Splunk® Enterprise

Release Notes


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Known issues

The following are issues and workarounds for this version of Splunk.

Security issues

  • Reflected XSS in Splunk Web (SPL-60629)

This issue has been resolved in Splunk versions 4.3.6 and later. For more information about this issue, refer to the notice about it on the Splunk Security Portal.

Data input issues

  • Monitor inputs that use the followTail setting sometimes index older events, or all events, from log files that are updated, even when this is not intended. (SPL-23555)
  • When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294)
  • Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases. (SPL-31576)
  • Splunk does not support execution with the python-modifying variable PYTHONCASEOK set. (SPL-31866)
  • A trailing backslash (\) in the source attribute of an inputs.conf monitor stanza corrupts the sources.data file, and Splunk will not start. (SPL-33760)
  • When specifying a monitor input with a wildcard at the root level in Windows, Splunk logs an error and fails to index the desired files. (SPL-37087)
  • The universal forwarder changes capitalization of the hostname (pulls from server.conf instead of inputs.conf) and Splunk Web now displays two hosts. (SPL-38141)
  • When you add a CSV or IIS source type, Splunk appends -1, -2 and so on to the source type name. (SPL-43865)
  • The file browser in Data Preview will display an error and only part of the file system when trying to load large numbers of subdirectories (100+) and files (1000+). (SPL-46503)
  • When restarting a universal forwarder, *.gz files are reindexed, resulting in duplicate events. (SPL-51091, SPL-51734)
  • Latest time/earliest time boundaries are mismatched between metadata and bucket directory for buckets rebuilt by splunk fsck. (SPL-51016)
  • The .sizeManifest4.1 file reports a smaller total size than reality for buckets rebuilt by splunk fsck. (SPL-51366)
  • Time zone extraction can conflict if time zone strings match two different abbreviations (for example, EST matches both US Eastern Standard Time and Australian Eastern Standard Time, or CST matches both US Central Standard Time and China Standard Time). Workaround: use an explicit time prefix, a time format that does not include the time zone, or explicitly specify the time zone. (SPL-45509, SPL-51419)
  • fschange sometimes starts to generate events for action=add or action=delete even when no such action occurred. (SPL-49536)
  • Splunk stops monitoring a symlink path once the symlink is broken, and does not resume after the symlink is fixed. Restarting Splunk or reloading the monitor input resumes monitoring of the fixed symlink. (SPL-52284)
  • Volumes on Windows cannot be specified with forward slashes. (SPL-52620)
  • Universal forwarder does not appear in the list of uninstallable programs, and does not uninstall correctly. (SPL-52583)
  • Data indexing flow can bottleneck in the Aggregator when it encounters DateParserVerbose messages. To work around this, set DateParserVerbose to CRITICAL in log.cfg. (SPL-53425)
  • Editing any disabled data input and saving it enables the input. (SPL-49699)

Splunk Web and Manager interface issues

  • If you have cookies disabled, or if the server and client clocks are not in sync, you will be returned to the login page. Both machines must have the correct time set, because the cookie timestamp is verified against it. (SPL-22393)
  • Using the browser's Back button to get back to a form view doesn't work properly; you have to re-run the search to redisplay the graph. (SPL-27179)
  • Zooming out in the flash timeline only zooms out the previous time region, not the subsequent one. (SPL-18126)
  • Splunk Web still thinks your license is expired if you replace it behind the scenes. To work around this issue, choose 'Enter a new license number' and then log in. (SPL-28582)
  • Using jQuery before 1.3.2 with changeset 6268 results in false ActiveX warnings (see http://dev.jquery.com/changeset/6268/trunk). A patch is available. To apply the patch:
    • Download the patch file.
    • Unzip the patch file.
    • cd $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/contrib
    • patch jquery-1.3.2.js jquery-activex.patch
    • Because Splunk Web aggressively caches content, you must change the URI signature:
    • Open http://localhost:8000/_bump
    • Click the 'bump version' button.
  • Splunk Web does not notify you if you specify an invalid port number in web.conf. (SPL-25584)
  • The indexing status dashboard's "Index health" graph and "Analysis of index bucket" do not work for multiple indexes, only a single index. (SPL-34123)
  • On iPads, the drop-down menu for selecting events does not wrap correctly. (SPL-44678)
  • Splunk Web modal dialog boxes are not compatible with protected web environments that use proxies and application layer gateways. (SPL-43365)
  • When using drag-and-drop resizing for dashboard panels in Internet Explorer 6, the panel will only drag to a larger size. If you drag the corner to make it smaller again, the display does not update. If you reload the whole page, the chart will display the smaller size. (SPL-45801)
  • Dashboard panels in Internet Explorer 6 do not render their contents at an optimal size, resulting in unnecessary white space. (SPL-45800)
  • If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change take effect immediately. The retrieved events will be in the correct time zone but the timeline will not. Wait 30 seconds and reload the page to see the updated timeline. (SPL-46852)
  • If you upload a lookup table file (Manager > Lookups > Lookup tables files) and then try to configure a new lookup definition (Manager > Lookups > Lookup definitions > Add new), you may not be able to select the file. There are two workarounds. First, you can upload the file again, starting in the destination app context. For example, to upload it to the search app, make sure you start from the search app. Second, if the file is already uploaded, change the file's permission so that it is global. For example, in the permissions view, under "Object appears" select "All apps". (SPL-36241, SPL-51601)
  • Internet Explorer does not display multiline events that begin with spaces, such as Windows Event Log events, WMI events, or XML. To work around this, turn off "Wrap results" in the Options menu. (SPL-40354)
  • Unable to delete/clone saved searches from Manager -> Searches and Reports. (SPL-52179, SPL-47878)
  • When you set the link hostname for the localhost/report server under Manager » System settings » Email alert settings, there is no field for the port number. (SPL-53789)
  • When a search returns tens of thousands of results, sorting the results by clicking a field's arrow sometimes does not work in flashtimeline. (SPL-54255)
  • Cannot drill down in Splunk Web > Jobs. The browser shows the message "JobManager module] Splunkd daemon is not responding: ('The read operation timed out',)", or in some circumstances the browser may crash. This may be due to one or more searches that have expanded to very large literal searches, as seen in the info.csv for that search. In $SPLUNK_HOME/dispatch, ensure that there are fewer than 2000 dispatch subdirectories, find the largest info.csv files (for example, several MB), and remove those artifact subdirectories. (SPL-55661)
  • Splunk Web may become unresponsive if excessive session lock files exist in $SPLUNK_HOME/var/run/splunk. This may occur if an unsupported browser is used to access Splunk Web, or if unexpected requests are made to Splunk Web (such as by a health check app). To work around this, set up a job that deletes session* files in this directory that are older than one day. (SPL-37409)
  • Splunk Web may incorrectly display events that appear to have missing content or punctuation. This is related to a known issue with WebKit. The event viewer was changed in Splunk 5.0 and no longer has this display issue. Try another browser or an updated version of your current browser. (SPL-55380/SPL-55354)
  • The "Next" link in Splunk Web should be grayed out after the default maximum of 10K events (4.3.x) or 1K events (5.0.x) has been displayed. Clicking "Next" at this point displays an empty page. (SPL-64905)
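The two workarounds above (SPL-55661 and SPL-37409) are both file-system housekeeping in $SPLUNK_HOME/var/run/splunk. The following POSIX shell script is an added example written for this page, not Splunk-supplied code. It assumes SPLUNK_HOME defaults to /opt/splunk, that session lock files sit directly in $SPLUNK_HOME/var/run/splunk, and that search job directories live one level below in var/run/splunk/dispatch with an info.csv in each; the 1 MB size threshold and the RUN_SPLUNK_HOUSEKEEPING guard variable are constructed for the example. The dispatch check only reports; deciding which job directories to remove is left to the operator, as the release note describes.

```shell
#!/bin/sh
# Added example for the SPL-55661 / SPL-37409 workarounds. Not Splunk code.
# Assumptions (labelled): SPLUNK_HOME defaults to /opt/splunk, session files
# live in $SPLUNK_HOME/var/run/splunk, job directories live in
# $SPLUNK_HOME/var/run/splunk/dispatch, one subdirectory per job with info.csv.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# prune_session_files [run_dir]
# Removes files named session* in run_dir that are more than 24 hours old
# (find -mtime +0) and prints how many were removed. Only the top level of
# run_dir is touched, so dispatch/ and other subdirectories are left alone.
prune_session_files() {
    run_dir="${1:-$SPLUNK_HOME/var/run/splunk}"
    [ -d "$run_dir" ] || { echo "prune_session_files: no such directory: $run_dir" >&2; return 1; }
    find "$run_dir" -maxdepth 1 -type f -name 'session*' -mtime +0 -print -exec rm -f {} \; \
        | wc -l | tr -d ' '
}

# check_dispatch [dispatch_dir] [size_kb]
# Prints "<job_dir_count> <oversized_info_csv_count>" and lists on stderr every
# info.csv larger than size_kb (default 1024, about 1 MB), which is the
# "several MB info.csv" symptom in the release note. Nothing is deleted here.
check_dispatch() {
    dispatch_dir="${1:-$SPLUNK_HOME/var/run/splunk/dispatch}"
    size_kb="${2:-1024}"
    [ -d "$dispatch_dir" ] || { echo "check_dispatch: no such directory: $dispatch_dir" >&2; return 1; }
    job_dirs=$(find "$dispatch_dir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' ')
    oversized=$(find "$dispatch_dir" -mindepth 2 -maxdepth 2 -type f -name info.csv -size +"${size_kb}k")
    if [ -n "$oversized" ]; then
        echo "oversized info.csv files (their job directories are removal candidates):" >&2
        printf '%s\n' "$oversized" >&2
        big_count=$(printf '%s\n' "$oversized" | wc -l | tr -d ' ')
    else
        big_count=0
    fi
    if [ "$job_dirs" -ge 2000 ]; then
        echo "warning: $job_dirs job directories in $dispatch_dir (keep this below 2000)" >&2
    fi
    echo "$job_dirs $big_count"
}

# Example run, guarded by a constructed environment variable so that sourcing
# this file for its functions does nothing against a live instance.
if [ "${RUN_SPLUNK_HOUSEKEEPING:-0}" = "1" ]; then
    echo "removed $(prune_session_files) stale session files"
    check_dispatch
fi
```

To use it as the daily job the release note suggests, run it from cron with RUN_SPLUNK_HOUSEKEEPING=1 under the account that owns $SPLUNK_HOME; the stderr listing of oversized info.csv files is what you review before removing any dispatch subdirectory.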

Charting and drill-down issues

  • When a chart displays an "OTHER" bucket of values, drilling down into it adds myfield="OTHER" to the search string. (SPL-30399)
  • The majorUnit parameter is not supported in JSChart for time axes (it is supported for numeric axes), but usage of it in Simple XML does not automatically force the chart to display in Flash. Instead, Splunk ignores any manually defined majorUnit setting you provide. As a workaround, include another unsupported-by-JSChart property definition to force the chart to display in Flash with your majorUnit setting in place. For example, if you are trying to set a 1 hour major unit (using a tag like <option name="charting.axisLabelsX.majorUnit">P0Y0M0DT1H0M0S</option>), add <option name="charting.scaleX">1</option> to the Simple XML for the chart. This causes the chart to render correctly in Flash with the major unit displaying in 1 hour increments along the X axis. (SPL-50934)

Search, saved search, alerting, scheduling, and job management issues

  • The simultaneous running of many summary indexing searches that use the 'stash_new' command can result in namespace collision, which can cause errors in splunkd.log similar to "WARN FileClassifierManager - The file '/var/fflanda/splunk/var/spool/splunk/RMD5257b69c72240c88d_342014304.stash_new' is invalid. Reason: binary" and block summary indexing searches from running. To work around this issue, turn off binary checking by editing $SPLUNK_HOME/etc/local/props.conf and setting the value of NO_BINARY_CHECK=1 under the [stash_new] stanza. (SPL-59578)
  • When running a search with time range modifiers, such as startminutesago or earliest, the displayed time range message still shows the time based on the time range picker. The results are correct. (SPL-33409)
  • There is no way to escape an asterisk (*) in the search language. (SPL-30079)
  • CLI search doesn't warn on stderr when results were truncated due to the maxout limit. (SPL-35478)
  • The Create Alert and Schedule Search dialog boxes in the Search app, under "send email," are missing the option to include search results as PDF. Workaround: Enable PDF email alerts in Manager > Searches and reports. (SPL-46832)
  • On Windows, lookup tables populated by scheduled searches could fail to be updated if there is a search running and using the lookup at the time of the update attempt. (SPL-40332)
  • Sparklines do not display in email alerts. The email will display the backing data rather than rendering the sparklines. Workaround: Use the PDF Server app to email a PDF of the report. (SPL-48265)
  • Searches that use cidrmatch may crash. Workaround: replace 'cidrmatch(A, B)' with 'if(typeof(B, "String"), cidrmatch(A, B), null())'. (SPL-49828)
  • Using the rex command with mode=sed does not work with multi-value fields. To work around this issue, use mvexpand before using rex. (SPL-52007)
  • Search fails and the UI banner message "DISPATCHCOMM_RP_FAIL__<host name>" is displayed. (SPL-52565)
  • Searches with a subsearch component may fail or produce errors relating to paths inside var/run/splunk/dispatchtmp. Typical file failures involve prereport_*.csv.gz or srtmpfile*. (SPL-52862)
  • When a lookup table has a size of zero, searches on a Splunk search head (in distributed search or on a standalone instance) on a Windows server might start to crash. This particularly affects the VMware app and results in empty dashboards. A patch release can be requested from Support to resolve this issue until it is addressed in a maintenance release. (SPL-53256)
  • The rex command cannot be applied to aliased fields but does apply properly to the original field. (SPL-55193)
  • If the second argument to mvsplit is not an eval string, the search will crash and dump core. (SPL-56754)
  • Using mode=sed with the rex command does not correctly replace characters with a '\' value. (SPL-55549)
  • The date_* fields, such as date_hour, are based on UTC and are not time zone aware. Do not use these fields when searching events in a non-UTC time zone. (SPL-56028)
  • Modifying _time in a subsearch may return an incorrect number of events, with no warning or error message in the logs. As a workaround, modify _time in the main search instead. (SPL-45787)

Localization, internationalization, and character set issues

  • Certain Japanese language OSes, including most versions of Windows, use the ¥ (Yen) symbol to denote backslashes in path names. This can cause issues when monitoring or spooling files, and may require custom regex configurations where a file path is part of the dataset. (SPL-23307)
  • Splunk throws the error message "Input is not proper UTF-8, indicate encoding!" when a tar.gz data input file contains Simplified Chinese (GB2312) characters. Workaround: manually extract the CSV files from the tar.gz file and place them in the same data input file path. Splunk then recognizes all the CSV files with Chinese file names and reads all events correctly. (SPL-38488)

Dashboard and app development issues

  • Old modules, templates, and other app components are not deleted on upgrade. (SPL-22494)
  • If you specify more than the 3-column maximum for layoutPanel, the error message is not very helpful. (SPL-29295)
  • You can create/update/clone/delete 'Navigation menus', but Splunk Web only uses default.xml. (SPL-30024)
  • On Windows, ServerSideInclude modules cannot use relative paths in their source parameter ("../../myinclude.html"). (SPL-35552)
  • Real-time search dashboards intermittently stop updating short of the actual number of events received. (SPL-37461)
  • As of 4.2.1, Splunk has removed support for illegal characters in URIs. Apps whose view XML contains explicit links with unencoded unsafe URL characters fail with a 500 error.

Windows-specific issues

  • The Message field is not extracted and is therefore missing from imported Windows event log file (.evt) data. (SPL-24947)
  • Timestamps are not set correctly for comment lines in W3C (aka Internet Information Server (IIS) and Exchange) log files. (SPL-29111)
  • The splunkd.exe executable on Windows generates about 4,000 page faults/sec when running the Windows app (only) with all the inputs turned on. This is not necessarily a real problem, since most of the page faults will be cache hits and won't end up as hard (on-disk) page faults. However, if the machine is under memory pressure (perhaps from another RAM-hungry app) then splunkd's behavior may cause lots of hard page faults/sec. (SPL-30343)
  • On Windows XP and Server 2003 systems, Event Log checkpointing fails if you stop Splunk, clean the events, and restart Splunk. To work around this issue, don't stop Splunk when you clean the events. (SPL-29594)
  • The Windows Service Control Manager will interrupt the shutdown of the splunkd or splunkweb processes if it doesn't complete in the allotted 30 seconds. This will result in an unclean shutdown and Splunk will prompt the administrator to perform fast recovery on the indexes on the next splunkd start. (SPL-37653)
  • Splunk does not pass a warning message when it tries to index a corrupt or invalid gzip file on Windows. (SPL-42212)
  • The universal forwarder installer on Windows does not copy certificates from Windows/Samba shared directories. (SPL-45590)
  • In data preview, empty lines can appear if the empty line is the first item in a 4KB segment. (SPL-46010)
  • The Windows universal forwarder does not automatically extract the date_* fields from Windows events. To work around this problem, use a search-time extraction on the indexer. (SPL-51303)
  • When you upgrade the Windows universal forwarder from 4.2 to 4.3, the installer places the upgraded program files in C:\Program Files\SplunkUniversalForwarder, regardless of what the current UF program directory is. To work around this problem, upgrade the UF from the command line and set the INSTALLDIR flag to the current UF program directory. (SPL-49824)
  • When a lookup table size is zero, searches in Splunk Search Head in distributed search or standalone instance on Windows server might start to crash. (SPL-53256)
  • On Windows 2008 R2, blue screens can occur when the IRP returned within the splunkdrv-win6.sys driver is NULL. (SPL-45149)
  • When a Windows Event Log file (.evt/.evtx) is read by a [monitor::] stanza, Splunk stops indexing the Event Log partway through if Splunk is restarted while it is still reading the file. (SPL-61602)

CLI issues

  • The universal forwarder fails to recognize that indexes should be remote when they are specified via the CLI. To work around this, specify the destination index manually in inputs.conf. (SPL-38182)
  • The CLI export command does not return results when flags are added for filtering. (SPL-45694)
  • The server.conf spec indicates that you can set requireClientCert = true in order to require that HTTPS clients connecting to the splunkd process present a certificate signed by the CA whose public certificate is defined in caCertFile. Because the Splunk CLI cannot be configured to present an SSL certificate, setting requireClientCert = true in server.conf breaks its ability to communicate with splunkd. (SPL-47585)
  • The $SPLUNK_HOME/bin/bloom utility is unsupported and creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility. (SPL-50742)

Distributed deployment, forwarder, deployment server, and deployment monitor issues

  • Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
  • Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed. (SPL-30065)
  • When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext. (SPL-26529)
  • You can't use Manager to specify an app for deployment server to deploy, you can only specify server classes. (SPL-29903)
  • Forwarder startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
  • If you install a universal forwarder on the same *nix machine as a regular Splunk installation, they overwrite each other's services upon running "enable boot-start". (SPL-36032)
  • Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
  • Distributed search bundle replication from *nix to Windows can cause bundle extraction to fail when a file name contains characters that are illegal in Windows file names. The operation can loop and consume the disk space that is normally used for bundle extraction. (SPL-39464)
  • Charts in the deployment monitor do not show data if the increment selected is 30 minutes or less. To work around this issue, when searching over timeranges of 30 min or less, use forwarder_metrics and per_index_metrics macros to run searches against the logs rather than against summaries. For example:
    • The search that populates the forwarder summary index is: `forwarder_metrics` | eval lastReceived = if(kb>0, _time, null) | `forwarder_lookup_stats("max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps")`.
    • The search that populates the indexer summary index is `per_index_metrics` | stats sum(kb) as kb by splunk_server | join type="outer" splunk_server [ search `indexer_queue_stats`] | rename splunk_server as my_splunk_server (SPL-39701)
  • The TCP input processor sometimes writes confusing but harmless messages to the splunkd.log of an indexer: "ERROR TcpInputProc - Error encountered for connection from src=xxx.xxx.xxx. Success". These can be safely ignored. (SPL-34584)
  • Deleting an application from the deployment server does not honour the restartSplunkd = true and restartSplunkWeb = true settings in serverclass.conf. Workaround: manually restart Splunk on the affected deployment clients. (SPL-41345)
  • Round-robin load balancing was deprecated in Splunk 4.2 and automatic load balancing is now the default. (SPL-46856)
  • "Deployment Monitor" app's "MB Indexed" dashboard reports incorrect volume if other Splunk instances are sending metrics.log to search peers (SPL-48887)
  • "Deployment Monitor" app's "By License Pool" report shows nearly double the daily usage than "By Indexer" Report. (SPL-49519)
  • Machine filter type configuration at serverclass level does not obey whitelist/blacklist rules but applies at the app level instead. (SPL-55194)
  • The Windows universal forwarder does not automatically extract the date_* fields from Windows events. To work around this problem, use a search-time extraction on the indexer. (SPL-51303)
  • When you upgrade the Windows universal forwarder from 4.2 to 4.3, the installer places the upgraded program files in C:\Program Files\SplunkUniversalForwarder, regardless of what the current UF program directory is. To work around this problem, upgrade the UF from the command line and set the INSTALLDIR flag to the current UF program directory. (SPL-49824)
  • An attribute, syslogSourceType, for syslog routing does not work. (SPL-64400)

Startup and shutdown issues

  • On shutdown, many WARN lines are displayed in splunk.log that should actually be INFO. These lines can be safely ignored. (SPL-24862)
  • If the splunk stop command is run while the splunk start command is still in the process of completing, Splunk may shut down uncleanly and lose data. (SPL-37510)
  • When starting Splunk, if there happens to be a duplicate bucket ID (same ID in both warm and hot DB), splunkd will crash due to an uncaught DatabaseDirectoryManagerException exception. (SPL-36819)

Unsorted issues

  • BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
  • PDF Server App is outputting PDF Reports with some overlapping panels. (SPL-38101)
  • PDF Server App does not print a test page if splunkd is configured to listen on IPv6 while splunkweb is not configured for IPv6. Error in python.log: "(400) Remote host does not look like a Splunk server; aborting PDF." Emailed PDFs still work. (SPL-45876)
  • RPM package verification ("rpm -V splunk-xxx-xxx.rpm") returns the message "missing splunk-launch.conf.default" even though the content does not have a problem. (SPL-35181)
  • Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
  • Splunk records incorrect time zone offsets in the timestamps of its internal log files (splunkd.log, etc.) with certain builds of AIX 6.1. (SPL-52920)
  • Splunk can experience intermittent crashes in different threads on AIX due to an unresolved gcc bug on AIX. (SPL-49004)
  • Splunk diag --exclude is not implemented for the universal forwarder. (SPL-52926)
  • When you install Splunk on Ubuntu using the Ubuntu Software Center and the .deb package, Ubuntu displays an error message that the package is of bad quality. Workaround: install using the .tgz file (SPL-43264).
  • Splunk Web crashes or becomes unresponsive when clicking Next link quickly in event list. (SPL-64911, SPL-65692)
  • On an instance that is not the license master, the "See License Manager" link in a license warning message points to the Splunk instance itself, not to its license master. Visit the license master's Manager -> Licensing view for warning/alert messages. (SPL-42070)

This documentation applies to the following versions of Splunk® Enterprise: 4.3.3
