This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
Known issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
| Date filed | Issue number | Description |
|---|---|---|
| 2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports |
| 2019-02-11 | SOLNESS-17956 | Identity Correlation modification will not save on SHC |
| 2019-02-07 | SOLNESS-17946 | Security Domains CSV (security_domains.csv) overwritten during upgrade |
| 2018-09-18 | SOLNESS-16563 | globedistance macro units syntax does not match usage in summary gen search Workaround: The following syntax for Access - Geographically Improbable Access - Summary Gen: eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,"m")`
eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,units)` |
| 2018-04-15 | SOLNESS-15203 | Logic for "Should Timesync Host Not Syncing" correlation is faulty |
| 2018-04-10 | SOLNESS-15132, SOLNESS-15100 | Correlation Search Guided Mode UI: Truncating Datamodel list because of missing count |
| 2018-03-28 | SOLNESS-15033 | contentinfo datamodel regex parser for tstats/from is incorrect |
| 2018-02-13 | SOLNESS-14603 | Splunk_SA_CIM version 4.10.0 is lower than required 4.9.1 Workaround: Suppress the message via inputs.conf ## $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf [configuration_check://confcheck_es_app_version] suppress = Splunk_SA_CIM |
| 2018-02-13 | SOLNESS-14596 | TA-cef: (KV_MODE=auto) does not properly extract CEF events |
| 2018-01-22 | SOLNESS-14285 | Assets identity correlation setup: automatic lookup for asset str matching misses "dvc_ip" and "src_ip" as output fields. |
| 2018-01-18 | SOLNESS-14237 | 500 server error when users without admin_all_object capability saves Identity Lookup Setting. |
| 2018-01-12 | SOLNESS-14140, SOLNESS-14154 | Custom swimlane searches are not showing output on the investigator dashboards. |
| 2018-01-09 | SOLNESS-14034 | Blank identitiy_lookup_expanded table stops ES identity data being updated |
| 2017-12-07 | SOLNESS-13840 | Investigation print displays Dec 31, 1969 4:00 PM as a secondary timestamp for all entries. |
| 2017-10-30 | SOLNESS-12543 | When Printing Investigation, events include start and end times, but end times are epoch=0 |
| 2017-10-16 | SOLNESS-12495 | Investigations does not appear in ES navigation menu toolbar after upgrade to 4.7.x. Workaround: Because the Investigations page was renamed in 4.6.x and the navigation editor now respects local overrides, the My Investigations page disappears from the navigation and the Investigations page does not replace it. To add the Investigations page to the navigation, select Config > General > Navigation and add the Investigations view to the navigation in Splunk Enterprise Security. |
| 2017-10-06 | SOLNESS-12461 | ES installer performs operations on non-existent apps if app is present in state file |
| 2017-10-04 | SOLNESS-12457 | Failed TAXII threat feed poll collection doesn't show in Threat Intel Audit |
| 2017-09-25 | SOLNESS-12420 | corrupt csv header in identities_expanded.csv |
| 2017-09-13 | SOLNESS-12384 | mvtruncate looks at "src" regardless of what's passed to $input$ |
| 2017-08-11 | SOLNESS-12282 | Asset/Identity Center --> Identity Information Panel is filtering out results improperly |
| 2017-08-07 | SOLNESS-12271 | Threat Intel CRUD API: GET operation should not require _key value. |
| 2017-08-04 | SOLNESS-12261 | ES custom search commands using chunked protocol do not work correctly on windows (failed search or truncated results) |
| 2017-07-06 | SOLNESS-12187 | Splunk no longer shows a useful error message from modular inputs that use external validation |
| 2017-06-30 | SOLNESS-12194 | Adaptive Response: Email action uses wrong message parameter (should use action.email.message.alert) Workaround: Update line 34 of SA-ThreatIntelligence/appserver/static/js/components/response/EmailModularAlert.js Original: suffix: 'report', Updated: suffix: 'alert', |
| 2017-06-22 | SOLNESS-12151 | /services/shcluster calls fail under dev license. |
| 2017-06-22 | SOLNESS-12157, SOLNESS-12158 | confcheck_es_app_version generating errors prematurely |
| 2017-06-20 | SOLNESS-12142, SOLNESS-12149 | Error saving correlation search in correlation editor due to invalid alert_comparator Workaround: If an invalid alert_comparator message is observed when saving a correlation search, simply adjust the "Trigger Conditions" portion of the Correlation Search Editor to the desired values (even if the current form values are the desired values). This will permit the correlation search to be saved. |
| 2017-06-20 | SOLNESS-12141 | Custom fields not showing up in Incident review after upgrade to 4.7.0 Workaround: As of 4.7.0, Incident Review uses a saved search "Incident Review - Main" to retrieve notable events. You will need to reimplement any customizations previously made to the "notable" macro in the context of this saved search. |
| 2017-06-16 | SOLNESS-12133 | Identity Manager: AttributeError 'NoneType' object has no attribute 'get' |
| 2017-05-24 | SOLNESS-12086, SOLNESS-12107 | error when trying to remove windows duration field |
| 2017-05-18 | SOLNESS-12074, SOLNESS-12071 | Set notable "Drill-down latest offset"=1m while editing correlation search causes stuck in "saving" status |
| 2017-05-10 | SOLNESS-12057, SOLNESS-12048 | Incident review is capped at 10000 events after upgrading from 4.5.1 to 4.7.0 |
| 2017-05-07 | SOLNESS-12049 | Double quote in correlation search name causes "unknown" notable description in Incident Review dashboard Workaround: Remove the double quote from the correlation search name. |
| 2017-05-05 | SOLNESS-12046 | Error while loading Glass Table. File contains parsing errors Workaround: Verify that the syntax in web.conf is correct. |
| 2017-05-05 | SOLNESS-12045, SOLNESS-12077 | Upgrade from 4.5.2 to 4.7, incorrect threatlist download failure notifications Workaround: Edit splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below: --- confcheck_failed_threat_download.old.py +++ confcheck_failed_threat_download.py @@ -33,7 +33,7 @@ messages = [] - job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest) + job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest) while elapsed < srch_timeout:
if job.isDone:
if job.resultCount > 0 or job.eventCount > 0:
|
| 2017-04-28 | SOLNESS-12021, SOLNESS-12042 | Asset and Identity merge issues due to whitespace in source files |
| 2017-04-28 | SOLNESS-12024, SOLNESS-12055 | confcheck_es_app_version exited with code 3 |
| 2017-04-14 | SOLNESS-11988 | Nav Editor: Cancel button doesn't work |
| 2017-04-05 | SOLNESS-11913 | Glasstable searches containing | rest may display inaccurate results on Core Splunk 6.6+Workaround: Log in as a user who is a member of or inherits the "admin" role to ensure that the data presented in the Glass Table view is complete. |
| 2017-04-04 | SOLNESS-11908 | The Splunk Cloud admin role sc_admin is unable to perform UBA Setup Workaround: Contact Splunk Support to set up the Splunk UBA integration. |
| 2017-03-30 | SOLNESS-11872 | Session Center Page : UBA tab : Export to PDF does not include UBA results |
| 2017-01-13 | SOLNESS-11296 | SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+ Workaround: Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform. |
| 2016-12-22 | SOLNESS-11188 | Images attached to Timeline are not displayed on 6.5.x if they are larger than 512KB. |
| 2016-12-12 | SOLNESS-11120 | When printing a dashboard, key indicators show up large and with the drilldown link in parentheses. |
| 2016-10-14 | SOLNESS-10668, SPL-130354 | Threatlist Intelligence Audit will only display information from the local SH peer in clustered SH environments |
Last modified on 13 May, 2021
| Fixed issues for Splunk Enterprise Security | How to find answers and get help with Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1
Download manual
Feedback submitted, thanks!