Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Highlighted issues
Date filed | Issue number | Description |
---|---|---|
2018-02-20 | SOLNESS-14637 | Splunk Web doesn't start after upgrading Splunk Enterprise Security. Workaround: Remove the Advanced XML module folder and its contents from the installation, for instance `$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor`. |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2020-04-09 | SOLNESS-22356 | Suppressing a notable event gives a JavaScript error when the title contains regex special characters. Workaround: Update the correlation search so that the notable event title does not contain any of the characters that have special meaning in regex: `[\^$.\|?*+()` |
2020-03-23 | SOLNESS-22110 | Threat Intelligence: Maxmind ASN database can no longer be consumed |
2020-02-28 | SOLNESS-21907, SOLNESS-21911 | Threat Intelligence Manager: Incomplete/Orphaned stanzas will cause the manager to exit |
2020-02-24 | SOLNESS-21848 | Threat Intelligence Framework: Files left in pickup directories when the sinkhole is not in use cause large SHC snapshots |
2020-02-24 | SOLNESS-21847 | Threat Intelligence Framework: The file extension is changed when the download type is anything other than TAXII |
2020-02-13 | SOLNESS-21783 | Incident Review does not load when read permissions on pertinent lookups are limited to select roles |
2020-01-07 | SOLNESS-21102, SOLNESS-21222 | Risk Framework: Lookup Gen search does not dedup multivalue fields, which skews results on the Incident Review page |
2020-01-05 | SOLNESS-21093 | "Endpoint Changes" dashboard panels are missing `datamodel=`, resulting in missing results from the "Endpoint.Filesystem" data model. Workaround: The panels "Endpoint Changes By Action", "Endpoint Changes By Type" and "Endpoint Changes By System" all have the first `` `tstats` `` missing a `datamodel=`. Change `` \| `tstats` count from Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ... `` to `` \| `tstats` count from datamodel=Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ... `` |
2019-12-10 | SOLNESS-20951, SOLNESS-20994 | Postinstall fails when upgrading due to an error enabling modular inputs. Workaround: The enablement of modular inputs during post-install can lead to failures if the role performing the install is missing capabilities. |
2019-10-02 | SOLNESS-20348 | Per Panel Filters: When applied, they prevent results from being shown. Workaround: Do not use per-panel filtering on the Threat Activity page, or disable it by nulling out the ppf token in DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml: `<set token="ppf"></set>` |
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causing TLS handshake failure on TAXII feeds Workaround: Update libtaxii to version 1.1.114 in SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib |
2019-08-23 | SOLNESS-19854, SOLNESS-20018 | Attempt to 'stop managing' produces an error: could not be found |
2019-08-20 | SOLNESS-19835 | Content Management: Audit - Index Readiness search consuming too many disk resources |
2019-07-16 | SOLNESS-19413, SOLNESS-20461 | Threat Intelligence Samples Removed in ES 6.0 |
2019-07-04 | SOLNESS-19368 | iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security |
2019-06-28 | SOLNESS-19321 | Dropdown menus on ES Configuration Health & HTTP Category Analysis look odd when an investigation has been selected |
2019-06-20 | SOLNESS-19277 | Manual Notable Event Creation: orig_time does not persist proper _time from event |
2019-06-13 | SOLNESS-19167, SOLNESS-19186 | Next Steps disappear when creating Short ID. |
2019-05-29 | SOLNESS-19047 | Drilldowns from XML pages with special characters open an empty search page. Workaround: Upgrade to Splunk 7.1.8, 7.2.8, or 7.3.2 |
2019-05-15 | SOLNESS-18935 | Analytic Story Details View - Empty References Bullet |
2019-05-03 | SOLNESS-18821 | Asset/Identity Investigators on first load progress balls on bottom of page and side of page need to be removed |
2019-05-01 | SOLNESS-18806, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup |
2019-04-30 | SOLNESS-18801, SOLNESS-18790 | SA-ThreatIntelligence/default/savedsearches.conf has action.keyindicator.drilldown_uri key twice |
2019-04-30 | SOLNESS-18800, SOLNESS-18789 | SA-EndpointProtection/default/savedsearches.conf has schedule_window key twice |
2019-04-26 | SOLNESS-18773 | "No module named six" import error from various scripts on 5.3.0 + Windows. Workaround: Contact support to get the replacement log.py script that is attached to the Jira issue. Replace log.py in the following locations: `$SPLUNK_HOME\etc\apps\SA-Utils\lib\SolnCommon\log.py` and `$SPLUNK_HOME\etc\apps\SplunkEnterpriseSecuritySuite\lib\SplunkEnterpriseSecuritySuite\log.py` |
2019-04-26 | SOLNESS-18774, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup |
2019-04-12 | SOLNESS-18662 | whois modular input does not permit realm specifications for api_user or proxy_user Workaround: Remove realm from credential. |
2019-04-12 | SOLNESS-18661 | Hardcoded http URI in whois_handlers.py |
2019-04-11 | SOLNESS-18656, SOLNESS-19159 | Identity correlation not favoring string lookup over CIDR when max_memtable_bytes exceeded |
2019-04-08 | SOLNESS-18603 | Incident Review: eventCount does not match resultCount, causing display issues (such as events being displayed twice). Workaround: Set `phased_execution_mode` to `singlethreaded` in limits.conf: `[search] phased_execution_mode = singlethreaded` |
2019-04-01 | SOLNESS-18541, SOLNESS-18325 | Asset Investigator: drilldown for notables isn't working |
2019-04-01 | SOLNESS-18539, SOLNESS-18376, SOLNESS-18765 | IR: cs link has target=_bank causing windows to be re-used |
2019-04-01 | SOLNESS-18535, SOLNESS-18437 | SDL editor: editor reports "cannot create lookup" when invalid cron schedule has been entered |
2019-03-29 | SOLNESS-18521, SOLNESS-18523 | Adaptive Responses are truncated in the correlation search editor page |
2019-03-28 | SOLNESS-18518, SOLNESS-18993 | ES AR UI fully breaks on single "bad" AR HTML UI |
2019-03-25 | SOLNESS-18447, SOLNESS-18534 | Progress bar freezes when deleting multiple investigations Workaround: Refresh the page. The investigations are still deleted. |
2019-03-15 | SOLNESS-18377, SPL-167855 | Workbench: custom visualizations don't work in workbench |
2019-02-12 | SOLNESS-17965 | "Email Address Matches" generating search is not domain matching properly. Workaround: The following override can be applied locally or via the UI, in DA-ESS-ThreatIntelligence/local/savedsearches.conf under the stanza `[Threat - Email Address Matches - Threat Gen]`, as the value of `search`: `` \| `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email \| eval email='All_Certificates.SSL.ssl_issuer_email' \| eval threat_match_field="ssl_issuer_email" \| `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email \| eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) \| eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) \| `sistats_values_rename(All_Certificates.src,src)` \| `sistats_values_rename(All_Certificates.dest,dest)` \| `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user \| eval email=if(isnull(email),'All_Email.src_user',email) \| eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) \| `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient \| eval email=if(isnull(email),'All_Email.recipient',email) \| eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) \| `sistats_values_rename(All_Email.src,src)` \| `sistats_values_rename(All_Email.dest,dest)` \| stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field \| extract cim_email_domain \| `truncate_domain_dedup(email_domain,truncated_email)` \| lookup update=true threatintel_by_email email OUTPUT \| lookup update=true threatintel_by_email_wildcard email OUTPUTNEW \| lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW \| lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW \| search threat_collection_key=* \| `mvtruncate(src)` \| `mvtruncate(dest)` \| `zipexpand_threat_matches` \| table sourcetype,src,dest,email,threat*,weight `` |
2019-01-09 | SOLNESS-17442, STREAM-4110 | Stream SSL and DNS Activity views conflict with Enterprise Security's SSL and DNS Activity views. Workaround: Prevent the Splunk App for Stream from exporting views globally via a local metadata override, in ../apps/splunk_app_stream/metadata/local.meta: `[views] export = none` |
2018-12-23 | SOLNESS-17394, SOLNESS-19303 | Threat Activity dashboard shows no results on load |
2018-10-03 | SOLNESS-16682, SPL-170703 | Internal Error: Missing a search command before * |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0