Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed

Issue number

Description

2018-02-20

SOLNESS-14637

Splunk Web doesn't start after upgrading Splunk Enterprise Security

Workaround:
Remove Advanced XML module folder and contents from the installation.

For instance:

 $SPLUNK_HOME/etc/apps/SA-Utils
/appserver/modules/SOLNLookupEditor

Uncategorized issues

Date filed	Issue number	Description
2020-01-07	SOLNESS-21102, SOLNESS-21222	Risk Framework: Lookup Gen search are not dedup mv fields which is skewing results on IR Page
2019-09-30	SOLNESS-20299	Bug in libtaxii causing TLS handshake failure on TAXII feeds Workaround: Update libtaxii to version 1.1.114 in SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib
2019-05-01	SOLNESS-18806, SOLNESS-18659	IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup
2019-04-26	SOLNESS-18774, SOLNESS-18659	IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup
2019-04-12	SOLNESS-18662	whois modular input does not permit realm specifications for api_user or proxy_user Workaround: Remove realm from credential.
2019-04-12	SOLNESS-18661	Hardcoded http URI in whois_handlers.py
2019-02-19	SOLNESS-18079	Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2019-02-11	SOLNESS-17956	Identity Correlation modification will not save on SHC
2019-02-07	SOLNESS-17946	Security Domains CSV (security_domains.csv) overwritten during upgrade
2018-12-17	SOLNESS-17291, RTO-337	expandtoken errors with "field larger than field limit" Workaround: # The default of the csv module is 128KB; upping to 10MB. See SPL-12117 for the background on issues surrounding field sizes. (this method is new in python 2.5) csv.field_size_limit(10485760) https://answers.splunk.com/answers/709747/error-field-larger-than-field-limit-131072.html#answer-709749
2018-12-11	SOLNESS-17293	Expected Host Not Reporting correlation does not persist host tags
2018-10-04	SOLNESS-16696	Error in error logging in managed_nav_rest_handler.py
2018-10-02	SOLNESS-16673	ES Installer -- FIPS never gets enabled
2018-09-18	SOLNESS-16563	globedistance macro units syntax does not match usage in summary gen search Workaround: The following syntax for Access - Geographically Improbable Access - Summary Gen: eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) \| dedup key, user \| `globedistance(src_lat,src_long,dest_lat,dest_long,"m")` Should be: eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" \| dedup key, user \| `globedistance(src_lat,src_long,dest_lat,dest_long,units)`
2018-09-15	SOLNESS-16550	Workbench Inventory Panel treating user token as an asset
2018-08-15	SOLNESS-16219	Identity Management: inputs.conf ootb disablement does not align with macros.conf
2018-08-01	SOLNESS-15993, SOLNESS-16146	Threat Intelligence upload cancel button not working
2018-06-22	SOLNESS-15800	Multi-select drag on Asset Investigator does not display details on the screen with error message "Uncaught TypeError: Cannot read property 'sign_board' of undefined." on Chrome Java Console. Workaround: No
2018-06-11	SOLNESS-15654, SOLNESS-14643	Post upgrade process does not re-enable all the apps
2018-05-25	SOLNESS-15528	Threat Intel parsing error when documents without stanzas are parsed.
2018-05-10	SOLNESS-15402, SOLNESS-15456	Incident Review: non-admin users cannot tag notable events Workaround: Update ACLs for SA-ThreatIntelligence to permit non-admins write access to "tags". For instance, [tags] access = read : [ * ], write : [ admin, ess_analyst ]
2018-05-02	SOLNESS-15348, SOLNESS-15344	Adaptive Response section on Correlation Search Editor breaks when no data is returned
2018-04-30	SOLNESS-15332	Access - Inactive Account Usage: Zero results when drilling down
2018-04-25	SOLNESS-15277	SHC Destructive Resync puts SHC Captains hostname into Members inputs.conf
2018-04-20	SOLNESS-15253, SOLNESS-15541	Navigation Editor: do not allow one to select "default view" for a link
2018-04-19	SOLNESS-15251	Audit - Script Errors: Exit code 114 is normal for instrumentation.py and should be whitelisted
2018-04-15	SOLNESS-15203	Logic for "Should Timesync Host Not Syncing" correlation is faulty
2018-04-10	SOLNESS-15132, SOLNESS-15100	Correlation Search Guided Mode UI: Truncating Datamodel list because of missing count
2018-04-10	SOLNESS-15128	Threat Intelligence Manager appears to be parsing the entire apps directory
2018-03-29	SOLNESS-15051	maxmind_geoip_asn_ipv6 encoding should be latin1
2018-03-28	SOLNESS-15042	Unable to parse and import some STIX files obtained from www.us-cert.gov. NamespaceNotFoundError: Namespace not found: http://us-cert.gov/ciscp
2018-03-28	SOLNESS-15033	contentinfo datamodel regex parser for tstats/from is incorrect
2018-03-22	SOLNESS-14982	Extreme Search app unintentionally downgraded
2018-03-20	SOLNESS-14964	ES correlation searches export feature generates wrong settings for counttype, relation and quantity Workaround: Manually fix wrong names generated by correlation search export.
2018-03-19	SOLNESS-14947, SOLNESS-15058	"Audit - Script Errors" incorrectly report running scripts as in unknown state Workaround: Change the search string of "Audit - Script Errors" from SA-Utils to: {noformat} \| rest /services/admin/inputstatus/ModularInputs:modular%20input%20commands splunk_server=local count=0 \| append [\| rest /services/admin/inputstatus/ExecProcessor:exec%20commands splunk_server=local count=0] \| fields inputs* \| transpose \| rex field=column "inputs(?<script>\S+)(?:\s\((?<stanza>[^\(]+)\))?\.(?<key>(exit status description)\|(time closed)\|(time opened))" \| eval value=coalesce('row 1', 'row 2'), stanza=coalesce(stanza, "default"), started=if(key=="time opened", value, started), stopped=if(key=="time closed", value, stopped) \| rex field=value "exited\s+with\s+code\s+(?<exit_status>\d+)" \| stats first(started) as started, first(stopped) as stopped, first(exit_status) as exit_status by script, stanza \| eval errmsg=case(exit_status=="0", null(), isnotnull(exit_status), "A script exited abnormally with exit status: "+exit_status, isnull(started) or isnotnull(stopped), "A script is in an unknown state"), ignore=if(`script_error_msg_ignore`, 1, 0) \| where isnotnull(errmsg) AND ignore=0 {noformat}
2018-03-06	SOLNESS-14813	Blank setup page for ES Fresh Install Workaround: Temporarily remove apps deployed via deployment server and restart.
2018-03-02	SOLNESS-14793	is_threatintel = 0 May still process Intelligence Download as threat intelligence if there is outstanding threat intelligence files Workaround: Go to /apps/SA-ThreatIntelligence/local/data/threat_intel/<threatlist_filename>.csv and delete
2018-02-13	SOLNESS-14596	TA-cef: (KV_MODE=auto) does not properly extract CEF events
2018-01-18	SOLNESS-14237	500 server error when users without admin_all_object capability saves Identity Lookup Setting.
2017-11-09	SOLNESS-12599	Glass table lines always appear at the front, even when sent to back.
2017-09-25	SOLNESS-12421	New ES Lookup Editor: Cannot re-enable disabled managed lookups
2017-04-05	SOLNESS-11913	Glasstable searches containing `\| rest` may display inaccurate results on Core Splunk 6.6+ Workaround: Log in as a user who is a member of or inherits the "admin" role to ensure that the data presented in the Glass Table view is complete.
2017-03-30	SOLNESS-11872	Session Center Page : UBA tab : Export to PDF does not include UBA results
2017-01-13	SOLNESS-11296	SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+ Workaround: Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform.
2016-12-12	SOLNESS-11120	When printing a dashboard, key indicators show up large and with the drilldown link in parentheses.

Release Notes

Related Answers

Known Issues for Splunk Enterprise Security

Highlighted issues

Uncategorized issues

Comments

Known Issues for Splunk Enterprise Security