Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
|Date filed||Issue number||Description|
|2018-02-20||SOLNESS-14637||Splunk Web doesn't start after upgrading Splunk Enterprise Security|
Remove Advanced XML module folder and contents from the installation.
|Date filed||Issue number||Description|
|2020-07-30||SOLNESS-23521||Identity Management: Only transforms from specific apps are being displayed on "New Asset" modal|
|2020-05-13||SOLNESS-22828||Notable event status or owner sometimes are wrong because of size of incident_review collection|
Set max_rows_per_query in limits.conf to a size greater than the size of the incident_review_lookup collection and restart Splunk.
To check this:
index=_introspection host+<ES SH> sourcetype=kvstore "data.ns"="SA-ThreatIntelligence.incident_review" | stats max(data.count) AS count
And if this count is bigger than the max_rows_per_query limit in limits.conf, increase it on the search head(s):
limits.conf: [kvstore] max_rows_per_query = <something bigger than the count above>
and restart Splunk afterwards.
|2020-05-11||SOLNESS-22809||CustomSearchBuilder: Retention component for kvstore backed search-driven-lookup not working|
Update the Correlation Search to remove a list of special characters that have special meaning in regex, so the title of the Notable Event will not have these characters:
|2020-04-02||SOLNESS-22269, SOLNESS-21618||CSB build request includes query string + lookup count exceed|
|2020-03-23||SOLNESS-22110||Threat Intelligence: Maxmind ASN database can no longer be consumed|
|2020-03-05||SOLNESS-21951||Unable to Turn Off Acceleration Enforcement on Data Models|
Use cURL or CLI to modify dm_accel_settings. For instance:
curl -ku admin https://soln-esnightly2.sv.splunk.com:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/inputs/dm_accel_settings/Web --data "acceleration=false&manual_rebuilds=false&output_mode=json" | python -m json.tool
|2020-02-28||SOLNESS-21907, SOLNESS-21911||Threat Intelligence Manager: Incomplete/Orphaned stanzas will cause the manager to exit|
|2020-02-24||SOLNESS-21847||Threat Intelligence Framework: When download is anything other than TAXII we change file extension|
|2020-02-24||SOLNESS-21848||Threat Intelligence Framework: Files in pickup dirs when sinkhole not in use causing large SHC Snapshots|
|2020-02-20||SOLNESS-21817, SOLNESS-21910||When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get an error message "Notable status of label <number> does not exist."|
Manually clean up reviewstatuses.conf to reduce number of statuses down to 30 or less:
|2020-02-13||SOLNESS-21783||Incident Review does not load when read permissions on pertinent lookups are limited to select roles|
|2020-01-30||SOLNESS-21575||A&I breaks when source lookups contain _key field|
|2020-01-24||SOLNESS-21306||Missing README directory on SHC member causes app instability|
|2020-01-16||SOLNESS-21220, SOLNESS-21618||Identity Management: Preview search request issued via query string (issue for IE)|
|2020-01-07||SOLNESS-21102, SOLNESS-21222||Risk Framework: Lookup Gen search are not dedup mv fields which is skewing results on IR Page|
|2020-01-05||SOLNESS-21093||"Endpoint Changes" dashboard panels missing "datamodel=" resulting in missing results from "Endpoint.Filesystem" datamodel|
The panels for "Endpoint Changes By Action", "Endpoint Changes By Type" and "Endpoint Changes By System"
all have the first | tstats missing a "datamodel="
| `tstats` count from Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ...
| `tstats` count from datamodel=Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ...
|2019-12-13||SOLNESS-21001||Identity Management: Inferred/Implicit "identity" key values can cause unintended identity record merges|
In ES 6.0 we merge Asset and Identity records which have overlapping secondary keys ("asset" and "identity" fields respectively). When this is combined with inferred/implicit key values based on email, email_short and/or convention based mapping, it's possible that unintended records are merged.
If you are *not* interested in the inferred/implicit identity values (i.e. email, email_short), simply disable on an input-by-input basis by using the "Asset and Identity Management" UI to uncheck or remove conventions as needed for each input.
|2019-12-10||SOLNESS-20951, SOLNESS-20994||Postinstall fails when upgrading due to error enabling modular inputs|
The enablement of modular inputs during post-install can lead to failures if the role performing the install is missing capabilities.
|2019-11-13||SOLNESS-20746, SOLNESS-20544||Identity Management: Entity Merge search is failing due to improper temporary key unsetting|
|2019-10-02||SOLNESS-20348||Per Panel Filters: When applied prevent results from being shown|
Do not use per-panel filtering on the Threat Activity page or disable it by nulling out the ppf token in DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml
|2019-05-29||SOLNESS-19047||Drilldowns from XML pages with special characters opens empty search page|
Upgrade to Splunk 7.1.8, 7.2.8, 7.3.2
|2019-03-15||SOLNESS-18377, SPL-167855||Workbench: custom visualizations don't work in workbench|
|2019-01-09||SOLNESS-17442, STREAM-4110||Stream SSL and DNS Activity views conflicts with Enterprise Security's SSL and DNS Activity views|
Please prevent the Splunk app for Stream from exporting views globally via local metadata override.
# ## in ../apps/splunk_app_stream/metadata/local.meta [views] export = none
|2018-10-03||SOLNESS-16682, SPL-170703||Internal Error: Missing a search command before *|
Fixed Issues for Splunk Enterprise Security
How to find answers and get help with Splunk Enterprise Security