Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed Issue number Description
2018-02-20 SOLNESS-14637 Splunk Web doesn't start after upgrading Splunk Enterprise Security

Workaround:
Remove Advanced XML module folder and contents from the installation.

For instance:

 $SPLUNK_HOME/etc/apps/SA-Utils
/appserver/modules/SOLNLookupEditor
 

Uncategorized issues

Date filed Issue number Description
2019-09-30 SOLNESS-20299 Bug in libtaxii causing TLS handshake failure on TAXII feeds

Workaround:
Update libtaxii to version 1.1.114 in SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib
2019-04-12 SOLNESS-18661 Hardcoded http URI in whois_handlers.py
2019-04-12 SOLNESS-18662 whois modular input does not permit realm specifications for api_user or proxy_user

Workaround:
Remove realm from credential.
2019-02-19 SOLNESS-18079 Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2018-12-17 SOLNESS-17291, RTO-337 expandtoken errors with "field larger than field limit"

Workaround:
# The default of the csv module is 128KB; upping to 10MB. See SPL-12117 for
  1. the background on issues surrounding field sizes.
  2. (this method is new in python 2.5)

csv.field_size_limit(10485760)

https://answers.splunk.com/answers/709747/error-field-larger-than-field-limit-131072.html#answer-709749

2018-11-21 SOLNESS-17081 Notable events are populated with info_max_time="+Infinity", info_min_time="0.000" with alert.digest_mode=0 in the savedsearch.conf
2018-10-15 SOLNESS-16787, SPL-161666 SAML users can't view glasstables

Workaround:
Created local user accounts with sc_admin (ess_admin) roles.
2018-10-04 SOLNESS-16696 Error in error logging in managed_nav_rest_handler.py
2018-09-19 SOLNESS-16577 ES Investigation Dashboard sorts Created and Last Modified columns incorrectly
2018-09-18 SOLNESS-16563 globedistance macro units syntax does not match usage in summary gen search

Workaround:
The following syntax for Access - Geographically Improbable Access - Summary Gen:

eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,"m")`
 

Should be:
eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,units)`
 
2018-05-10 SOLNESS-15401 Cannot create investigation from Asset/Identity dashboards
Last modified on 11 November, 2019
PREVIOUS
Fixed Issues for Splunk Enterprise Security
  NEXT
How to find answers and get help with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters