Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Date filed | Issue number | Description

2020-08-28 | SOLNESS-23821 | lookup_table_custom_rest_handler does NOT support symlinks.
    Workaround: Use mount points instead of symlinks. If that is not possible, contact Splunk Support.

2020-07-30 | SOLNESS-23521 | Identity Management: only transforms from specific apps are displayed in the "New Asset" modal.

2020-07-14 | SOLNESS-23451 | Notable Event Framework: correlation searches converted from Extreme Search (XS) to MLTK did not have their tokens updated.
    Workaround: In savedsearches.conf, update rule_description for the following correlation searches to the values below.

    [Network - Unusual Volume of Network Activity - Rule]
    action.notable.param.rule_description = An unusual volume of network activity was detected. $src_count$ unique sources have generated network traffic in the past 15 minutes and $total_count$ network events have been observed in the same time period.

    [Network - Substantial Increase in Port Activity (By Destination) - Rule]
    action.notable.param.rule_description = A statistically significant increase in the volume of activity on port $dest_port$ was noted. Today's value is $dest_port_traffic_count$.

    [Network - Substantial Increase in an Event - Rule]
    action.notable.param.rule_description = A statistically significant increase in the volume of $signature$ events was noted. Today's value is $ids_attacks$.
2020-05-13 | SOLNESS-22828 | Notable event status or owner is sometimes wrong because of the size of the incident_review collection.
    Workaround: Set max_rows_per_query in limits.conf to a value greater than the number of rows in the incident_review_lookup collection, then restart Splunk.
    To check the current size of the collection, run this search on the ES search head (replace <ES SH> with its host name):

    index=_introspection host=<ES SH> sourcetype=kvstore "data.ns"="SA-ThreatIntelligence.incident_review" | stats max(data.count) AS count

    If this count is larger than the max_rows_per_query limit in limits.conf, increase the limit on the search head(s):

    [kvstore]
    max_rows_per_query = <a value larger than the count above>

    Restart Splunk afterwards.
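The check above can be scripted so it is repeatable as the collection grows. The following is an added example, not Splunk code: it reproduces the `stats max(data.count)` step over constructed introspection events, reads `[kvstore] max_rows_per_query` from limits.conf text with Python's configparser, and emits an updated stanza when the limit is not strictly greater than the row count. The sample conf, the sample events, the 25% headroom factor and the assumed shipped default of 50000 are all assumptions made for the example.

```python
import configparser
import io

# Assumed shipped default for [kvstore] max_rows_per_query (check limits.conf.spec
# for your Splunk version); used only when limits.conf does not set the key.
DEFAULT_MAX_ROWS_PER_QUERY = 50000

# Constructed sample of a search head's local/limits.conf (not a real file).
SAMPLE_LIMITS_CONF = """\
[kvstore]
max_rows_per_query = 50000
"""

# Constructed stand-ins for events returned by the _introspection search above;
# only the two fields the search uses (data.ns, data.count) are modelled.
SAMPLE_INTROSPECTION_EVENTS = [
    {"data": {"ns": "SA-ThreatIntelligence.incident_review", "count": 58000}},
    {"data": {"ns": "SA-ThreatIntelligence.incident_review", "count": 62000}},
    {"data": {"ns": "SA-ThreatIntelligence.threat_activity", "count": 900000}},
]


def max_count_for_collection(events, ns):
    """Equivalent of `| stats max(data.count) AS count` restricted to one data.ns."""
    counts = [e["data"]["count"] for e in events if e.get("data", {}).get("ns") == ns]
    return max(counts) if counts else 0


def current_limit(conf_text):
    """Read [kvstore] max_rows_per_query from limits.conf text, or the assumed default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if cp.has_option("kvstore", "max_rows_per_query"):
        return int(cp.get("kvstore", "max_rows_per_query"))
    return DEFAULT_MAX_ROWS_PER_QUERY


def needs_increase(collection_count, conf_text):
    """True when the limit is not strictly greater than the collection size."""
    return current_limit(conf_text) <= collection_count


def required_limit(collection_count, headroom=1.25):
    """A limit strictly greater than the count, with headroom (assumed 25%) so the
    collection can keep growing before the symptom returns."""
    return int(collection_count * headroom) + 1


def updated_limits_conf(collection_count, conf_text):
    """Return limits.conf text with max_rows_per_query raised, or unchanged if it is already large enough."""
    if not needs_increase(collection_count, conf_text):
        return conf_text
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("kvstore"):
        cp.add_section("kvstore")
    cp.set("kvstore", "max_rows_per_query", str(required_limit(collection_count)))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    ns = "SA-ThreatIntelligence.incident_review"
    count = max_count_for_collection(SAMPLE_INTROSPECTION_EVENTS, ns)
    print("incident_review rows:", count, "current limit:", current_limit(SAMPLE_LIMITS_CONF))
    if needs_increase(count, SAMPLE_LIMITS_CONF):
        print(updated_limits_conf(count, SAMPLE_LIMITS_CONF))
        print("deploy this to every ES search head and restart Splunk on each")
```

The comparison is `<=` rather than `<` on purpose: the workaround requires the limit to be greater than the collection size, so a limit equal to the row count still needs raising. Apply the resulting stanza to local/limits.conf on every search head that serves Incident Review, not only the one where the search was run.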
2020-05-11 | SOLNESS-22809 | CustomSearchBuilder: the retention component for a KV store backed search-driven lookup does not work.

2020-03-23 | SOLNESS-22110 | Threat Intelligence: the MaxMind ASN database can no longer be consumed.

2020-02-20 | SOLNESS-21817, SOLNESS-21910 | When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get the error message "Notable status of label <number> does not exist."
    Workaround: Manually clean up reviewstatuses.conf to reduce the number of statuses to 30 or fewer.

2020-02-13 | SOLNESS-21783 | Incident Review does not load when read permissions on the pertinent lookups are limited to select roles.

2019-03-15 | SOLNESS-18377, SPL-167855 | Workbench: custom visualizations do not work in Workbench.
This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.1