|2017-01-20||SOLNESS-11375||Simple XML: Editing dashboards via UI with Splunk platform 6.5.x+ results in malformed fieldset ("Search is waiting for input").|
After editing some dashboards, such as the Access Center dashboard, the modified panels can stop updating and instead show "Search is waiting for input".
|Date filed||Issue number||Description|
|2019-02-19||SOLNESS-18079||Port And Protocol Tracker Lookup Gen isn't tracking allowed ports|
|2018-04-15||SOLNESS-15203||Logic for "Should Timesync Host Not Syncing" correlation is faulty|
|2018-03-28||SOLNESS-15033||contentinfo datamodel regex parser for tstats/from is incorrect|
|2018-01-18||SOLNESS-14237||500 server error when a user without the admin_all_objects capability saves Identity Lookup Settings.|
|2018-01-12||SOLNESS-14140, SOLNESS-14154||Custom swimlane searches are not showing output on the investigator dashboards.|
|2018-01-09||SOLNESS-14034||Blank identity_lookup_expanded table stops ES identity data from being updated|
|2017-10-06||SOLNESS-12461||ES installer performs operations on non-existent apps if app is present in state file|
|2017-09-25||SOLNESS-12420||corrupt csv header in identities_expanded.csv|
|2017-06-22||SOLNESS-12151||/services/shcluster calls fail under dev license.|
|2017-04-28||SOLNESS-12021, SOLNESS-12042||Asset and Identity merge issues due to whitespace in source files|
|2017-03-30||SOLNESS-11869||confcheck_es_app_version missing from inputs.conf|
|2017-03-23||SOLNESS-11818, CIM-526||rest with splunk_server=* does not return information from other search peers; use splunk_server=local|
If you can't upgrade to 4.7.0, use the following workaround:
The workaround prevents the REST search from running on search peers that lack a modular input endpoint, which is what produces the (harmless) errors.
|2017-03-22||SOLNESS-11808||contentinfo custom search command incorrectly listed as "deprecated"|
Edit the "usage" field in the "contentinfo" custom search command stanza so that it reads:
    [contentinfo-command]
    usage = public
|2017-03-20||SOLNESS-11786, SPL-140442||In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses.|
If users cannot perform operations on notable event review statuses, or cannot see the "Edit all selected" links on Incident Review, grant the affected roles the "edit_roles" capability. Note that "edit_roles" also lets members of that role edit roles and change user/role mappings, so grant it only to the roles that actually need to work with review statuses.
|2017-03-10||SOLNESS-11703||Asset correlation: add "ip" output field only to non-CIDR lookups|
|2017-02-23||SOLNESS-11587||Searches fail on Windows if the splunk_server name is too long|
Shorten the server name so that the file path used by the search is shorter than 256 characters.
|2017-02-03||SOLNESS-11472||TA-ueba saves outputs.conf to search app|
|2017-01-26||SOLNESS-11425||General Settings: settings with endpoint defined by different apps are not displayed|
|2017-01-24||SOLNESS-11409||IR only edits 1000 events at a time and silently fails to edit events > 1000|
Set max_events_per_bucket in limits.conf to a value higher than 1000.
|2017-01-20||SOLNESS-11380||IOC Manual Uploads and Parsing Issues|
|2017-01-20||SOLNESS-11374||Threatlist lookup-gen savedsearches have invalid cron schedule|
Edit the cron_schedule of the affected saved searches manually. If the default schedule is otherwise fine, the fix is to remove one surplus "*" so that the expression has the five fields Splunk expects.
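The following script finds saved searches whose cron_schedule does not have five fields and applies the "remove one surplus *" fix. It is an added example, not code from the Splunk Enterprise Security documentation or product; the stanza names and the savedsearches.conf excerpt it parses are constructed for illustration, and it assumes the only defect is an extra trailing "*" field (any other malformed schedule is reported but left for manual correction).

```python
"""Check savedsearches.conf cron_schedule values for the wrong field count.

Added example (not Splunk's code). Assumes: Splunk cron expressions have
exactly five fields (minute hour day-of-month month day-of-week), and the
broken schedules carry one surplus trailing "*" as the workaround implies.
"""
import configparser

CRON_FIELDS = 5

# Constructed sample savedsearches.conf: stanza names are hypothetical.
SAMPLE_CONF = """\
[Threat - Threatlist Lookup Gen - Sample A]
cron_schedule = 0 * * * *
search = | inputlookup threatlist_a

[Threat - Threatlist Lookup Gen - Sample B]
cron_schedule = 0 * * * * *
search = | inputlookup threatlist_b

[Threat - Threatlist Lookup Gen - Sample C]
cron_schedule = 0 0 * * 1-5 *
search = | inputlookup threatlist_c
"""


def _parse_conf(conf_text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; disable interpolation so '%' in
    # search strings is left alone, and keep key case as written.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def find_bad_schedules(conf_text: str) -> dict:
    """Return {stanza: cron_schedule} for every schedule without 5 fields."""
    cp = _parse_conf(conf_text)
    bad = {}
    for stanza in cp.sections():
        sched = cp.get(stanza, "cron_schedule", fallback=None)
        if sched is not None and len(sched.split()) != CRON_FIELDS:
            bad[stanza] = sched
    return bad


def fix_schedule(sched: str) -> str:
    """Drop surplus trailing '*' fields until five remain.

    Anything that still is not five fields afterwards is returned as-is,
    so the caller can tell it needs a manual edit.
    """
    fields = sched.split()
    while len(fields) > CRON_FIELDS and fields[-1] == "*":
        fields.pop()
    return " ".join(fields)


def fixed_schedules(conf_text: str) -> dict:
    """Map each bad stanza to its corrected schedule (or the original if unfixable)."""
    return {s: fix_schedule(v) for s, v in find_bad_schedules(conf_text).items()}


if __name__ == "__main__":
    for stanza, sched in find_bad_schedules(SAMPLE_CONF).items():
        fixed = fix_schedule(sched)
        status = "fixed" if len(fixed.split()) == CRON_FIELDS else "NEEDS MANUAL EDIT"
        print(f"{stanza}: '{sched}' -> '{fixed}' [{status}]")
```

Sample A passes untouched, Sample B is repaired to `0 * * * *`, and Sample C is flagged but left alone because its surplus field is not a trailing `*` that can be dropped safely. Run it against a copy of the app's savedsearches.conf rather than the live file, and apply the corrected values through the saved search editor or a local override so the changes survive an upgrade.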
|2017-01-13||SOLNESS-11296||SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+|
Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform.
|2017-01-12||SOLNESS-11273||Create Capture page cannot create a new capture|
|2017-01-11||SOLNESS-11267||Converting between realtime and scheduled correlation searches does not change the search|
|2017-01-11||SOLNESS-11266||Content Management: enables related searches in improper app context|
|2017-01-08||SOLNESS-11253||STIX_Package xml fails to import for US-CERT Automated Indicator Sharing feed|
|2016-12-22||SOLNESS-11192, SOLNESS-10232||Correlation Search Editor: Cannot save after removing email action with invalid address|
Clear the email address field before removing the action.
|2016-12-22||SOLNESS-11188||Images attached to Timeline are not displayed on 6.5.x if they are larger than 512KB.|
|2016-12-21||SOLNESS-11184||Correlation Search Editor: Pressing the "Enter" key leads to unexpected behavior|
|2016-12-19||SOLNESS-11175||The getDistance command included with Extreme Search returns out-of-date results because the distance lookup file is out of date|
Use the `globedistance` macro included with Enterprise Security for simple lat/long distance calculations instead.
|2016-12-15||SOLNESS-11163||Threat intel upload: Field values are emptied when an upload fails|
Re-enter the field values, correcting the error that caused the upload to fail initially. For instance, when attempting to re-upload a file that has already been uploaded once, ensure that the "Overwrite" box is checked.
|2016-12-12||SOLNESS-11113||Incident Review: Edit Job Settings doesn't work|
|2016-12-12||SOLNESS-11120||When printing a dashboard, key indicators show up large and with the drilldown link in parentheses.|
|2016-12-07||SOLNESS-11076||Remove Extreme Search context migration task|
|2016-10-14||SOLNESS-10668, SPL-130354||Threatlist Intelligence Audit will only display information from the local SH peer in clustered SH environments|
|2016-09-08||SOLNESS-10347||Adaptive response actions fail without a displayed error message|
|2016-06-29||SOLNESS-9824||Glasstable importer: After deleting a glasstable that was imported the user can't import it again|
To restore a glass table that was imported as part of an app and then deleted:
The glass table reappears.
|2016-06-10||SOLNESS-9571||The "pushdown predicates" setting does not affect drilldown searches when the `datamodel` macro is not followed by `drop_dm_object_name`|
|2016-01-15||SOLNESS-8345||"Edit All Matching Events" getting timeout error when trying to edit large number of events|
|2015-03-09||SOLNESS-7415||When assigning a notable event, the list of users may be incomplete when using SAML authentication|
Wait 10 minutes after logging in to Splunk Enterprise Security for the list of users to be refreshed.
|2014-10-20||SOLNESS-5676||The Create Notable Event workflow action may result in a truncated notable event with missing fields.|
This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only