Splunk® Enterprise Security

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed Issue number Description
2018-02-20 SOLNESS-14637 Splunk Web doesn't start after upgrading Splunk Enterprise Security

Remove Advanced XML module folder and contents from the installation.

For instance:


Uncategorized issues

Date filed Issue number Description
2020-04-09 SOLNESS-22356 Suppressing notable event gives a javascript error when the title contains special characters such as

Update the Correlation Search to remove a list of special characters that have special meaning in regex, so the title of the Notable Event will not have these characters:

2020-03-23 SOLNESS-22110 Threat Intelligence: Maxmind ASN database can no longer be consumed
2020-02-28 SOLNESS-21907, SOLNESS-21911 Threat Intelligence Manager: Incomplete/Orphaned stanzas will cause the manager to exit
2020-02-24 SOLNESS-21848 Threat Intelligence Framework: Files in pickup dirs when sinkhole not in use causing large SHC Snapshots
2020-02-24 SOLNESS-21847 Threat Intelligence Framework: When download is anything other than TAXII we change file extension
2020-02-13 SOLNESS-21783 Incident Review does not load when read permissions on pertinent lookups are limited to select roles
2020-01-07 SOLNESS-21102, SOLNESS-21222 Risk Framework: Lookup Gen search are not dedup mv fields which is skewing results on IR Page
2020-01-05 SOLNESS-21093 "Endpoint Changes" dashboard panels missing "datamodel=" resulting in missing results from "Endpoint.Filesystem" datamodel

The panels for "Endpoint Changes By Action", "Endpoint Changes By Type" and "Endpoint Changes By System"

all have the first | tstats missing a "datamodel="

| `tstats` count from Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ...

Can be changed to this as a workaround:

| `tstats` count from datamodel=Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m
2019-12-10 SOLNESS-20951, SOLNESS-20994 Postinstall fails when upgrading due to error enabling modular inputs

The enablement of modular inputs during post-install can lead to failures if the role performing the install is missing capabilities.

Verify the role being used to install (i.e. role_admin) inherits the additional roles shipped by ES (ess_admin, ess_analyst, ess_user) and re-run setup.

2019-10-02 SOLNESS-20348 Per Panel Filters: When applied prevent results from being shown

Do not use per-panel filtering on the Threat Activity page or disable it by nulling out the ppf token in DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml

 <set token="ppf"></set>
2019-09-30 SOLNESS-20299 Bug in libtaxii causing TLS handshake failure on TAXII feeds

Update libtaxii to version 1.1.114 in SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib
2019-08-23 SOLNESS-19854, SOLNESS-20018 Attempt to 'stop managing' produces an error : coud not be found
2019-08-20 SOLNESS-19835 Content Management: Audit - Index Readiness search consuming to many disk resources
2019-07-16 SOLNESS-19413, SOLNESS-20461 Threat Intelligence Samples Removed in ES 6.0
2019-07-04 SOLNESS-19368 iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security
2019-06-28 SOLNESS-19321 Dropdown menus on ES Configuration Health & HTTP Category Analysis look odd when an investigation has been selected
2019-06-20 SOLNESS-19277 Manual Notable Event Creation: orig_time does not persist proper _time from event
2019-06-13 SOLNESS-19167, SOLNESS-19186 Next Steps disappear when creating Short ID.
2019-05-29 SOLNESS-19047 Drilldowns from XML pages with special characters opens empty search page

Upgrade to Splunk 7.1.8, 7.2.8, 7.3.2
2019-05-15 SOLNESS-18935 Analytic Story Details View - Empty References Bullet
2019-05-03 SOLNESS-18821 Asset/Identity Investigators on first load progress balls on bottom of page and side of page need to be removed
2019-05-01 SOLNESS-18806, SOLNESS-18659 IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup
2019-04-30 SOLNESS-18801, SOLNESS-18790 SA-ThreatIntelligence/default/savedsearches.conf has action.keyindicator.drilldown_uri key twice
2019-04-30 SOLNESS-18800, SOLNESS-18789 SA-EndpointProtection/default/savedsearches.conf has schedule_window key twice
2019-04-26 SOLNESS-18773 "No module named six" import error from various scripts on 5.3.0 + Windows

Contact support to get the replacement log.py script that is attached to the jira issue. Replace log.py in the following locations:


2019-04-26 SOLNESS-18774, SOLNESS-18659 IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup
2019-04-12 SOLNESS-18662 whois modular input does not permit realm specifications for api_user or proxy_user

Remove realm from credential.
2019-04-12 SOLNESS-18661 Hardcoded http URI in whois_handlers.py
2019-04-11 SOLNESS-18656, SOLNESS-19159 Identity correlation not favoring string lookup over CIDR when max_memtable_bytes exceeded
2019-04-08 SOLNESS-18603 Incident Review: eventCount does not match resultCount causing display issues (such as events being displayed twice)

Set phased_execution_mode to singlethreaded

## limits.conf
phased_execution_mode = singlethreaded

2019-04-01 SOLNESS-18541, SOLNESS-18325 Asset Investigator: drilldown for notables isn't working
2019-04-01 SOLNESS-18539, SOLNESS-18376, SOLNESS-18765 IR: cs link has target=_bank causing windows to be re-used
2019-04-01 SOLNESS-18535, SOLNESS-18437 SDL editor: editor reports "cannot create lookup" when invalid cron schedule has been entered
2019-03-29 SOLNESS-18521, SOLNESS-18523 Adaptive Response's are being truncated in the correlation search editor page
2019-03-28 SOLNESS-18518, SOLNESS-18993 ES AR UI fully breaks on single "bad" AR HTML UI
2019-03-25 SOLNESS-18447, SOLNESS-18534 Progress bar freezes when deleting multiple investigations

Refresh the page. The investigations are still deleted.
2019-03-15 SOLNESS-18377, SPL-167855 Workbench: custom visualizations don't work in workbench
2019-02-12 SOLNESS-17965 "Email Address Matches" generating search not domain matching properly

The following override can be applied locally or via the UI:

## DA-ESS-ThreatIntelligence/local/savedsearches.conf
[Threat - Email Address Matches - Threat Gen]
search                               = | `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email | eval email='All_Certificates.SSL.ssl_issuer_email' | eval threat_match_field="ssl_issuer_email" | `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email | eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) | eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) | `sistats_values_rename(All_Certificates.src,src)` | `sistats_values_rename(All_Certificates.dest,dest)` | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user | eval email=if(isnull(email),'All_Email.src_user',email) | eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient | eval email=if(isnull(email),'All_Email.recipient',email) | eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) | `sistats_values_rename(All_Email.src,src)` | `sistats_values_rename(All_Email.dest,dest)` | stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field | extract cim_email_domain | `truncate_domain_dedup(email_domain,truncated_email)` | lookup update=true threatintel_by_email email OUTPUT | lookup update=true threatintel_by_email_wildcard email OUTPUTNEW | lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW | lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW | search threat_collection_key=* | `mvtruncate(src)` | `mvtruncate(dest)` | `zipexpand_threat_matches` | table sourcetype,src,dest,email,threat*,weight
2019-01-09 SOLNESS-17442, STREAM-4110 Stream SSL and DNS Activity views conflicts with Enterprise Security's SSL and DNS Activity views

Please prevent the Splunk app for Stream from exporting views globally via local metadata override.
 ## in ../apps/splunk_app_stream/metadata/local.meta 
 export = none
2018-12-23 SOLNESS-17394, SOLNESS-19303 Threat Activity dashboard shows no results on load
2018-10-03 SOLNESS-16682, SPL-170703 Internal Error: Missing a search command before *
Last modified on 29 April, 2020
Fixed Issues for Splunk Enterprise Security
How to find answers and get help with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters