The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. To resolve redirect errors, you must use the version selector on the ES documentation homepage to navigate between the versions.
Known issues
| Date filed | Issue number | Description |
|---|---|---|
| 2025-02-21 | SOLNESS-49794 | Discrepancy when saving custom FBD with versioning off/on |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-03-13 | BLUERIDGE-15531 | MC Title Column Filter only searches Findings and not Investigations |
| 2025-03-11 | BLUERIDGE-15514 | Splunk core inserts hostname into Mission Control tab in the navbar when SAML authenticated and there's no `name` attribute defined, causing redirection error Workaround: Press the big mission control button on the main ES page to access the mission control page. |
| 2025-03-11 | BLUERIDGE-15515, MCHELP-521 | After upgrade of Enterprise Security (ES) to ES 8.0.2, customer's Incident Review (Analyst Queue) filters are broken |
| 2025-03-10 | BLUERIDGE-15508 | Users cannot search with SPL in AQ Search Bar |
| 2025-03-10 | BLUERIDGE-15507 | Pairing errors "Invalid credentials" even after being provided credentials |
| 2025-03-07 | BLUERIDGE-15505 | SidePanel breaks for findings with variable called `comment` |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues. Workaround: Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.
Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:
|
| 2025-03-03 | BLUERIDGE-15433 | Last updated field shows N/A after reloading |
| 2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
| 2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
| 2025-02-19 | BLUERIDGE-15342 | Auto Populated ES URL on Pairing page does not match expected ES URL on Azure SHC |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation. Workaround: Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panel Workaround: Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requested Workaround: Close the embedded workbench dialog |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-11-04 | BLUERIDGE-13359, BLUERIDGE-11468 | Legacy URL parameters are not handled correctly in Analyst Queue (those that start with with "form.") Workaround: Re-run the search on the Analyst Queue |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sources Workaround: Remove `source` before sending to detection. add
`| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be reverted Workaround: Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
See also
For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).
Last modified on 27 March, 2025
| Fixed issues | Limitations |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.3
Download manual
Feedback submitted, thanks!