This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Highlighted issues
Date filed | Issue number | Description |
---|---|---|
2018-02-20 | SOLNESS-14637 | Splunk Web doesn't start after upgrading Splunk Enterprise Security. Workaround: Remove the Advanced XML module folder and its contents from the installation, for instance `$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor`. |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2020-02-24 | SOLNESS-21848 | Threat Intelligence Framework: Files in pickup dirs when sinkhole not in use causing large SHC Snapshots |
2020-02-24 | SOLNESS-21847 | Threat Intelligence Framework: When download is anything other than TAXII we change file extension |
2020-01-07 | SOLNESS-21102, SOLNESS-21222 | Risk Framework: Lookup Gen searches do not dedup multivalue fields, which skews results on the Incident Review page |
2019-10-14 | SOLNESS-20459 | dm_accel_settings manager page still exposes deprecated manual_rebuilds parameter |
2019-10-02 | SOLNESS-20348 | Per Panel Filters: When applied, prevent results from being shown. Workaround: Do not use per-panel filtering on the Threat Activity page, or disable it by nulling out the `ppf` token in `DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml`: `<set token="ppf"></set>` |
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causing TLS handshake failure on TAXII feeds. Workaround: Update libtaxii to version 1.1.114 in `$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib` |
2019-09-19 | SOLNESS-20202 | Certificate Manager doesn't permit `.key` files. Workaround: The `app_certs_rest_handler` permits an extensible file extension whitelist. For instance, to be able to submit `.key` files, add the following to `SA-Utils/local/restmap.conf`: `[script:app_certs_rest_handler]` `script.param = {"extensions": [".arm", ".ca-bundle", ".cer", ".crt", ".der", ".p7b", ".p7s", ".pem", ".pfx", ".key"], "max_size": 1000000}` |
2019-09-13 | SOLNESS-20145 | Expired User Activity picks up splunkd search logs via audittrail |
2019-08-23 | SOLNESS-19854, SOLNESS-20018 | Attempt to 'stop managing' produces an error: could not be found |
2019-07-04 | SOLNESS-19368 | iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security |
2019-06-13 | SOLNESS-19167, SOLNESS-19186 | Next Steps disappear when creating Short ID. |
2019-05-14 | SOLNESS-18917 | PDF printout of Investigations timeline (.../ess_investigation?id=*&visual=timeline) does not match timeline (not in chronological order) |
2019-05-03 | SOLNESS-18821 | Asset/Identity Investigators on first load progress balls on bottom of page and side of page need to be removed |
2019-05-01 | SOLNESS-18806, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup |
2019-04-26 | SOLNESS-18774, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup |
2019-04-12 | SOLNESS-18662 | whois modular input does not permit realm specifications for api_user or proxy_user Workaround: Remove realm from credential. |
2019-04-12 | SOLNESS-18661 | Hardcoded http URI in whois_handlers.py |
2019-04-11 | SOLNESS-18656, SOLNESS-19159 | Identity correlation not favoring string lookup over CIDR when max_memtable_bytes exceeded |
2019-04-08 | SOLNESS-18603 | Incident Review: eventCount does not match resultCount, causing display issues (such as events being displayed twice). Workaround: Set `phased_execution_mode` to `singlethreaded` in the `[search]` stanza of `limits.conf`: `[search]` `phased_execution_mode = singlethreaded` |
2019-03-29 | SOLNESS-18523, SOLNESS-18521, SOLNESS-18529 | Adaptive Responses are being truncated in the correlation search editor page |
2019-03-29 | SOLNESS-18521, SOLNESS-18523 | Adaptive Responses are being truncated in the correlation search editor page |
2019-03-28 | SOLNESS-18518, SOLNESS-18993 | ES AR UI fully breaks on single "bad" AR HTML UI |
2019-03-13 | SOLNESS-18400 | Correlation Search Editor does not properly read throttling window duration |
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports |
2019-02-12 | SOLNESS-17965 | "Email Address Matches" generating search is not domain matching properly. Workaround: The following override can be applied locally (in `DA-ESS-ThreatIntelligence/local/savedsearches.conf`) or via the UI: `[Threat - Email Address Matches - Threat Gen]` `search = | `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email | eval email='All_Certificates.SSL.ssl_issuer_email' | eval threat_match_field="ssl_issuer_email" | `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email | eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) | eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) | `sistats_values_rename(All_Certificates.src,src)` | `sistats_values_rename(All_Certificates.dest,dest)` | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user | eval email=if(isnull(email),'All_Email.src_user',email) | eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient | eval email=if(isnull(email),'All_Email.recipient',email) | eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) | `sistats_values_rename(All_Email.src,src)` | `sistats_values_rename(All_Email.dest,dest)` | stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field | extract cim_email_domain | `truncate_domain_dedup(email_domain,truncated_email)` | lookup update=true threatintel_by_email email OUTPUT | lookup update=true threatintel_by_email_wildcard email OUTPUTNEW | lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW | lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW | search threat_collection_key=* | `mvtruncate(src)` | `mvtruncate(dest)` | `zipexpand_threat_matches` | table sourcetype,src,dest,email,threat*,weight` |
2019-02-11 | SOLNESS-17956 | Identity Correlation modification will not save on SHC |
2019-02-07 | SOLNESS-17946 | Security Domains CSV (security_domains.csv) overwritten during upgrade |
2019-01-22 | SOLNESS-17734 | Custom app won't show up in Content Management App dropdown unless there is at least one shared savedsearch in the app |
2018-12-26 | SOLNESS-17396 | New Analytic Story page shows an error when Splunk is configured with a non-default Management Port |
2018-12-20 | SOLNESS-17368 | Incident Review: Filter on "edit events" modal does not work / no focus |
2018-12-17 | SOLNESS-17291, RTO-337 | expandtoken errors with "field larger than field limit". Workaround: raise the Python csv module field size limit: `# The default of the csv module is 128KB; upping to 10MB. See SPL-12117 for` `csv.field_size_limit(10485760)` |
2018-12-16 | SOLNESS-17285 | Custom Role inheritance is not working in ES app after upgrade Workaround: Contact support for patch. |
2018-12-11 | SOLNESS-17293 | Expected Host Not Reporting correlation does not persist host tags |
2018-11-27 | SOLNESS-17111 | Incident Review - Unable to type names when assigning Enterprise Security notables |
2018-11-21 | SOLNESS-17081 | Notable events are populated with info_max_time="+Infinity", info_min_time="0.000" with alert.digest_mode=0 in the savedsearch.conf |
2018-10-10 | SOLNESS-16774 | Index Time Delta: Improper timeDiff computation causes false negatives |
2018-10-04 | SOLNESS-16696 | Error in error logging in managed_nav_rest_handler.py |
2018-10-03 | SOLNESS-16682, SPL-170703 | Internal Error: Missing a search command before * |
2018-10-01 | SOLNESS-16662, SOLNESS-15945 | Content Management/Analytic Story Details: clicking on a saved search doesn't open the editor just the lister page |
2018-09-05 | SOLNESS-16498 | Navigation Dividers Do Not Render When On Certain Views |
Last modified on 13 August, 2022
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0