Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. To resolve redirect errors, you must use the version selector on the ES documentation homepage to navigate between the versions.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues

Date filed Issue number Description
2024-12-03 SOLNESS-48316, SOLNESS-48522 Max_size Error for Threat Input Source : Feed Discarded Despite Adjusted Settings

Workaround:
N/A..
2024-12-02 SOLNESS-48285, SOLNESS-47969 Threat - Threat List Activity - Rule Search is missing Risk Message
2024-11-05 SOLNESS-47715 Threat match configuration that uses Endpoint datasets do not show default metakey _time sourcetype source host

Workaround:
It Is not advised to edit the default datamodel (unless you have already done it), for this specific is better to await for changes to be officially onboarded on the future splunk SA_CIM datamodel structure. If you modify the Datamodel, any future changes "Default made" set by splunk official app may not be applied (local changes of the datamodel will take precedence upon any future default changes made by splunk to that datamodel pushed though an update) . Instead if you have already modified this datamodel and it misses these fields please apply these changes:
  1. Stop the Datamodel acceleration (if enabled) which has these field missing under the field list: _time=* sourcetype=* host=* source=*
  2. Add these missing fields into each dataset

_time=* sourcetype=* host=* source=* (could be necessary to add index="NAME OF THE INDEXES" unless specified within the linked macro

  1. Edit the dataset extracted fields and checkbox _time=* sourcetype=* host=* source=*
  2. save the changes
  3. enable acceleration if it was enabled
  4. edit affected threat matching datasets by adding these matching fields
2024-10-22 SOLNESS-47561, BLUERIDGE-13686 After stack creation the disposition and finding/investigation status values are not populated on AQ page side panel for some time

Workaround:
This is known issue for ES 8.0.0 amd 8.0.1. To get around this, the customer can manually run the Template:Administrative reload modinput which hydrates their kvstore data.

{noformat}administrative_reload (modinput) -> adminstrative_redload.py -> packages/app-ess/apps/SA-ThreatIntelligence/package/bin/reviewstatuses_rest_handler.py handleReload function -> Read conf file and updates the kvstore record{noformat}


Date filed Issue number Description
2025-03-18 BLUERIDGE-15547 Records of findings are not visible in an investigation after 30 days.
2025-03-18 BLUERIDGE-15562 The Investigation Overview page does not show investigation data when all findings are deleted from the investigation.
2025-03-06 BLUERIDGE-15501 Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.

Workaround:
Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.

Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster

Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows.

If you are using Splunk Enterprise Security (on-prem), run the following CURL command:
curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>"


If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal.

2025-02-17 BLUERIDGE-15280 Summary fields not rendered on Investigations Overview
2025-02-14 BLUERIDGE-15218 IR Table field "label1" got changed to "Destination" after Upgrade
2025-01-17 BLUERIDGE-14236 Front end checks as part of PO automation.

Workaround:
Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required.
2024-12-19 BLUERIDGE-14052, BLUERIDGE-13938 Removing investigation type description completely causes stuck loading spinner
2024-11-25 BLUERIDGE-13617 Do not show feedback controls while streaming response (show only after the whole response has come through)
2024-11-18 BLUERIDGE-13527 Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panel

Workaround:
Close and re-open the side-panel or select another finding.
2024-11-18 BLUERIDGE-13526 Embedded workbench field action shows on the investigation details page without being requested

Workaround:
Close the embedded workbench dialog
2024-11-18 BLUERIDGE-13528 Multiple workflow field actions can be opened on the investigation details page

Workaround:
Click any whitespace to close the workflow action
2024-11-07 BLUERIDGE-13415 Analyst Queue; filtering on a title returns only Findings and not Investigations
2024-11-04 BLUERIDGE-13359, BLUERIDGE-11468 Legacy URL parameters are not handled correctly in Analyst Queue (those that start with with "form.")

Workaround:
Re-run the search on the Analyst Queue
2024-10-22 BLUERIDGE-13380, BLUERIDGE-13575 The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sources

Workaround:
Remove `source` before sending to detection.

add `| fields - source` to end of search

2024-10-22 BLUERIDGE-13172 Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity
2024-10-18 BLUERIDGE-13101 Users can create a finding with an empty name for a custom field
2024-10-17 BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere
2024-10-16 BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes
2024-10-15 BLUERIDGE-12966 Eventtypes based on the notable index will not match investigations since they aren't from the notable index
2024-10-14 BLUERIDGE-12939 Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added
2024-10-10 BLUERIDGE-12912, BLUERIDGE-13032 Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation
2024-10-09 BLUERIDGE-12864 Missing validation in UI while adding duplicate Finding fields in AQ settings page
2024-09-27 BLUERIDGE-12602, BLUERIDGE-11983 Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions
2024-09-13 BLUERIDGE-12347 Prompt modal shows reference ID and HRID combined instead of HRID for investigations
2024-09-10 BLUERIDGE-12231 The usernames in nested findings do not use the account real-names (unlike the search results)
2024-09-09 BLUERIDGE-12221 Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be reverted

Workaround:
Re-run the search on Analyst Queue to see the most recent changes
2024-09-09 BLUERIDGE-12190 Automation tab may appear for users who cannot run playbooks
2024-09-06 BLUERIDGE-12176 Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog
2024-09-03 BLUERIDGE-12100 Included findings table in AQ side panel is not sortable
2024-08-20 BLUERIDGE-11791, BLUERIDGE-11790 Missing input validation for file upload size
2024-05-13 BLUERIDGE-9351 Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing


Date filed Issue number Description
2025-01-27 SINT-7114 Invalid unicode characters (like emojis) cause TAXII errors
2024-11-21 SINT-6969, SINT-7056, SINT-7095 Unable to populate URL threat intel feed for Accenture Cyware

Workaround:
Increased max_size parameter in configuration but it does not resolve the issue. (From past case)

G-drive link for SH diag - [1]

See also

For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).

Last modified on 24 March, 2025
Fixed issues   Limitations

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters