Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
| Date filed | Issue number | Description |
|---|---|---|
| 2020-03-23 | SOLNESS-22110 | Threat Intelligence: MaxMind ASN database can no longer be consumed |
| 2020-02-28 | SOLNESS-21907, SOLNESS-21911 | Threat Intelligence Manager: Incomplete or orphaned stanzas cause the manager to exit |
| 2020-02-24 | SOLNESS-21847 | Threat Intelligence Framework: When the download type is anything other than TAXII, the file extension is changed |
| 2020-02-24 | SOLNESS-21848 | Threat Intelligence Framework: Files left in pickup directories when the sinkhole option is not in use cause large SHC snapshots |
| 2020-02-23 | SOLNESS-21845 | Entities merge on previous foreign keys |
| 2020-02-20 | SOLNESS-21817, SOLNESS-21910 | When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get the error message "Notable status of label <number> does not exist." Workaround: manually clean up reviewstatuses.conf to reduce the number of statuses to 30 or fewer: |
| 2020-02-13 | SOLNESS-21783 | Incident Review does not load when read permissions on the pertinent lookups are limited to select roles |
| 2020-01-30 | SOLNESS-21581 | Entity merge does not parse multivalue (MV) fields in KV Store sources |
| 2020-01-24 | SOLNESS-21476 | Notable Event Framework: Invalid severity values break the urgency calculation |
| 2020-01-16 | SOLNESS-21220, SOLNESS-21618 | Identity Management: Preview search request is issued via the query string (issue in Internet Explorer) |
| 2019-12-13 | SOLNESS-21001 | Identity Management: Inferred/implicit "identity" key values can cause unintended identity record merges. In ES 6.0, Asset and Identity records that have overlapping secondary keys (the "asset" and "identity" fields respectively) are merged. When this is combined with inferred/implicit key values based on email, email_short, and/or convention-based mapping, unintended records can be merged. If you are *not* interested in the inferred/implicit identity values (i.e. email, email_short), disable them on an input-by-input basis by using the "Asset and Identity Management" UI to uncheck or remove conventions as needed for each input. |
| 2019-12-10 | SOLNESS-20951, SOLNESS-20994 | Postinstall fails when upgrading due to an error enabling modular inputs. Enabling modular inputs during post-install can fail if the role performing the install is missing the capabilities it needs. |
| 2018-10-03 | SOLNESS-16682, SPL-170703 | Internal Error: Missing a search command before * |
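To illustrate the SOLNESS-21001 behaviour above, here is an added example that is not Splunk ES code: a small Python simulation that unions identity records whose secondary key sets overlap, once with inferred email/email_short values and once without. The merge logic, the `nick` label field and the sample records are assumptions constructed for this illustration; only the `identity`, `email` and `email_short` names come from the page.

```python
# Constructed simulation of secondary-key record merging (assumption: this is
# NOT the Splunk ES implementation, only a model of the failure mode).
from itertools import combinations


def infer_keys(record, use_inferred):
    """Return the set of secondary 'identity' key values for one record.

    With use_inferred=True the email address and its local part (email_short)
    are added as implicit identity values, as the known issue describes."""
    keys = set(record.get("identity", []))
    if use_inferred and record.get("email"):
        email = record["email"].lower()
        keys.add(email)
        keys.add(email.split("@", 1)[0])  # inferred email_short
    return keys


def merge_identities(records, use_inferred):
    """Group records whose key sets overlap (transitively, via union-find).

    Returns a sorted list of groups; each group is a sorted list of 'nick'
    values, so a group with more than one nick is a merged record."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    keysets = [infer_keys(r, use_inferred) for r in records]
    for a, b in combinations(range(len(records)), 2):
        if keysets[a] & keysets[b]:
            parent[find(a)] = find(b)
    groups = {}
    for i, r in enumerate(records):
        groups.setdefault(find(i), []).append(r["nick"])
    return sorted(sorted(g) for g in groups.values())


# Constructed sample: two different people whose emails share the local
# part "j.smith", plus an unrelated third identity.
SAMPLE = [
    {"nick": "jsmith-corp", "identity": ["jsmith"], "email": "j.smith@corp.example"},
    {"nick": "jsmith-partner", "identity": ["jsmith2"], "email": "j.smith@partner.example"},
    {"nick": "alice", "identity": ["alice"], "email": "alice@corp.example"},
]

if __name__ == "__main__":
    print(merge_identities(SAMPLE, use_inferred=True))   # the two Smiths merge
    print(merge_identities(SAMPLE, use_inferred=False))  # all three stay separate
```

With inference on, the shared email_short value "j.smith" links two unrelated records; disabling the inferred values for that input keeps them apart.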
This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.0