Known issues for Splunk Enterprise Security
This version of Splunk Enterprise Security has the following known issues and workarounds. Issues are listed in all relevant sections. Some issues may appear more than once.
Date filed | Issue number | Description |
---|---|---|
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports |
2018-11-26 | SOLNESS-17110 | ES notable events have urgencies that are not listed in the urgency lookup. |
2018-09-18 | SOLNESS-16563 | globedistance macro units syntax does not match usage in summary gen search. Workaround: In Access - Geographically Improbable Access - Summary Gen, change `` eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) \| dedup key, user \| `globedistance(src_lat,src_long,dest_lat,dest_long,"m")` `` to `` eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" \| dedup key, user \| `globedistance(src_lat,src_long,dest_lat,dest_long,units)` `` |
2018-06-01 | SOLNESS-15565 | Incident Review: Notable Event with urgency=unknown not showing up. Workaround: Don't allow notable events to take on invalid/unknown urgencies by overriding the "get_urgency" macro in SA-ThreatIntelligence/local/macros.conf: `[get_urgency]` `` definition = eval severity=if(isnotnull(severity),lower(severity),"unknown"),`get_priority_meval` \| lookup local=true urgency_lookup priority,severity OUTPUT urgency \| fillnull value="informational" urgency `` |
2018-05-23 | SOLNESS-15509 | Threat Intel - Downloaded AIS TAXII file does not contain expected results due to TZ settings |
2018-04-19 | SOLNESS-15245 | Empty Adaptive Response Action dropdown |
2018-03-28 | SOLNESS-15033 | contentinfo datamodel regex parser for tstats/from is incorrect |
2018-03-20 | SOLNESS-14964 | ES correlation searches export feature generates wrong settings for counttype, relation and quantity Workaround: Manually fix wrong names generated by correlation search export. |
2018-03-15 | SOLNESS-14899 | "triggered_alert_count" is not supported by this handler error when attempting to change throttling window duration |
2018-02-13 | SOLNESS-14603 | Splunk_SA_CIM version 4.10.0 is lower than required 4.9.1. Workaround: Suppress the message in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf: `[configuration_check://confcheck_es_app_version]` `suppress = Splunk_SA_CIM` |
2018-02-13 | SOLNESS-14596 | TA-cef: (KV_MODE=auto) does not properly extract CEF events |
2018-01-22 | SOLNESS-14285 | Assets identity correlation setup: automatic lookup for asset str matching misses "dvc_ip" and "src_ip" as output fields. |
2018-01-18 | SOLNESS-14237 | 500 server error when users without the admin_all_object capability save the Identity Lookup Setting. |
2018-01-12 | SOLNESS-14140, SOLNESS-14154 | Custom swimlane searches are not showing output on the investigator dashboards. |
2018-01-09 | SOLNESS-14034 | Blank identity_lookup_expanded table stops ES identity data from being updated |
2018-01-05 | SOLNESS-14017 | Cannot add custom KPI to Glasstable when using the default value of current_count. |
2017-12-07 | SOLNESS-13840 | Investigation print displays Dec 31, 1969 4:00 PM as a secondary timestamp for all entries. |
2017-10-30 | SOLNESS-12543 | When Printing Investigation, events include start and end times, but end times are epoch=0 |
2017-10-16 | SOLNESS-12495 | Investigations page does not appear in the ES navigation menu toolbar after upgrade to 4.7.x. Workaround: Because the Investigations page was renamed in 4.6.x and the navigation editor now respects local overrides, the My Investigations page disappears from the navigation and the Investigations page does not replace it. To add the Investigations page to the navigation, select Config > General > Navigation and add the Investigations view to the navigation in Splunk Enterprise Security. |
2017-10-06 | SOLNESS-12461 | ES installer performs operations on non-existent apps if app is present in state file |
2017-09-25 | SOLNESS-12420 | corrupt csv header in identities_expanded.csv |
2017-09-13 | SOLNESS-12384 | mvtruncate looks at "src" regardless of what's passed to $input$ |
2017-09-06 | SOLNESS-12365 | Multi-value field expansion in the asset lookup (IP, DNS, or MAC fields separated by a pipe) does not work. |
2017-08-24 | SOLNESS-12314 | Report "Memory Utilization By System" converts mem, mem_used and mem_free to GB assuming the values are in bytes |
2017-08-11 | SOLNESS-12282 | Asset/Identity Center --> Identity Information Panel is filtering out results improperly |
2017-08-07 | SOLNESS-12271 | Threat Intel CRUD API: GET operation should not require _key value. |
2017-08-04 | SOLNESS-12261 | ES custom search commands using the chunked protocol do not work correctly on Windows (failed search or truncated results) |
2017-07-31 | SOLNESS-12242 | Enterprise Security Glass Tables fail to load |
2017-07-26 | SOLNESS-12233 | After app upgrade, admin loses permission to view post-install page of ES. |
2017-06-30 | SOLNESS-12194 | Adaptive Response: Email action uses wrong message parameter (should use action.email.message.alert). Workaround: Update line 34 of SA-ThreatIntelligence/appserver/static/js/components/response/EmailModularAlert.js. Original: `suffix: 'report',` Updated: `suffix: 'alert',` |
2017-06-22 | SOLNESS-12151 | /services/shcluster calls fail under dev license. |
2017-05-07 | SOLNESS-12049 | Double quote in correlation search name causes "unknown" notable description in Incident Review dashboard Workaround: Remove the double quote from the correlation search name. |
2017-04-14 | SOLNESS-11988 | Nav Editor: Cancel button doesn't work |
2017-04-05 | SOLNESS-11913 | Glasstable searches containing `\| rest` may display inaccurate results on Core Splunk 6.6+. Workaround: Log in as a user who is a member of or inherits the "admin" role to ensure that the data presented in the Glass Table view is complete. |
2017-03-30 | SOLNESS-11872 | Session Center Page : UBA tab : Export to PDF does not include UBA results |
2017-01-13 | SOLNESS-11296 | SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+ Workaround: Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform. |
2016-12-22 | SOLNESS-11188 | Images attached to Timeline are not displayed on 6.5.x if they are larger than 512KB. |
2016-12-12 | SOLNESS-11120 | When printing a dashboard, key indicators show up large and with the drilldown link in parentheses. |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.2