Splunk® Enterprise

Release Notes


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Known issues

The following are issues and workarounds for this version of Splunk.

Security issues

  • Reflected XSS in Splunk Web (SPL-60629)

This issue has been resolved in Splunk versions 4.3.6 and later. For more information about this issue, refer to the notice about it on the Splunk Security Portal.

Data input issues

  • Monitor inputs that use the followTail setting sometimes index older events, or all events, from log files that are updated, even when this is not intended. (SPL-23555)
  • When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294)
  • Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases. (SPL-31576)
  • Splunk does not support execution with the python-modifying variable PYTHONCASEOK set. (SPL-31866)
  • A trailing backslash (\) in the source attribute of an inputs.conf monitor stanza corrupts the sources.data file, and Splunk will not start. (SPL-33760)
  • The universal forwarder changes capitalization of the hostname (pulls from server.conf instead of inputs.conf) and Splunk Web now displays two hosts. (SPL-38141)
  • A file monitor blacklist set to a NULL value ("blacklist = " in inputs.conf) results in all files for that input being blacklisted and therefore not indexed. (SPL-38750)
  • When you add a CSV or IIS source type, Splunk appends -1, -2 and so on to the source type name. (SPL-43865)
  • The file browser in Data Preview will display an error and only part of the file system when trying to load large numbers of subdirectories (100+) and files (1000+). (SPL-46503)
  • The default fschange settings on a universal or light forwarder do not forward fschange audit trail events to an indexer. A workaround is to explicitly set "signedaudit = false" and "index=_audit". This forwards fschange events as sourcetype=fschangemonitor to index=_audit. (SPL-50531)
  • Latest time/earliest time boundaries are mismatched between metadata and bucket directory for buckets rebuilt by splunk fsck. (SPL-51016)
  • The .sizeManifest4.1 file reports a smaller total size than reality for buckets rebuilt by splunk fsck. (SPL-51366)
  • fschange sometimes starts to generate events for action=add or action=delete even when no such action occurred. (SPL-49536)
  • Splunk stops monitoring a symlink path once the symlink is broken, and does not resume even after the symlink is fixed. Restarting Splunk or reloading the monitor input resumes monitoring of the fixed symlink. (SPL-52284)
  • Editing any disabled data input and saving it enables the input. (SPL-49699)

Splunk Web and Manager interface issues

  • An issue with the Highcharts library used in Chrome version 18.x causes dashboards to crash when hovering over a point on a line graph. Current workaround is to use another supported browser. (SPL-49700)
  • If you have cookies disabled, or if the server's and client's clocks are not in sync, you will be returned to the login page. Both machines must have the correct time set, because the cookie timestamp is verified against it. (SPL-22393)
  • Using the browser's Back button to get back to a form view doesn't work properly; you have to re-run the search to redisplay the graph. (SPL-27179)
  • Zooming out in the flash timeline only zooms out the previous time region, not the subsequent one. (SPL-18126)
  • Splunk Web still thinks your license is expired if you replace it behind the scenes. To work around this issue, choose 'Enter a new license number' and then log in. (SPL-28582)
  • The success message when uploading a file in Splunk Web does not correctly display the filename. (SPL-29855)
  • Using jQuery before 1.3.2 with changeset 6268 results in false ActiveX warnings (see http://dev.jquery.com/changeset/6268/trunk). A patch is available. To apply the patch:
    • Download the patch file.
    • Unzip the patch file.
    • cd $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/contrib
    • patch jquery-1.3.2.js jquery-activex.patch
    • Because Splunk Web aggressively caches content, you must change the URI signature:
    • Open http://localhost:8000/_bump
    • Click the 'bump version' button.
  • Splunk Web does not notify you if you specify an invalid port number in web.conf. (SPL-25584)
  • The indexing status dashboard's "Index health" graph and "Analysis of index bucket" do not work for multiple indexes, only a single index. (SPL-34123)
  • On iPads, the drop-down menu for selecting events does not wrap correctly. (SPL-44678)
  • Splunk Web modal dialog boxes are not compatible with protected web environments that use proxies and application layer gateways. (SPL-43365)
  • In Manager > Data inputs > Remote event log collections, the enabled/disabled banner message does not display the correct status. (SPL-45692)
  • When using drag-and-drop resizing for dashboard panels in Internet Explorer 6, the panel will only drag to a larger size. If you drag the corner to make it smaller again, the display does not update. If you reload the whole page, the chart will display the smaller size. (SPL-45801)
  • Dashboard panels in Internet Explorer 6 do not render their contents at an optimal size, resulting in unnecessary white space. (SPL-45800)
  • The SSOMode=permissive setting does not allow Splunk Web access if the incoming client IP does not have a match in the trustedIP list. (SPL-46047)
  • Dashboard panels with Flash charts do not rearrange properly. (SPL-46019)
  • If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change take effect immediately. The retrieved events will be in the correct time zone but the timeline will not. Wait 30 seconds and reload the page to see the updated timeline. (SPL-46852)
  • Under Firefox 3.5, saving a new user record in Splunk Web's Manager > Access Control > Users displays a banner message: Your entry was not saved. The following error was reported: server abort. This message can be ignored, as the user record is created. Firefox 3.6.10, 7.0.1 and 8.0.1 do not reproduce this behavior. (SPL-47195)
  • The Word Wrap option does not work properly for a long single-line CSV event. (SPL-48250)
  • Intermittently, the flashtimeline search events list displays empty result rows. Rerun the same search and all the event content appears. This is not a data issue, as the table view confirms that the raw data exists. (SPL-49330)
  • If you upload a lookup table file (Manager > Lookups > Lookup tables files) and then try to configure a new lookup definition (Manager > Lookups > Lookup definitions > Add new), you may not be able to select the file. There are two workarounds. First, you can upload the file again, starting in the destination app context. For example, to upload it to the search app, make sure you start from the search app. Second, if the file is already uploaded, change the file's permission so that it is global. For example, in the permissions view, under "Object appears" select "All apps". (SPL-51601)
  • Splunk Web may become unresponsive if excessive session lock files exist in $SPLUNK_HOME/var/run/splunk. This may occur if an unsupported browser is used to access Splunk Web, or if unexpected requests are made to Splunk Web (such as by a health check app). To work around this, set up a job to delete session* files in this directory that are older than one day. (SPL-37409)
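The following shell script implements the SPL-37409 workaround as a scheduled job. It is an added example, not code from the Splunk release notes: the prune_session_files function and its arguments are assumptions, and it defaults SPLUNK_HOME to /opt/splunk when the variable is unset. It stays in the top level of the directory so that nothing under dispatch/ or other subdirectories is touched, and it only removes regular files whose names begin with "session".

```shell
#!/bin/sh
# Added example (not from the Splunk release notes): prune stale Splunk Web
# session lock files, the SPL-37409 workaround.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; the "older than one day"
# threshold is exposed as an optional second argument.

prune_session_files() {
    dir="${1:-${SPLUNK_HOME:-/opt/splunk}/var/run/splunk}"
    max_age_days="${2:-1}"
    [ -d "$dir" ] || { echo "prune_session_files: no such directory: $dir" >&2; return 1; }
    # -maxdepth 1 : stay out of dispatch/ and other subdirectories
    # -type f     : never follow or remove directories
    # -mtime +N   : last modified more than N*24 hours ago
    find "$dir" -maxdepth 1 -type f -name 'session*' -mtime "+$max_age_days" -print -delete
}

# Count the session* files left in the directory (used to verify a run).
count_session_files() {
    find "${1:-${SPLUNK_HOME:-/opt/splunk}/var/run/splunk}" -maxdepth 1 -type f -name 'session*' | wc -l | tr -d ' '
}
```

Save the script (for example as /usr/local/sbin/prune_splunk_sessions.sh) and run it from cron once a day, e.g. "0 3 * * * /usr/local/sbin/prune_splunk_sessions.sh", as the user that owns $SPLUNK_HOME. Run it first with "-print" only (drop "-delete") if you want to review what would be removed.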

Charting and drill-down issues

  • When a chart displays an "OTHER" bucket of values, drilling down into it adds myfield="OTHER" to the search string. (SPL-30399)

Search, saved search, alerting, scheduling, and job management issues

  • When running a search with time range modifiers, such as startminutesago or earliest, the displayed time range message still shows the time based on the time range picker. The results are correct. (SPL-33409)
  • There is no way to escape an asterisk (*) in the search language. (SPL-30079)
  • CLI search doesn't warn on stderr when results were truncated due to the maxout limit. (SPL-35478)
  • The error message shown when searching for an invalid search string does not disappear when a valid search is executed. (SPL-34144)
  • Email alert sends attachment in csv despite format=plain being set in alert_actions.conf or action.email.format=plain in savedsearches.conf. (SPL-38858)
  • On Windows, lookup tables populated by scheduled searches could fail to be updated if there is a search running and using the lookup at the time of the update attempt. (SPL-40332)
  • Internet Explorer is not displaying multilined events preceded with spaces such as Windows Event log events, WMI events or XML. (SPL-40354)
  • The spath command does not correctly recognize and extract nested XML elements unless you list every element above the one you want to extract. (SPL-46890)
  • Leaving a browser open on the summary dashboard of the search app for a long time can cause the system to run out of memory. This is caused by a memory leak affecting real-time metadata searches such as those that the search app's summary dashboard runs. (SPL-45901) For work-around instructions, see this Splunk Answer.
  • The like function does not accept sub-functions. For example: | where A like(lower(B)). The workaround is to apply the sub-function in an eval expression first: | eval B=lower(B). (SPL-47213)
  • Sparklines do not display in email alerts. The email will display the backing data rather than rendering the sparklines. Workaround: Use the PDF Server app to email a PDF of the report. (SPL-48265)
  • The Create Alert and Schedule Search dialog boxes in the Search app, under "send email," are missing the option to include search results as PDF. Workaround: Enable PDF email alerts in Manager > Searches and reports. (SPL-46832)
  • _time format is not human-readable when you export events using the Export button. Workaround: use the convert...ctime() function. (SPL-48611)
  • Events from February 29 will not appear in search results if your search is constructed using a relative day time boundary (-1d@d). Workaround: do not use a relative day in your search. (SPL-48724)
  • Scheduled searches with summary indexing plus email alerts with conditions are not generating summary data. Workaround: use the Always condition and create a separate search for email alerting. (SPL-47904)
  • Export with Unlimited for csv, xml or json in the Advanced Charting view generates a zero (0) byte file. (SPL-51334) Workaround: in Manager > User Interface > Views > charting, replace the text "event" with "result" in the following XML entry and Save. A restart is not necessary: <module name="Export"><param name="exportType">event</param></module>
  • The simultaneous running of many summary indexing searches that use the 'stash_new' command can result in a namespace collision, which can cause errors in splunkd.log similar to "WARN FileClassifierManager - The file '/var/fflanda/splunk/var/spool/splunk/RMD5257b69c72240c88d_342014304.stash_new' is invalid. Reason: binary" and block summary indexing searches from running. To work around this issue, turn off binary checking by editing $SPLUNK_HOME/etc/local/props.conf and setting NO_BINARY_CHECK=1 under the [stash_new] stanza. (SPL-59578)
  • Modifying _time in a subsearch may return an incorrect number of events, with no warning or error message in the logs. A workaround is to modify _time in the main search instead. (SPL-45787)

Localization, internationalization, and character set issues

  • Certain Japanese language OSes, including most versions of Windows, use the ¥ (Yen) symbol to denote backslashes in path names. This can cause issues when monitoring or spooling files, and may require custom regex configurations where a file path is part of the dataset. (SPL-23307)
  • Splunk throws the following error message when data input tar.gz file contains Simplified Chinese characters (GB2312): Input is not proper UTF-8, indicate encoding! (SPL-38488) Workaround: manually extract the CSV files from the tar.gz file and put them in the same data input file path. Splunk will recognize all the CSV files with Chinese file names and all events will be read into Splunk correctly.
  • Time zone extraction can conflict if time zone strings match (for example, EST as US Eastern Standard Time and Australian Eastern Standard Time). Workaround: use an explicit time prefix, a time format that does not include the time zone, or explicitly specify the time zone. (SPL-45509)
  • Extracting an app for localization with "splunk extract i18n -app appname" fails. The workaround is to use an older Splunk version to extract. (SPL-48673)

Dashboard and app development issues

  • Old modules, templates, and other app components are not deleted on upgrade. (SPL-22494)
  • If you specify more than the 3-column maximum for layoutPanel, the error message is not very helpful. (SPL-29295)
  • You can create/update/clone/delete 'Navigation menus', but Splunk Web only uses default.xml. (SPL-30024)
  • On Windows, ServerSideInclude modules cannot use relative paths in their source parameter ("../../myinclude.html"). (SPL-35552)
  • A real-time search dashboard intermittently stops updating short of the actual number of events received. (SPL-37461)
  • As of 4.2.1, Splunk has removed support for illegal characters in URIs. Apps that add explicit links to the view XML containing unencoded unsafe URL characters will fail with a 500 error.
  • Using showsource=1 to convert a simple XML dashboard to advanced XML sometimes generates incorrect advanced XML. (SPL-48485)

Windows-specific issues

  • The Message field is not extracted and is therefore missing from imported Windows event log file (.evt) data. (SPL-24947)
  • Timestamps are not set correctly for comment lines in W3C (aka Internet Information Server (IIS) and Exchange) log files. (SPL-29111)
  • The splunkd.exe executable on Windows generates about 4,000 page faults/sec when running the Windows app (only) with all the inputs turned on. This is not necessarily a real problem, since most of the page faults will be cache hits and won't end up as hard (on-disk) page faults. However, if the machine is under memory pressure (perhaps from another RAM-hungry app) then splunkd's behavior may cause lots of hard page faults/sec. (SPL-30343)
  • On Windows XP and Server 2003 systems, Event Log checkpointing fails if you stop Splunk, clean the events, and restart Splunk. To work around this issue, don't stop Splunk when you clean the events. (SPL-29594)
  • The Windows Service Control Manager will interrupt the shutdown of the splunkd or splunkweb processes if it doesn't complete in the allotted 30 seconds. This will result in an unclean shutdown and Splunk will prompt the administrator to perform fast recovery on the indexes on the next splunkd start. (SPL-37653)
  • Splunk does not pass a warning message when it tries to index a corrupt or invalid gzip file on Windows. (SPL-42212)
  • The Universal Forwarder installer on Windows does not copy certificates from Windows/Samba shared directories. (SPL-45590)
  • In Data Preview, empty lines can appear if the empty line is the first item in a 4KB segment. (SPL-46010)
  • If you upgrade a Splunk instance with Windows Registry monitoring inputs enabled from 4.2 to 4.3, the behavior of those inputs might change due to the way Splunk now handles default Registry monitoring configurations. To restore default behavior, either install the Windows app or technology add-on (TA), or make changes to regmon-filters.conf as shown in "Workaround for Registry Monitoring configuration issue." (SPL-46805, SPL-46844, SPL-46912)
  • On Windows, uploading a new app from Manager returns "error processing the upload", changing a server to a license slave fails with "invalid string uri", and the sendemail script and email alerts fail. This occurs only if the user is not using the default server time zone in his or her profile. Workaround: change the user profile time zone to use the default server time zone, or do not specify a user time zone. (SPL-48993)
  • The Windows universal forwarder does not automatically extract the date_* fields from Windows events. To work around this problem, use a search-time extraction on the indexer. (SPL-51303)
  • On Windows 2008 R2, blue screens can occur when the IRP returned is NULL within the splunkdrv-win6.sys driver. (SPL-45149)
  • When a Windows Event Log file (.evt/.evtx) is read by a [monitor::] stanza and Splunk is restarted while it is still reading the file, Splunk stops indexing the Event Log partway through. (SPL-61602)

CLI issues

  • The universal forwarder fails to recognize that indexes should be remote when being specified via CLI. (SPL-38182) To work around this, specify the destination index manually in inputs.conf.
  • The CLI export command does not return results when flags are added for filtering. (SPL-45694)
  • The server.conf spec indicates that you can set requireClientCert = true in order to require that HTTPS clients connecting to the splunkd process present a certificate signed by the CA whose public certificate is defined in caCertFile. Because the Splunk CLI cannot be configured to present an SSL certificate, setting requireClientCert = true in server.conf breaks its ability to communicate with splunkd. (SPL-47585)
  • The $SPLUNK_HOME/bin/bloom utility creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility until this issue is fixed. (SPL-50742)

Distributed deployment, forwarder, deployment server, and deployment monitor issues

  • Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
  • Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed. (SPL-30065)
  • When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext. (SPL-26529)
  • You can't use Manager to specify an app for deployment server to deploy, you can only specify server classes. (SPL-29903)
  • Light forwarders are unable to load-balance incoming UDP data across several indexers using autoLB. In this situation the data is forwarded to one indexer only. A "heavy", or full, forwarder is currently needed to achieve this. (SPL-32708)
  • The forwarder startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
  • If you install a universal forwarder on the same *nix machine as a regular Splunk installation, they overwrite each other's services upon running "enable boot-start". (SPL-36032)
  • Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
  • Distributed search bundle replication from *nix to Windows with illegal Windows file name characters in file name can cause bundle extraction to fail. This operation can loop and cause unwanted disk space to be used that is normally used for bundle extraction. (SPL-39464)
  • Charts in the deployment monitor do not show data if the increment selected is 30 minutes or less. To work around this issue, when searching over timeranges of 30 min or less, use forwarder_metrics and per_index_metrics macros to run searches against the logs rather than against summaries. For example:
    • The search that populates the forwarder summary index is: `forwarder_metrics` | eval lastReceived = if(kb>0, _time, null) | `forwarder_lookup_stats("max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps")`.
    • The search that populates the indexer summary index is `per_index_metrics` | stats sum(kb) as kb by splunk_server | join type="outer" splunk_server [ search `indexer_queue_stats`] | rename splunk_server as my_splunk_server (SPL-39701)
  • The TCP input processor sometimes writes confusing but harmless messages in the splunkd.log of an indexer : "ERROR TcpInputProc - Error encountered for connection from src=xxx.xxx.xxx. Success". These can be safely ignored. (SPL-34584)
  • Under certain circumstances when deploying apps, the deployment client will return the following error message: Cannot update application info: /nobody/appname/app/install/state = enabled: Metadata could not be written: /nobody/appname/app/install/state: { }, removable: yes. Workaround: create a file and folder /metadata/local.meta in the installation tree of the app that the deployment server is deploying. (SPL-45019)
  • Deleting an application from the deployment server does not honour the restartSplunkd = true and restartSplunkWeb = true variables in serverclass.conf. Workaround: manually restart Splunk on affected deployment clients. (SPL-41345)
  • Round-robin load balancing does not work. Note/workaround: round-robin load balancing was deprecated in Splunk 4.2 and automatic load balancing is now the default. (SPL-46856)
  • The "Deployment Monitor" app's "MB Indexed" dashboard reports incorrect volume if other Splunk instances are sending metrics.log to search peers. (SPL-48887)
  • The "Deployment Monitor" app's "By License Pool" report shows nearly double the daily usage of the "By Indexer" report. (SPL-49519)
  • The Windows universal forwarder does not automatically extract the date_* fields from Windows events. To work around this problem, use a search-time extraction on the indexer. (SPL-51303)
  • An attribute, syslogSourceType, for syslog routing does not work. (SPL-64400)
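The SPL-26529 item above says that configuration files copied to another system need either the source's splunk.secret or the hashed fields reverted to cleartext. The shell script below is an added example, not code from the release notes, that lists those fields on the source instance before a migration so the administrator knows which values will not decrypt on the destination. It assumes (this page does not state it) that values encrypted with splunk.secret in Splunk 4.x are stored with a "$1$" prefix; the function names and the /opt/splunk default are also assumptions.

```shell
#!/bin/sh
# Added example (not from the Splunk release notes): find settings in
# $SPLUNK_HOME/etc whose values were encrypted with this instance's splunk.secret.
# Assumption: Splunk 4.x stores such values with a "$1$" prefix.

list_secret_dependent_settings() {
    etc_dir="${1:-${SPLUNK_HOME:-/opt/splunk}/etc}"
    # Match "key = $1$..." in .conf files only (.txt, .meta and other files are
    # ignored) and print file:line so each field can be re-entered in cleartext
    # on the destination if splunk.secret will not be copied along.
    grep -rn -E '^[[:space:]]*[A-Za-z0-9_.]+[[:space:]]*=[[:space:]]*\$1\$' \
        --include='*.conf' "$etc_dir" 2>/dev/null
}

# Number of secret-dependent settings found (0 means the tree can be copied
# without splunk.secret, as far as encrypted values are concerned).
count_secret_dependent_settings() {
    list_secret_dependent_settings "$1" | wc -l | tr -d ' '
}
```

Run it on the source instance before copying $SPLUNK_HOME/etc. If the count is non-zero and you do not intend to copy $SPLUNK_HOME/etc/auth/splunk.secret as well, re-enter each listed value in cleartext on the destination (the second option the issue describes); the destination instance then re-encrypts it with its own splunk.secret on startup.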

Startup and shutdown issues

  • On shutdown, many WARN lines are displayed in splunk.log that should actually be INFO. These lines can be safely ignored. (SPL-24862)
  • If the splunk stop command is run while the splunk start command is still in the process of completing, Splunk may shut down uncleanly and lose data. (SPL-37510)
  • When starting Splunk, if there happens to be a duplicate bucket ID (same ID in both warm and hot DB), splunkd will crash due to an uncaught DatabaseDirectoryManagerException exception. (SPL-36819)
  • A crash of splunkd can occur on start-up due to the DispatchReaper thread failing to properly parse a search artifact in the search dispatch directory. The workaround is to delete the contents of the dispatch directory ($SPLUNK_HOME/var/run/splunk/dispatch/) and start Splunk again. (SPL-47232)

Unsorted issues

  • When Splunk Web is configured with listenOnIPv6 = yes, only an IPv4 listener is created. (SPL-51911)
  • Splunk doesn't run on FreeBSD with ZFS. (SPL-30317)
  • BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
  • PDF Server App is outputting PDF Reports with some overlapping panels. (SPL-38101)
  • PDF Server App fails with the following error: "An error occurred while generating a PDF of this report: Failed to generate PDF: Appserver failed to dispatch report request to /services/pdfserver/renderpdf: Splunkd daemon is not responding: ('The read operation timed out',)". (SPL-48455)
  • PDF Server App does not print a test page if splunkd is configured to listen on IPv6 while splunkweb is not configured for IPv6. Error in python.log: "(400) Remote host does not look like a Splunk server; aborting PDF." Emailed PDFs still work. (SPL-45876)
  • RPM package verification ("rpm -V splunk-xxx-xxx.rpm") returns the message "missing splunk-launch.conf.default" even though the content does not have a problem. (SPL-35181)
  • Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
  • When adding the hostname for the localhost/report server under Manager » System settings » Email alert settings, there is no place to add the port number. (SPL-53789)
  • Splunk diag --exclude is not implemented for the Universal Forwarder. (SPL-52926)
  • When you install Splunk on Ubuntu using the Ubuntu Software Center and the .deb package, Ubuntu displays an error message that the package is of bad quality. Workaround: install using the .tgz file (SPL-43264).
  • The indexes.conf maxVolumeSizeMB parameter is compared to a calculated "apparent size" on disk when determining index disk usage. Depending upon the file system, a disparity between how large the index is allowed to grow on disk and the configured maxVolumeSizeMB can appear. (SPL-54326)
  • On an instance that is not the license master, the "See License Manager" link in a license warning message points to the Splunk instance itself, not to its license master. Visit the license master's Manager -> Licensing view for warning/alert messages. (SPL-42070)

This documentation applies to the following versions of Splunk® Enterprise: 4.3
