Splunk® Enterprise Security

Release Notes



Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed Issue number Description
2018-02-20 SOLNESS-14637 Splunk Web doesn't start after upgrading Splunk Enterprise Security

Workaround:
Remove the Advanced XML module folder and its contents from the installation. For instance:

$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor


Uncategorized issues

Date filed Issue number Description
2020-07-30 SOLNESS-23521 Identity Management: Only transforms from specific apps are being displayed on "New Asset" modal
2020-05-13 SOLNESS-22828 Notable event status or owner sometimes are wrong because of size of incident_review collection

Workaround:
Set max_rows_per_query in limits.conf to a value greater than the number of rows in the incident_review KV Store collection (the collection behind incident_review_lookup), then restart Splunk.

To check the collection size on the ES search head:

index=_introspection host=<ES SH> sourcetype=kvstore "data.ns"="SA-ThreatIntelligence.incident_review" | stats max(data.count) AS count

If this count is equal to or larger than the max_rows_per_query limit in limits.conf, increase the limit on the search head(s):

limits.conf:
[kvstore]
max_rows_per_query = <something bigger than the count above>

and restart Splunk afterwards.

2020-05-11 SOLNESS-22809 CustomSearchBuilder: Retention component for kvstore backed search-driven-lookup not working
2020-04-09 SOLNESS-22356 Suppressing notable event gives a javascript error when the title contains special characters such as

Workaround:
Update the correlation search so that the title of the notable event does not contain any of the following characters, which have special meaning in regular expressions:
[\^$.|?*+()
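The following is an added example, not code from the Splunk ES documentation or product. It strips the characters listed above from a notable event title, derives the matching regex character class from the same set so the two cannot drift apart, and flags titles that would hit the suppression error. The sample titles are constructed for the example.

```python
# Added example (not from the Splunk ES documentation or product): remove the
# regex metacharacters that trigger the suppression error from a notable event
# title, and derive the matching regex character class so the same character
# set can be applied elsewhere. Sample titles are constructed.
import re

# Exactly the characters listed in the workaround for SOLNESS-22356.
REGEX_METACHARACTERS = frozenset("[\\^$.|?*+()")


def sanitize_title(title: str, drop: frozenset = REGEX_METACHARACTERS) -> str:
    """Drop every character in `drop`; all other characters are kept as-is."""
    return "".join(ch for ch in title if ch not in drop)


def has_metacharacters(title: str, drop: frozenset = REGEX_METACHARACTERS) -> bool:
    """True if the title contains a character from the workaround's list."""
    return any(ch in drop for ch in title)


def metachar_class(drop: frozenset = REGEX_METACHARACTERS) -> str:
    """Regex character class matching the same set; each member is escaped so it
    is literal inside the class (the backslash itself becomes two backslashes)."""
    return "[" + "".join(re.escape(ch) for ch in sorted(drop)) + "]"


def sanitize_title_regex(title: str, drop: frozenset = REGEX_METACHARACTERS) -> str:
    """Same result as sanitize_title, via re.sub with the generated class."""
    return re.sub(metachar_class(drop), "", title)


# Constructed sample titles (not from a real ES instance).
SAMPLE_TITLES = [
    "Brute force from 10.0.0.5 (3 users) - see $HOME/*.log",
    "Unusual login for jdoe",
]

if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(has_metacharacters(t), "|", sanitize_title(t))
    print(metachar_class())
```

Two practical notes. Because `.` is on the list, stripping it also mangles IP addresses and hostnames in the title (the first sample becomes `Brute force from 10005 3 users ...`), so apply this to the title field only and keep the original values in other notable fields. The page's list omits `]`, `{` and `}`, which also carry regex meaning; pass a wider set via `drop` if you want them removed too. The class string from `metachar_class()` can be reused in the correlation search's own eval (for example with the `replace()` eval function), but check how your Splunk version quotes backslashes inside eval string literals before relying on the generated escaping.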


2020-04-02 SOLNESS-22269, SOLNESS-21618 CSB build request includes query string + lookup count exceed
2020-03-23 SOLNESS-22110 Threat Intelligence: Maxmind ASN database can no longer be consumed
2020-03-05 SOLNESS-21951 Unable to Turn Off Acceleration Enforcement on Data Models

Workaround:
Use cURL or the CLI to modify dm_accel_settings. For instance, to turn off acceleration for the Web data model (the last path component names the data model; replace the host with your ES search head):

curl -ku admin \
  "https://soln-esnightly2.sv.splunk.com:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/inputs/dm_accel_settings/Web" \
  --data "acceleration=false&manual_rebuilds=false&output_mode=json" | python -m json.tool
2020-02-28 SOLNESS-21907, SOLNESS-21911 Threat Intelligence Manager: Incomplete/Orphaned stanzas will cause the manager to exit
2020-02-24 SOLNESS-21847 Threat Intelligence Framework: When download is anything other than TAXII we change file extension
2020-02-24 SOLNESS-21848 Threat Intelligence Framework: Files in pickup dirs when sinkhole not in use causing large SHC Snapshots
2020-02-20 SOLNESS-21817, SOLNESS-21910 When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get an error message "Notable status of label <number> does not exist."

Workaround:
Manually edit reviewstatuses.conf to reduce the number of statuses to 30 or fewer. The file can exist in either of these locations (relative to $SPLUNK_HOME):
./etc/apps/SA-ThreatIntelligence/local/reviewstatuses.conf
./etc/apps/SplunkEnterpriseSecuritySuite/local/reviewstatuses.conf
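The following is an added example, not Splunk's code, covering two of the workarounds above: the max_rows_per_query check for SOLNESS-22828 and the status count for SOLNESS-21817. It contains a minimal reader for Splunk's INI-style .conf files that overlays layers the way Splunk does (later layers override keys, stanza names are unioned), then uses it to (1) compare the `[kvstore]` limit with the `max(data.count)` value returned by the introspection search and (2) count status stanzas across layered reviewstatuses.conf files. Assumptions, labelled in the code: 50000 as the default max_rows_per_query when none is set, one numbered stanza per status in reviewstatuses.conf, and a doubling-plus-rounding rule for the suggested new limit. The conf contents are constructed samples.

```python
# Added example (not Splunk's own code): a minimal reader for Splunk .conf files,
# used to (1) compare the kvstore max_rows_per_query limit with the observed
# incident_review collection size from the _introspection search, and (2) count
# the notable-event statuses defined across layered reviewstatuses.conf files.
# Assumes Splunk's INI-style conf syntax (stanzas in [brackets], key = value,
# # comments) and that each status is its own numbered stanza.
from __future__ import annotations

SPLUNK_DEFAULT_MAX_ROWS = 50000   # assumed default for [kvstore] max_rows_per_query
MAX_NOTABLE_STATUSES = 30         # limit reported for SOLNESS-21817


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse Splunk conf text into {stanza: {key: value}}. Keys that appear
    before the first stanza header are stored under "default"."""
    stanzas: dict[str, dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_conf(*layers: str) -> dict[str, dict[str, str]]:
    """Overlay conf layers (e.g. default, then local): later layers override
    keys and stanza names are unioned, mirroring Splunk's configuration layering."""
    merged: dict[str, dict[str, str]] = {}
    for layer in layers:
        for stanza, kv in parse_conf(layer).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def kvstore_limit_check(limits_conf: str, collection_count: int) -> tuple[bool, int]:
    """Return (needs_increase, value) for max_rows_per_query given the
    max(data.count) observed for SA-ThreatIntelligence.incident_review.
    The limit must be strictly greater than the collection size."""
    kv = merge_conf(limits_conf).get("kvstore", {})
    current = int(kv.get("max_rows_per_query", SPLUNK_DEFAULT_MAX_ROWS))
    if collection_count < current:
        return False, current
    # Assumed sizing rule: double the observed count and round up to 10000 so the
    # limit is not hit again as the collection grows.
    suggested = ((collection_count * 2) // 10000 + 1) * 10000
    return True, suggested


def notable_status_count(*reviewstatuses_layers: str) -> int:
    """Count status stanzas across layered reviewstatuses.conf files. Status
    stanzas are numeric; a "default" stanza is not a status."""
    merged = merge_conf(*reviewstatuses_layers)
    return sum(1 for name in merged if name.isdigit())


# Constructed sample inputs (not real configuration).
LIMITS_CONF = """
[kvstore]
max_rows_per_query = 50000
"""
DEFAULT_STATUSES = "\n".join(f"[{i}]\nlabel = status{i}\n" for i in range(6))
LOCAL_STATUSES = "\n".join(f"[{i}]\nlabel = custom{i}\n" for i in range(6, 38))

if __name__ == "__main__":
    needs, value = kvstore_limit_check(LIMITS_CONF, collection_count=73412)
    print(f"raise max_rows_per_query: {needs}, suggested {value}")
    n = notable_status_count(DEFAULT_STATUSES, LOCAL_STATUSES)
    print(f"{n} statuses defined; over limit: {n > MAX_NOTABLE_STATUSES}")
```

Feed `kvstore_limit_check` the effective limits.conf (for example the output of `splunk btool limits list kvstore` on the search head) and the count from the introspection search; feed `notable_status_count` the default file followed by each local file so overrides of the same stanza are counted once.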
2020-02-13 SOLNESS-21783 Incident Review does not load when read permissions on pertinent lookups are limited to select roles
2020-01-30 SOLNESS-21575 A&I breaks when source lookups contain _key field
2020-01-24 SOLNESS-21306 Missing README directory on SHC member causes app instability
2020-01-16 SOLNESS-21220, SOLNESS-21618 Identity Management: Preview search request issued via query string (issue for IE)
2020-01-07 SOLNESS-21102, SOLNESS-21222 Risk Framework: Lookup Gen search are not dedup mv fields which is skewing results on IR Page
2020-01-05 SOLNESS-21093 "Endpoint Changes" dashboard panels missing "datamodel=" resulting in missing results from "Endpoint.Filesystem" datamodel

Workaround:
The panels "Endpoint Changes By Action", "Endpoint Changes By Type" and "Endpoint Changes By System" all have a first `tstats` call that is missing "datamodel=":

| `tstats` count from Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ...

Change it to the following as a workaround:

| `tstats` count from datamodel=Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ...
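The following is an added example, not Splunk's code. It lints a Simple XML dashboard for `tstats` searches whose `from` clause names a data model object without the `datamodel=` keyword and shows the corrected query, so the same defect can be found in other views before the affected panels silently return nothing. The dashboard XML is constructed for the example, not the shipped view; the regex assumes the data model object is written as `Model.Object` and only edits the `from` clause.

```python
# Added example (not Splunk's code): lint a Simple XML dashboard for tstats
# searches whose "from" clause names a data model object without "datamodel=",
# and show the corrected query, as in the workaround for SOLNESS-21093.
# The dashboard below is constructed for the example, not the shipped view.
import re
import xml.etree.ElementTree as ET

# "from Endpoint.Filesystem" -> flagged; "from datamodel=Endpoint.Filesystem" -> fine.
# Assumes the data model object is written as Model.Object (at least one dot).
TSTATS_FROM = re.compile(
    r"(?i)(\bfrom\s+)(?!datamodel\s*=)([A-Za-z_]\w*\.[A-Za-z_][\w.]*)"
)


def fix_tstats_query(query: str) -> str:
    """Insert datamodel= into a tstats from clause that lacks it; otherwise return
    the query unchanged."""
    return TSTATS_FROM.sub(r"\1datamodel=\2", query)


def lint_dashboard(xml_text: str) -> list:
    """Return (panel title, original query, fixed query) for every <query> inside
    a <panel> that uses tstats and whose from clause is missing datamodel=."""
    root = ET.fromstring(xml_text)
    findings = []
    for panel in root.iter("panel"):
        title = (panel.findtext("title") or "").strip()   # first <title> child
        for q in panel.iter("query"):
            original = q.text or ""
            if "tstats" not in original:
                continue   # only tstats uses the datamodel= form
            fixed = fix_tstats_query(original)
            if fixed != original:
                findings.append((title, original, fixed))
    return findings


SAMPLE_DASHBOARD = """<dashboard>
  <row>
    <panel>
      <title>Endpoint Changes By Action</title>
      <chart>
        <search>
          <query>| `tstats` count from Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Already Correct</title>
      <chart>
        <search>
          <query>| `tstats` count from datamodel=Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.dest span=10m</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>"""

if __name__ == "__main__":
    for title, before, after in lint_dashboard(SAMPLE_DASHBOARD):
        print(f"{title}:\n  - {before}\n  + {after}")
```

The linter reports rather than rewrites the XML, because re-serialising the view through ElementTree would reflow the file; apply the reported replacement to a copy of the view under the app's local directory so the fix survives an upgrade.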
2019-12-13 SOLNESS-21001 Identity Management: Inferred/Implicit "identity" key values can cause unintended identity record merges

Workaround:
In ES 6.0, asset and identity records that have overlapping secondary keys (the "asset" and "identity" fields respectively) are merged. When this is combined with inferred/implicit key values based on email, email_short and/or convention-based mapping, unintended records can be merged.

If you are *not* interested in the inferred/implicit identity values (i.e. email, email_short), disable them on an input-by-input basis by using the "Asset and Identity Management" UI to uncheck or remove conventions as needed for each input.
If you are interested in the inferred/implicit identity values, consider relocating the overlapping items into their own identity_manager input so that conventions can be disabled just for that input.

2019-12-10 SOLNESS-20951, SOLNESS-20994 Postinstall fails when upgrading due to error enabling modular inputs

Workaround:
Enabling modular inputs during post-install can fail if the role performing the install is missing capabilities.

Verify that the role used to install (i.e. role_admin) inherits the additional roles shipped by ES (ess_admin, ess_analyst, ess_user), then re-run setup.

2019-11-13 SOLNESS-20746, SOLNESS-20544 Identity Management: Entity Merge search is failing due to improper temporary key unsetting
2019-10-02 SOLNESS-20348 Per Panel Filters: When applied prevent results from being shown

Workaround:
Do not use per-panel filtering on the Threat Activity page, or disable it by nulling out the ppf token in DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml:

<set token="ppf"></set>
2019-05-29 SOLNESS-19047 Drilldowns from XML pages with special characters opens empty search page

Workaround:
Upgrade to Splunk Enterprise 7.1.8, 7.2.8, or 7.3.2.
2019-03-15 SOLNESS-18377, SPL-167855 Workbench: custom visualizations don't work in workbench
2019-01-09 SOLNESS-17442, STREAM-4110 Stream SSL and DNS Activity views conflicts with Enterprise Security's SSL and DNS Activity views

Workaround:
Prevent the Splunk App for Stream from exporting its views globally by overriding the metadata locally:

## in ../apps/splunk_app_stream/metadata/local.meta
[views]
export = none
 
2018-10-03 SOLNESS-16682, SPL-170703 Internal Error: Missing a search command before *
Last modified on 12 March, 2021