Splunk® Enterprise

Release Notes

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF


Splunk 4.3.4 was released on September 10, 2012.

The following issues have been resolved in this release:

Resolved data input issues

  • When restarting a universal forwarder, *.gz files are reindexed, resulting in duplicate events. (SPL-51091, SPL-51734)
  • The .sizeManifest4.1 file reports a smaller total size than reality for buckets rebuilt by splunk fsck. (SPL-51366)
  • A capital letter in stanza name in indexes.conf causes the index to become "unfindable". (SPL-55151)
  • When editing/adding new scripted inputs in manager/REST, pre-existing cron-scheduled scripted inputs run once at the wrong time. (SPL-53278)
  • Violation of MAX_DAYS_HENCE by file-based data sources without modtime updates leads to indexing congestion in the merging pipeline. (SPL-52210)
  • Path in indexes.conf ends with "\" will cause parsing problem in Windows. (SPL-52103)
  • Errors splunkd.log "in TailingProcessor - Error matching path and file". (SPL-47988)

Resolved Splunk Web and Manager interface issues

  • Unable to delete/clone saved searches from Manager -> Searches and Reports. (SPL-52179, SPL-47878)
  • JSChart: in flashtimeline long-running top/rare searches with preview make the chart flicker. (SPL-54371)
  • JSChart: when in a dashboard, the maxResultsForTop parameter is not being respected. (SPL-53530)
  • Wrong/broken icons in Manager after upgrade from 4.2.5. (SPL-53520)
  • Sparkline not display partially and sometimes it will become very short after complete the search. (SPL-52709)
  • The tz value (tz = Etc/GMT+10) is incorrect for Hawaii time zone. (SPL-52106)
  • Can't highlight, or copy/paste LDAP users from LDAP group in the group mapping / permissions screen on Firefox. Works fine on IE. (SPL-51542)
  • Changing permissions on a tag via Splunk Web from private to global makes tag appear to have been deleted. (SPL-52388)
  • Users with expired tokens/cookies are unable to log into Splunk Web. (SPL-45981)
  • Clicking reload link in job management page takes you right back to the app page on IE. (SPL-43234)
  • Search_User_Activity dashboard doesn't show latest user search activity. (SPL-50182)
  • Application "Loading" message obscures logout link. (SPL-49191)

Resolved search, saved search, alerting, scheduling, and job management issues

  • Searches using cidrmatch may cause crashes. Workaround: replace: 'cidrmatch(A, B)' with: 'if(typeof(B, "String"), cidrmatch(A, B), null())' (SPL-49828)
  • Using the rex command with mode=sed does not work with multi-value fields. To work around this issue, use mvexpand before using rex. (SPL-52007)
  • Search fails and Splunk Web banner message: "DISPATCHCOMM_RP_FAIL__<host name>" is displayed (SPL-52565)
  • Subsearch failing with the error "Encountered an error while reading file '/opt/splunk/var/run/splunk/dispatchtmp/subsearch_*/prereport_*.csv.gz'.", the workaround is to format the fields with the command fields instead of table at the end of the sub search. (SPL-52862)
  • When a lookup table size is zero, searches run on a search head in distributed search or on a standalone instance on Windows Server might start to crash. This particularly affects the VMWare app and results in empty dashboards. (SPL-53256)
  • Summary generating searches skip even while realtime_schedule = 0. (SPL-54029)
  • Searches referencing conf files that include settings with embedded nulls cause all subsequent searches to fail with "SearchException: An unknown error occurred while parsing search". (SPL-53090)
  • Using the "rest" command in a subsearch results in a CSV read error in var/run/splunk/dispatchtmp/..., only when commands are piped after "rest". (SPL-52862)
  • "None" is in the time unit drop-down menu in throttling setting for saved searches. (SPL-54681)
  • Could not identify leap second on 30 June, 2012. (SPL-52775)
  • Creating alert to run a script: Need to validate and prevent the field called "File name of shell script to run" to accept special characters of: "..", "/", or "\". (SPL-49225)
  • Windows - scheduled searches with long (>260 char) search name always return 0 results. (SPL-43587)

Resolved distributed deployment, forwarder, deployment server, and deployment monitor issues

  • File system change monitor (fschange) settings on Windows universal forwarder does not forward events to an indexer. (SPL-54233)
  • SSO: Direct logins in permissive mode cannot logout - "Logout" button not shown. (SPL-53917)
  • A distributed search fails with a warning "DISPATCHCOMM_RP_FAIL__<host name>". (SPL-52565)

Resolved dashboard and app development issues

  • Charts not populating on realtime dashboard with filter. (SPL-53261)
  • The sort postprocess should treat the number of rows as an integer instead of a string in SimpleResultsTable. (SPL-52827)
  • Simple XML : <label> not respected for <input type="time"> module. (SPL-52492)
  • The web.conf minify_css setting modifies base path. (SPL-51365)

Resolved unsorted issues

  • Fields in custom conf files are not persisted if they do not have a default provided. (SPL-54152)
  • Search peer on Solaris platform fail to restart after creating an index on the search peer. (SPL-52863)
  • Summary indexing with alert condition set to "always" does not index all events. (SPL-52959)
  • After direct upgrade from 4.1.6 to 4.3.2, instance has index corruption and cannot run fsck on indexes. (SPL-47246, SPL-52868)
  • The 'configs/conf-authorize' endpoint is slow. (SPL-50334)
  • splunkd crashes if you delete and then create a new key in $SPLUNK_HOME/etc/auth/audit/. (SPL-49185)
  • Crashing thread: CallbackRunnerThread > Seg fault > unknown signal origin > CallbackRunnerThread > MetricsManagerprobe. (SPL-53372)
  • Crash: Sig abort > HTTPRequestHandlerThread > tcmalloc > Assertion `utf8bytes >= 0xC280' failed. (SPL-53260)
  • Crashing thread: HttpClientPollingThread_index_us > Signal sent by PID 22865 running under UID 0 > XMLDocument > __assert_fail. (SPL-52991)
  • Events logged by splunkd processors to splunkd.log should reference the full context (source/sourcetype/host) of the pdata chunk in scope. (SPL-52686)
  • PDF of a dashboard does not contain results from inline realtime search. (SPL-52618)
  • Python.log: INFO Sending email: Misspelling: recepients. (SPL-52530)
  • Splunkd.log: TcpOutputProc: logging: Typo. (SPL-51842)
  • Crashing thread: HTTPRequestHandlerThread with Received fatal signal 6 (Aborted). (SPL-52226)
  • Creating an index with "Volume" in the name fails. (SPL-50749)
  • Certs are always created for splunkweb on startup if the privkey.pem and cert.pem files do not exist. (SPL-49542)
  • Every request to splunkweb is creating a session lock file in var/run/splunk, ending up in DOS. (SPL-48237)
  • "SearchResults - Unable to write" message in logs is not accurate. (SPL-47283)
  • Crash in "regex matching: Access violation" due to an extracted field having the same name as the field from which it is being extracted. (SPL-45102)
Workaround for SSL configuration for users of Firefox 3

This documentation applies to the following versions of Splunk® Enterprise: 4.3.4, 4.3.5, 4.3.6, 4.3.7

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters