Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. To resolve redirect errors, you must use the version selector on the ES documentation homepage to navigate between the versions.

Known issues

Date filed Issue number Description
2025-04-29 BLUERIDGE-16107 ACS request fails in SHC for querying IP allow list
2025-04-29 BLUERIDGE-16077, BLUERIDGE-15433, BLUERIDGE-16189 Reflect the MC note created_time/updated_time on findings' update_time
2025-04-22 BLUERIDGE-16006, BLUERIDGE-15855 Wrong id sent while bulk update Assign to me for a finding
2025-04-17 BLUERIDGE-15954 Searches on the Analyst Queue might not work with immutable data when the Splunk OR operator is used.
2025-04-16 BLUERIDGE-15899 Large number of tokens generated during mc soar allowlist validation
2025-03-06 BLUERIDGE-15501 Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.

Workaround:
Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.

Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster

Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows.

If you are using Splunk Enterprise Security (on-prem), run the following CURL command:
curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>"


If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal.

2025-03-03 BLUERIDGE-15433, BLUERIDGE-16077 Last updated field shows N/A after reloading
2025-02-28 BLUERIDGE-15425 Next Steps in Finding Groups change when an edit is made to the Detection
2025-02-27 BLUERIDGE-15407 Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-"
2024-11-18 BLUERIDGE-13527 Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panel

Workaround:
Close and re-open the side-panel or select another finding.
2024-10-22 BLUERIDGE-13380, BLUERIDGE-13575 The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sources

Workaround:
Remove `source` before sending to detection.

add `| fields - source` to end of search

2024-10-18 BLUERIDGE-13101 Users can create a finding with an empty name for a custom field
2024-10-17 BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere
2024-10-16 BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes
2024-10-15 BLUERIDGE-12966 Eventtypes based on the notable index will not match investigations since they aren't from the notable index
2024-10-14 BLUERIDGE-12939 Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added
2024-10-09 BLUERIDGE-12864 Missing validation in UI while adding duplicate Finding fields in AQ settings page
2024-09-27 BLUERIDGE-12602, BLUERIDGE-11983 Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions
2024-09-13 BLUERIDGE-12347 Prompt modal shows reference ID and HRID combined instead of HRID for investigations
2024-09-09 BLUERIDGE-12190 Automation tab may appear for users who cannot run playbooks
2024-09-06 BLUERIDGE-12176 Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog
2024-09-03 BLUERIDGE-12100 Included findings table in AQ side panel is not sortable
2024-08-20 BLUERIDGE-11791, BLUERIDGE-11790 Missing input validation for file upload size
2024-05-13 BLUERIDGE-9351 Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing


Date filed Issue number Description
2022-03-25 SINT-7432 Cloning MITRE is blocked in the UI for several back releases.

See also

For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).

Last modified on 30 April, 2025
Fixed Issues   Limitations

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.40

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters