Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to produce redirect errors. To resolve redirect errors, use the version selector on the ES documentation homepage to navigate between the versions.

Known issues

Date filed Issue number Description
2025-06-03 SOLNESS-51493 When creating a manual Finding in ES 8.1, the default (suggested) "Risk score" of zero is not accepted
2025-05-30 SOLNESS-51478 Key indicators are not loading

Workaround:
Create a new dashboard using Dashboard Studio with a Key Indicator block instead of creating a Classic Dashboard using simple XML.
2025-05-28 SOLNESS-51456 Filter bar above the table in Content Management disappears in 8.1.0 when choosing sequence templates

Workaround:
Refresh the page to reset the Content Management page and view the filters again. Sequence templates are no longer supported for editing.
2025-05-19 SOLNESS-51392 After upgrading to ES v8.0.40, the error "definition is invalid" appears when accessing the risk analysis dashboard

Workaround:
After upgrading ES to v8.0.40 or v8.1, an error message saying "Definition is invalid" appears when trying to access a dashboard that was modified before the upgrade.

When you encounter the error message, close the error modal, edit the dashboard through the UI, make a small change, and save. The definition is automatically updated to use the new schema, and the error message disappears. Revert the change and save again if needed. On the Risk Analysis page, which has no edit button, save a copy of the local definition file for restoration purposes, remove the local definition file from the backend, and restart.

2025-05-15 SOLNESS-51378 Editing the SPL for a dashboard panel data source has unexpected editing behavior

Workaround:
Cut out the whole search, paste it into an external editor, edit, then paste back in.
2025-05-07 SOLNESS-51489 Drilldown searches containing $_indextime$ as a token cannot be evaluated for Findings created by detections with Automation Rules configured

Workaround:
Update the token in the detection that has an automation rule configured to use $_time$ (the time when the finding was detected) instead of $_indextime$.
2025-05-05 SOLNESS-51141, SOLNESS-51156 The risk score displays even when no risk object exists.
2025-05-05 SOLNESS-51121 Key Indicators aren't rendered as the only block in Classic Dashboards

Workaround:
By agreement with Sahit Soni:

"This is a very specific scenario where the workaround would be to do one of the following:

  1. add an additional metric to track other than the Key Indicators block on their SimpleXML dashboard
  2. update their SimpleXML dashboard to use version 2"
2025-04-17 SOLNESS-50696 Detection versioning duplicate check doesn't work every time.
2024-11-05 SOLNESS-47715 Threat match configurations that use Endpoint datasets do not show the default metakeys _time, sourcetype, source, and host

Workaround:
It is not advised to edit the default data model (unless you have already done so); for this specific issue it is better to wait for the changes to be officially onboarded in a future Splunk SA_CIM data model structure. If you modify the data model, future default changes shipped by the official Splunk app might not be applied (local changes to the data model take precedence over any future default changes that Splunk pushes to that data model through an update). If you have already modified this data model and it is missing these fields, apply the following changes:
  1. Stop the data model acceleration (if enabled) for the data model that is missing these fields in its field list: _time=* sourcetype=* host=* source=*
  2. Add the missing fields to each dataset: _time=* sourcetype=* host=* source=* (it might be necessary to add index="NAME OF THE INDEXES" unless the index is specified within the linked macro)
  3. Edit the dataset's extracted fields and select the checkboxes for _time=* sourcetype=* host=* source=*
  4. Save the changes
  5. Enable acceleration if it was previously enabled
  6. Edit the affected threat matching datasets by adding these matching fields


Date filed Issue number Description
2025-06-02 BLUERIDGE-16966 $_indextime$ tokens fail to evaluate for Automation Rule Findings
2025-05-29 BLUERIDGE-16953 Notes API creates notes with attachments even if there is a failure in creating an attachment
2025-05-20 BLUERIDGE-16724 When viewing an investigation page, non-HTTPS URLs should work.
2025-05-19 BLUERIDGE-16715 Finding's Side panel metafields reset after clicking Back to Queue button from investigation

Workaround:
Refreshing seems to work sometimes...
2025-05-19 BLUERIDGE-16722 ES 8.1 Investigations: Playbook logs are trimmed and only timestamps are populated in the Automation tab for certain playbook runs
2025-05-02 BLUERIDGE-16301 Urgency is incorrect on the side panel for findings created through detections with automation rule configured
2025-04-29 BLUERIDGE-16107 ACS request fails in SHC for querying IP allow list
2025-04-17 BLUERIDGE-15954 Searches on the Analyst Queue might not work with immutable data when the Splunk OR operator is used.
2025-03-06 BLUERIDGE-15501 Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster redirection issues.

Workaround:
Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.

Alternatively, edit /etc/hosts on each search head cluster member and map each search head's IP address to its FQDN hostname.

Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption, for example duplicate HRIDs. You can mitigate this by using the KV store captain only for all the UI flows.

If you are using Splunk Enterprise Security (on-prem), run the following CURL command:
curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "disable_api_redirection=<true/false>"


If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal.

2025-02-28 BLUERIDGE-15425 Next Steps in Finding Groups change when an edit is made to the Detection
2025-02-27 BLUERIDGE-15407 Tags feature breaks for Finding Groups because the Entity field in a finding group gets populated with "-"
2024-10-18 BLUERIDGE-13101 Users can create a finding with an empty name for a custom field
2024-10-17 BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere
2024-10-16 BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes
2024-10-15 BLUERIDGE-12966 Eventtypes based on the notable index will not match investigations since they aren't from the notable index
2024-10-14 BLUERIDGE-12939 Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added
2024-10-09 BLUERIDGE-12864 Missing validation in UI while adding duplicate Finding fields in AQ settings page
2024-09-27 BLUERIDGE-12602, BLUERIDGE-11983 Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions
2024-09-13 BLUERIDGE-12347 Prompt modal shows reference ID and HRID combined instead of HRID for investigations
2024-09-09 BLUERIDGE-12190 Automation tab may appear for users who cannot run playbooks
2024-09-06 BLUERIDGE-12176 Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog
2024-09-03 BLUERIDGE-12100 Included findings table in AQ side panel is not sortable
2024-08-20 BLUERIDGE-11791, BLUERIDGE-11790 Missing input validation for file upload size
2024-05-13 BLUERIDGE-9351 Status and owner both have a status called "unassigned" but also show an "unassigned" value if no status is assigned, which can be confusing


Date filed Issue number Description
2025-05-09 SINT-7541 After pairing, an "unhealthy" message flashes for a second before it refreshes and says the connection is "healthy"
2025-05-08 SINT-7540 TIM-on-CMP: Link to customer document is pointing to old doc
2025-05-08 SINT-7539 Wrong message on the tooltip when deleting a threat list
2025-05-06 SINT-7508 Unprivileged users should see helpful messages in the UI instead of failures

See also

For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).

Last modified on 05 June, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0
