Splunk® Enterprise Security

Release Notes


This documentation does not apply to the most recent version of ES.

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed | Issue number | Description
2018-02-20 | SOLNESS-14637 | Splunk Web doesn't start after upgrading Splunk Enterprise Security

Workaround:
Remove the Advanced XML module folder and its contents from the installation. For instance:

$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor

Uncategorized issues

Date filed | Issue number | Description
2020-01-07 | SOLNESS-21102, SOLNESS-21222 | Risk Framework: the Lookup Gen search does not dedup multivalue fields, which skews results on the Incident Review page
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causing TLS handshake failure on TAXII feeds

Workaround:
Update the bundled libtaxii to version 1.1.114 in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib.
2019-05-01 | SOLNESS-18806, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to the threat_key name of a lookup
2019-04-26 | SOLNESS-18774, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to the threat_key name of a lookup
2019-04-12 | SOLNESS-18662 | whois modular input does not permit realm specifications for api_user or proxy_user

Workaround:
Remove the realm from the credential.
2019-04-12 | SOLNESS-18661 | Hardcoded http URI in whois_handlers.py
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2019-02-07 | SOLNESS-17946 | Security Domains CSV (security_domains.csv) overwritten during upgrade
2018-12-17 | SOLNESS-17291, RTO-337 | expandtoken errors with "field larger than field limit"

Workaround:
Raise the csv module's field size limit in the affected script:

# The default of the csv module is 128KB; upping to 10MB. See SPL-12117 for
# the background on issues surrounding field sizes.
# (this method is new in python 2.5)
import csv
csv.field_size_limit(10485760)

https://answers.splunk.com/answers/709747/error-field-larger-than-field-limit-131072.html#answer-709749
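The following Python is an added example, not code from this page or from SA-Utils. It reproduces the "field larger than field limit" error with a constructed CSV row whose second field exceeds the csv module's 128 KB default, then shows that the raised limit from the workaround parses the same row. The field lengths, the key name and the 2**31-1 fallback are assumptions of the example; note that csv.field_size_limit() is process-global, so the limit applies to every reader in the same Python process.

```python
import csv
import io

DEFAULT_LIMIT = 131072     # csv module default field size limit: 128 KiB
RAISED_LIMIT = 10485760    # 10 MiB, the value used in the workaround above


def make_oversized_csv(field_len=200000):
    """Constructed sample (not real ES data): a two-column CSV row whose
    second field is field_len characters, i.e. larger than 128 KiB by
    default. It stands in for a lookup row carrying a very long token."""
    buf = io.StringIO()
    csv.writer(buf).writerow(["example_key", "A" * field_len])
    return buf.getvalue()


def longest_field(text, limit):
    """Parse text with csv.reader under the given field size limit.

    Returns the length of the longest field, or None when the csv module
    raises its 'field larger than field limit' error. The limit is
    process-global, so the previous value is restored afterwards."""
    previous = csv.field_size_limit()
    try:
        csv.field_size_limit(limit)
    except OverflowError:
        # A limit wider than a C long (e.g. sys.maxsize on 64-bit Windows)
        # overflows; fall back to the largest portable value. This branch is
        # an assumption of the example, not something the workaround needs.
        csv.field_size_limit(2 ** 31 - 1)
    try:
        rows = csv.reader(io.StringIO(text))
        return max(len(field) for row in rows for field in row)
    except csv.Error as err:
        if "field larger than field limit" in str(err):
            return None
        raise
    finally:
        csv.field_size_limit(previous)


def demo():
    """(result under the default limit, result after raising it)."""
    text = make_oversized_csv()
    return longest_field(text, DEFAULT_LIMIT), longest_field(text, RAISED_LIMIT)


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(None, 200000)`: the same row fails under the default limit and parses once the limit is raised.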

2018-12-11 | SOLNESS-17293 | Expected Host Not Reporting correlation does not persist host tags
2018-10-04 | SOLNESS-16696 | Error in error logging in managed_nav_rest_handler.py
2018-10-02 | SOLNESS-16673 | ES Installer -- FIPS never gets enabled
2018-09-18 | SOLNESS-16563 | globedistance macro units syntax does not match usage in summary gen search

Workaround:
The Access - Geographically Improbable Access - Summary Gen search currently passes the units to the macro as a quoted literal:

eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,"m")`

It should set a units field in the eval and pass that field name to the macro instead:

eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,units)`
2018-09-15 | SOLNESS-16550 | Workbench Inventory Panel treating user token as an asset
2018-08-15 | SOLNESS-16219 | Identity Management: inputs.conf ootb disablement does not align with macros.conf
2018-08-01 | SOLNESS-15993, SOLNESS-16146 | Threat Intelligence upload cancel button not working
2018-06-22 | SOLNESS-15800 | Multi-select drag on Asset Investigator does not display details on the screen; the Chrome JavaScript console shows "Uncaught TypeError: Cannot read property 'sign_board' of undefined."

Workaround:
None.
2018-06-11 | SOLNESS-15654, SOLNESS-14643 | Post upgrade process does not re-enable all the apps
2018-05-25 | SOLNESS-15528 | Threat Intel parsing error when documents without stanzas are parsed
2018-05-10 | SOLNESS-15402, SOLNESS-15456 | Incident Review: non-admin users cannot tag notable events

Workaround:
Update the ACLs for SA-ThreatIntelligence so that non-admin roles have write access to "tags". Make the change in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/metadata/local.meta rather than default.meta, so that it survives an upgrade, and restart Splunk to apply it. For instance, to grant the ess_analyst role write access:

[tags]
access = read : [ * ], write : [ admin, ess_analyst ]
2018-05-02 | SOLNESS-15348, SOLNESS-15344 | Adaptive Response section on Correlation Search Editor breaks when no data is returned
2018-04-30 | SOLNESS-15332 | Access - Inactive Account Usage: Zero results when drilling down
2018-04-25 | SOLNESS-15277 | SHC Destructive Resync puts the SHC Captain's hostname into the Members' inputs.conf
2018-04-20 | SOLNESS-15253, SOLNESS-15541 | Navigation Editor: does not allow one to select "default view" for a link
2018-04-19 | SOLNESS-15251 | Audit - Script Errors: Exit code 114 is normal for instrumentation.py and should be whitelisted
2018-04-15 | SOLNESS-15203 | Logic for "Should Timesync Host Not Syncing" correlation is faulty
2018-04-10 | SOLNESS-15132, SOLNESS-15100 | Correlation Search Guided Mode UI: Truncating Datamodel list because of missing count
2018-04-10 | SOLNESS-15128 | Threat Intelligence Manager appears to be parsing the entire apps directory
2018-03-29 | SOLNESS-15051 | maxmind_geoip_asn_ipv6 encoding should be latin1
2018-03-28 | SOLNESS-15042 | Unable to parse and import some STIX files obtained from www.us-cert.gov. NamespaceNotFoundError: Namespace not found: http://us-cert.gov/ciscp
2018-03-28 | SOLNESS-15033 | contentinfo datamodel regex parser for tstats/from is incorrect
2018-03-22 | SOLNESS-14982 | Extreme Search app unintentionally downgraded
2018-03-20 | SOLNESS-14964 | ES correlation searches export feature generates wrong settings for counttype, relation and quantity

Workaround:
Manually fix the wrong names generated by the correlation search export.
2018-03-19 | SOLNESS-14947, SOLNESS-15058 | "Audit - Script Errors" incorrectly reports running scripts as in unknown state

Workaround:
Change the search string of "Audit - Script Errors" (from SA-Utils) to the following:

| rest /services/admin/inputstatus/ModularInputs:modular%20input%20commands splunk_server=local count=0
| append [| rest /services/admin/inputstatus/ExecProcessor:exec%20commands splunk_server=local count=0]
| fields inputs*
| transpose
| rex field=column "inputs(?<script>\S+)(?:\s\((?<stanza>[^\(]+)\))?\.(?<key>(exit status description)|(time closed)|(time opened))"
| eval value=coalesce('row 1', 'row 2'), stanza=coalesce(stanza, "default"), started=if(key=="time opened", value, started), stopped=if(key=="time closed", value, stopped)
| rex field=value "exited\s+with\s+code\s+(?<exit_status>\d+)"
| stats first(started) as started, first(stopped) as stopped, first(exit_status) as exit_status by script, stanza
| eval errmsg=case(exit_status=="0", null(), isnotnull(exit_status), "A script exited abnormally with exit status: "+exit_status, isnull(started) or isnotnull(stopped), "A script is in an unknown state"), ignore=if(`script_error_msg_ignore`, 1, 0)
| where isnotnull(errmsg) AND ignore=0
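To make the corrected classification concrete, here is an added Python re-implementation of the search's per-script logic (example code, not part of SA-Utils or this page), run over a constructed set of transposed column/value pairs. The script paths, stanza names, timestamps and exit status strings are made up for the example, and the `script_error_msg_ignore` macro exclusion is left out. The case the fix is about is the third script: opened, not yet closed, no exit status, which is a running script and not an error.

```python
import re
from collections import defaultdict

# Column names produced by '| fields inputs* | transpose' are assumed to
# look like  inputs<script>[ (<stanza>)].<key>  with key one of the three
# values below; this pattern mirrors the search's first 'rex' stage.
COLUMN_RE = re.compile(
    r"inputs(?P<script>\S+)(?:\s\((?P<stanza>[^(]+)\))?"
    r"\.(?P<key>exit status description|time closed|time opened)$"
)
EXIT_RE = re.compile(r"exited\s+with\s+code\s+(?P<exit_status>\d+)")

# Constructed (column, value) pairs, not output captured from a real
# instance: one clean exit, one failed exit, one script still running,
# and one that recorded a close without ever recording an open.
SAMPLE = [
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/ok.py (default).time opened", "2018-03-19T10:00:00"),
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/ok.py (default).time closed", "2018-03-19T10:00:05"),
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/ok.py (default).exit status description", "exited with code 0"),
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/bad.py.time opened", "2018-03-19T10:00:00"),
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/bad.py.time closed", "2018-03-19T10:00:05"),
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/bad.py.exit status description", "exited with code 1"),
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/running.py (default).time opened", "2018-03-19T10:00:00"),
    ("inputs/opt/splunk/etc/apps/SA-Utils/bin/weird.py (default).time closed", "2018-03-19T10:00:05"),
]

ABNORMAL = "A script exited abnormally with exit status: "
UNKNOWN = "A script is in an unknown state"


def classify(pairs):
    """Apply the search's per-script logic to transposed (column, value) pairs.

    Returns {(script, stanza): errmsg}, where errmsg is None for a clean exit
    and for a script that has opened but not yet closed (still running)."""
    state = defaultdict(dict)
    for column, value in pairs:
        m = COLUMN_RE.match(column)
        if not m:
            continue
        ident = (m.group("script"), m.group("stanza") or "default")
        key = m.group("key")
        # setdefault keeps the first value seen, like stats first(...)
        if key == "time opened":
            state[ident].setdefault("started", value)
        elif key == "time closed":
            state[ident].setdefault("stopped", value)
        else:
            e = EXIT_RE.search(value)
            if e:
                state[ident].setdefault("exit_status", e.group("exit_status"))

    results = {}
    for ident, s in state.items():
        exit_status = s.get("exit_status")
        if exit_status == "0":
            results[ident] = None
        elif exit_status is not None:
            results[ident] = ABNORMAL + exit_status
        elif s.get("started") is None or s.get("stopped") is not None:
            results[ident] = UNKNOWN
        else:
            results[ident] = None   # opened, not closed: running, not an error
    return results


if __name__ == "__main__":
    for ident, msg in classify(SAMPLE).items():
        print(ident, "->", msg)
```

With the sample above, ok.py and running.py produce no error message, bad.py is reported as an abnormal exit with status 1, and weird.py (a close with no open) is the only script reported as being in an unknown state.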

2018-03-06 | SOLNESS-14813 | Blank setup page for ES Fresh Install

Workaround:
Temporarily remove the apps deployed via the deployment server, then restart.
2018-03-02 | SOLNESS-14793 | is_threatintel = 0 may still process an Intelligence Download as threat intelligence if there are outstanding threat intelligence files

Workaround:
Delete the outstanding threat intelligence file(s) at $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/<threatlist_filename>.csv.
2018-02-13 | SOLNESS-14596 | TA-cef: (KV_MODE=auto) does not properly extract CEF events
2018-01-18 | SOLNESS-14237 | 500 server error when a user without the admin_all_objects capability saves Identity Lookup Settings
2017-11-09 | SOLNESS-12599 | Glass table lines always appear at the front, even when sent to back
2017-09-25 | SOLNESS-12421 | New ES Lookup Editor: Cannot re-enable disabled managed lookups
2017-04-05 | SOLNESS-11913 | Glass table searches containing "| rest" may display inaccurate results on Core Splunk 6.6+

Workaround:
Log in as a user who is a member of or inherits the "admin" role to ensure that the data presented in the Glass Table view is complete.
2017-03-30 | SOLNESS-11872 | Session Center Page: UBA tab: Export to PDF does not include UBA results
2017-01-13 | SOLNESS-11296 | SA-ExtremeSearch display_context view does not work in Splunk platform 6.5+

Workaround:
Download the Extreme Search Visualizations app from Splunkbase to use updated dashboards that are compatible with newer versions of the Splunk platform.
2016-12-12 | SOLNESS-11120 | When printing a dashboard, key indicators show up large and with the drilldown link in parentheses
Last modified on 08 February, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0

