Known issues for Splunk Enterprise Security
Splunk Enterprise Security 7.0.2 was released on October 5, 2022. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.
This release includes the following known issues.
Date filed | Issue number | Description |
---|---|---|
2023-11-30 | SOLNESS-40082 | Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher. |
2023-02-22 | SOLNESS-34979 | Threatlists might be re-downloaded every 30-60 seconds. |
2023-01-27 | SOLNESS-34582 | Update the language for field and field description in Correlation Search Editor. |
2022-12-28 | SOLNESS-34278 | Failed to clone search - ES 7.0.2 |
2022-12-19 | SOLNESS-34219 | Workflow action on ES does not populate the $field$ in Incident Review. |
2022-12-16 | SOLNESS-34200 | Workflow actions do not work as expected. |
2022-12-15 | SOLNESS-34193 | Content Management does not show "Search and Reporting" app in ES 7.0.2 and 7.1. Workaround: None |
2022-12-06 | SOLNESS-33999 | Classic Content Management page stuck at "Loading" |
2022-11-17 | SOLNESS-33744 | The eventtype website_watchlist does not exist or is disabled due to empty searches in the default eventtypes from DA-ESS-NetworkProtection. Workaround: Disable the eventtypes locally and set a pseudo value for the search (although only disabling the eventtypes should be necessary). In the `[website_watchlist]` stanza, set `search = noop`. In `DA-ESS-NetworkProtection/local/tags.conf`, in the `[eventtype=website_watchlist]` stanza, set `watchlist = disabled` and `web_watchlist = disabled`. |
2022-10-31 | SOLNESS-33301 | The collectrisk.py generates risk events that duplicate the origin event. |
2022-10-03 | SOLNESS-32865 | Upgrade "All Investigations" list in Investigation bar uses React instead of the "swc bootstrap" dropdown. |
2022-09-23 | SOLNESS-32806, SOLNESS-32822 | Visual differences seen in the UI while performing Splunk 9.0.2208.2 sanity testing. |
2022-09-21 | SOLNESS-32798 | Special character handling issues for risk objects in Incident Review. Workaround: If a correlation search is handling special characters incorrectly, then the drill-down search within the notable under Adaptive Response Actions must be updated. Change the tokenized value that is wrapped in quotes by removing the quotes and adding the correct token filter, in this case `|s`. For example, within the correlation search "Risk Threshold Exceeded For Object Over 24 Hour Period", update the risk object within the Adaptive Response Action drill-down search for the notable. Change the risk object in the SPL from `risk_object="$risk_object$"` to `risk_object=$risk_object|s$`. |
2022-09-14 | SOLNESS-32646 | Saved searches in Content Management can be enabled or disabled with a bulk update but not using the Actions column. |
2022-09-14 | SOLNESS-32650 | Clicking on a risk factor in the Content Management always displays the first risk factor. |
2022-09-14 | SOLNESS-32647 | Saved searches created in the Content Management page with private settings are not displayed. |
2022-08-11 | SOLNESS-32131 | Unable to edit lookup files in Splunk Enterprise Security using Content Management. |
2022-07-07 | SOLNESS-31600 | Using "nobody" as the owner of savedsearches shipped with Splunk Enterprise Security. |
2022-06-24 | SOLNESS-31447 | Workflow actions for Incident Review open in a new window for an open search in the current window where the setting for type is "search in event_menu". |
2022-03-01 | SOLNESS-30155 | Make Contributing Events Link always work in Risk Event Timeline |
2022-01-31 | SOLNESS-29825 | Short IDs created before upgrading to ES 7.0 do not show up in Incident Review even though the Short ID is in the notable_xref_lookup. Workaround: When you upgrade Splunk Enterprise Security to versions 7.0.0 or higher, the short IDs for notables that were created prior to the upgrade are not displayed on the Incident Review page. However, you can recreate all the short IDs that were available prior to the upgrade. |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.2