Splunk® Enterprise

Release Notes

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Known issues

The following are issues and workarounds for this version of Splunk.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Security issues

  • Reflected XSS in Splunk Web (SPL-59895, CVE-2012-6447)
  • Unquoted Service Path in Windows for Universal Forwarder (SPL-60250)
  • Plaintext Recovery Attack and DoS in OpenSSL 0.9.8.x (SPL-61546)

The issues above have been addressed in Splunk 5.0.3. For information, refer to this posting on the Splunk Security Portal.

  • Lack of enforcing X-Frame-Options allows for “Clickjacking” attack on Splunk Web (SPL-65987).

This issue is resolved in version 5.0.4. For information, refer to this posting on the Splunk Security Portal.

Highlighted issues

  • Significant increase in indexer latency and reduction in throughput of up to 75% related to execution of MaxDataSize settings in indexes.conf, which can result in the indexer(s) refusing forwarder connections. This issue is more likely to manifest in deployments with slower storage volumes. To mitigate this issue, edit the appropriate copy of indexes.conf to set serviceOnlyAsNeeded to false when indexes with values set for homePath.MaxDataSizeMB or coldPath.MaxDataSizeMB are present. (SPL-58689)
  • A 500 Internal Server Error is displayed when using Manager to edit or create a saved search, add a data input, list or edit indexes, or edit user roles. (SPL-58872, SPL-58650).

Data input issues

  • During upgrade, if a Splunk instance times out with the message, "Conf is currently being modified by process <some process ID>", run the command splunk clean locks on the instance and retry the upgrade. (SPL-60905)
  • Adding an input using the CLI results in different capital case in source name if you use monitor vs oneshot. (SPL-54816)
  • If you edit indexes.conf by hand to add an index with a mixed-case name, you cannot add an input to that index. (SPL-51167)
  • Can't edit a UDP input if the value includes a value in the 'restrict to host' field. (SPL-47146)
  • The file browser in Data Preview will display an error and only part of the file system when trying to load large numbers of subdirectories (100+) and files (1000+). (SPL-46503)
  • In Australia, with devices set to Australia/Sydney (Australia Eastern), logs get generated as 11/16/11 10:30:00 EST, and Splunk (or the machine) interprets EST as US Eastern. (SPL-56076)
  • Cannot edit a scripted input containing backslashes in Manager on OS X. (SPL-56043)
  • WARNs about "Endpoint has not specified a type for val=auto, will return this as a string in JSON API." in splunkd.log when adding an index via the CLI. (SPL-53640)
  • Index names cannot contain uppercase (capital) letters. (SPL-55544)
  • A trailing backslash (\) on an inputs.conf monitor stanza belonging to the source attribute will corrupt the sources.data file and Splunk will not start. (SPL-33760)
  • monitor inputs using the followTail setting sometimes will index some older events or all events from log files which are updated when not intended. (SPL-23555)
  • Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases. (SPL-31576)
  • When specifying a monitor input with a wildcard at the root level in Windows, Splunk logs an error and fails to index the desired files. (SPL-37087)
  • When you add a CSV or IIS source type, Splunk appends -1, -2 and so on to the source type name. (SPL-43865)
  • In rare cases, a monitor input for rotating log files can result in log.* being completely re-indexed. Workaround: adjust log rotation so that files are rotated before reaching 20MB in size. (SPL-58862)
  • Indexer throttled and indexing paused with "...too many tsidx files in bucket=* Is splunk-optimize working? if not, low disk space may be the cause..." message displayed in Splunk Web. To work around this issue, restart splunkd. (SPL-58922)

Charting issues

  • The majorUnit parameter is not supported in JSChart for time axes (it is supported for numeric axes), but usage of it in Simple XML does not automatically force the chart to display in Flash. Instead, Splunk ignores any manually defined majorUnit setting you provide. As a workaround, include another unsupported-by-JSChart property definition to force the chart to display in Flash with your majorUnit setting in place. For example, if you are trying to set a 1 hour major unit (using a tag like <option name="charting.axisLabelsX.majorUnit">P0Y0M0DT1H0M0S</option>), add <option name="charting.scaleX">1</option> to the Simple XML for the chart. This causes the chart to render correctly in Flash with the major unit displaying in 1 hour increments along the X axis. (SPL-52051, SPL-50934)
  • Column charts may not render correctly in IE8 in compatibility mode. (SPL-54749)
  • Setting the "stack mode" changes the 'multi-series mode'. (SPL-48439)
  • When a chart displays an "OTHER" bucket of values, drilling down into it adds myfield="OTHER" to the search string. (SPL-30399)
  • Running "<my search> | chart count by host span=log10" gives the error "Error in chart command. The value for option span is invalid". (SPL-58175)
  • The "Edit report" link is missing when you load a saved report from Splunk Web. To work around this issue, edit the report in Manager > Searches and Reports. (SPL-59182)

Index replication issues

  • During a rolling restart, the cluster master is showing indexes as unavailable for searching, despite having 2 of the 3 nodes available. (SPL-55972)
  • Certain actions can disable distributed search. These actions include: restarting the master and peer nodes; running clean all -f; stopping the master and peer nodes and upgrading them to a newer build. Workaround is to re-enable distributed search and restart the master. (SPL-56643)
  • Using the delete operator on clustered data can potentially result in unintended events getting deleted. In most cases it will result in intended events not getting deleted. (SPL-56812)
  • Deleted files on a hot bucket exist only on the source peer and will be lost if the source peer goes down before rolling the bucket. (SPL-52062)
  • splunkd hangs when an instance is configured as a peer and the master is not available. (SPL-54657)
  • If you increase the search factor on a cluster, some non-searchable bucket copies are made searchable which aren't actually searchable until they're rolled. To ensure that all copies get rolled, perform a rolling-restart on the cluster peers right after you increase the search factor. Increasing the search factor requires the cluster to make searchable copies for each of the existing cluster buckets which places a heavy processing load on the cluster. (SPL-54694)
  • Disabling clustering on a peer node and then attempting to re-enable it later causes hot buckets to be handled incorrectly, which means the peer cannot be added back into the cluster. This scenario occurs when you take an existing peer node and disable clustering on it (turning it into a standalone indexer), and then subsequently re-enable clustering to turn it back into a peer on its original cluster. In this situation, any hot buckets that were created on the peer but not rolled when clustering was still enabled will get rolled after you disable clustering and restart the indexer. At that point, they get marked as standalone buckets, since the indexer is no longer a peer. Those buckets also exist on the remaining cluster as replicated buckets, since they were streamed to other peers while the indexer in question was still a peer. If you then re-enable clustering on the peer and restart it, the bucket conflict causes the peer to fail to register with the master. (SPL-52901)
  • When you deploy a cluster master with no peers or search head and do not add any within 2-3 minutes, a duplicate error "Received an empty peer list from the master" is displayed. (SPL-55532)
  • Replication connection failures show up as "WARN BucketReplicator - Failed to replicate warm bucket" in splunkd.log (but the bucket is still replicated). (SPL-55413)
  • Crash in TcpOutEloop on a third node when two other nodes have been taken offline. (SPL-53753)
  • When configuring a clustering peer, a misconfiguration of server.conf (for example, configuring an instance as a peer when there is no master available) could cause splunkd to hang. (SPL-54657, SPL-53447)
  • Setting sslVerifyServerCert=true is not being picked up and no validation takes place when clients are replicated. (SPL-56368)
  • Peers cannot add themselves to cluster if splunkd SSL is disabled on the master, or if the peers have SSL disabled and the master has it enabled. (SPL-56179)
  • When there are network issues between peers, lots of small buckets are created because the master continues to schedule replications to that peer. (SPL-56244)
  • The clustering manager dashboard loads more slowly if there are many buckets. (SPL-56172)
  • When the specified replication port is not available, there is no error message and splunkd will not start. (SPL-55216)
  • Indexing a small amount of data on a peer with clustering disabled and then stopping, and enabling clustering on it will result in warnings in the peer's splunkd.log about "status=skipping reason="could not get size for journal" and the data is unsearchable until clustering is disabled on that peer. (SPL-54805)
  • Piping a search to the delete operator is not applied to replicated copies if the primary peer fails right after the delete happens. (SPL-54063, SPL-51974)
  • The splunk list cluster-master-generation command does not list peer list for generation. (SPL-53096)
  • Clustering peers get stuck at the license agreement prompt when restarting the first time after an upgrade if you run a rolling restart. (SPL-52871)
  • A node that has been re-added to the cluster (after failure) does not get searched. (SPL-52828)
  • If an invalid active bundle exists on the master, slave keeps downloading it every second and spams splunkd.log. (SPL-51320)
  • The message in splunkd.log on the peer is confusing when the peer is disconnected from the replication port ("Received unexpected <n> byte message!"). (SPL-56302)
  • Lots of "Examining bucket" debug messages in web_service.log when viewing index replication dashboard. (SPL-56240)
  • If you configure a cluster master with replication factor of n and configure fewer than n peers, peers are redirected to the configuration page even if it is fully configured, until at least n peers are configured. (SPL-56144)
  • "A splunktcp forwarder port is not configured in inputs.conf" error message appears on forwarder/search head/master when it should only appear on the affected slave. (SPL-56019)
  • Changing an instance to master from peer in Splunk Web does not remove master_uri or replication_port from server.conf, although everything works. (SPL-55641)
  • If you deploy a peer with no port, scheme or with an incorrect scheme specified in master_uri, splunkd won't start on the peer and it becomes unresponsive. (SPL-55005)
  • If you set up a cluster peer in Manager, do not specify a TCP port, and ignore the warning, the port is enabled but the configuration is written into $SPLUNK_HOME/etc/system/local. (SPL-54570)
  • An ugly error message is shown in Splunk Web when a peer fails to connect to the master. (SPL-53091)
  • Required fields are not indicated in the index replication pages in Manager. (SPL-53066)
  • When issuing a rolling restart, 'Failed to start search process' messages are written to splunkd.log. (SPL-52430)
  • splunkd.log gets spammed with "master is not enabled on this node" messages every second when you disable clustering on the master. (SPL-50709)
  • Can only specify useACK=true from outputs.conf, not from Manager. (SPL-50000)
  • A cluster master allows a slave with a duplicate guid to add itself to the cluster. (SPL-48149)
  • AckQ causes permanent data stall when a single pData is larger than entire AckQ size. (SPL-82109, SPL-84882)
  • Downloads of knowledge bundles from search heads to search peers could result in bundle corruption on the peers due to timeouts. (SPL-82333)
  • Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created, it goes to /etc/apps, while the same file may exist in /etc/slave-apps, causing this warning. (SPL-70433)

Integrated PDF generation issues

  • When a PDF is generated of a dashboard that includes one or more panels with table visualizations, it's possible that the PDF versions of the tables will include columns for fields that are not seen in the original dashboard tables. The PDF table columns may also appear in a different order than they do in the original dashboard tables. Splunk adds any field in the original stats results of the search to the PDF version of a table, even if the field is restricted from showing in the original dashboard table by the dashboard XML. The workaround for this is to write the search string so it explicitly defines the fields output by the search. You can use the fields or table commands to do this. (SPL-56255)
  • PDF charts do not use the same colors as are used in the onscreen charts, and are inconsistent for a given field from panel to panel. (SPL-48566)
  • PDF wizard uses "admin_xxxx" name for non-English dashboards. (SPL-56279)
  • Row numbers are missing in PDF of simple results tables. (SPL-56248)
  • "Render PDF" button should be (but isn't) greyed out if on a non-supported platform, like HPUX, AIX, or OSX on PowerPC. Without the button being greyed out, clicking "Render PDF" produces "[Errno 2] no such file or directory" in python.log. (SPL-56049)
  • Panel names that have words that are too long to wrap extend off the side of the page. (SPL-54782)
  • "Shiny"-type gauges display as minimal-style gauges in PDF printouts. (SPL-48517)
  • Split multi-series mode charts don't print to PDF. (SPL-48437)
  • If you schedule delivery of a PDF report of a dashboard that includes HTML panels, the PDF report will not be attached to the email. You will see the following error in the python.log: No search job available. To work around this issue, remove the HTML panels from the dashboard. (SPL-64056)
  • <searchTemplate> is not honored as a way to specify a search in a simple XML view when creating a search in a dashboard. To work around this issue, replace <searchTemplate> with <searchString>. (SPL-65757)
  • Heat maps aren't printed. (SPL-73029)
  • Firefox on Windows does not render chart panels in PDF. (SPL-74353) To work around this problem:
      1. Install a free PDF reader if not installed already (http://get.adobe.com/reader/).
      2. Go to Firefox -> options -> Applications.
      3. Set Adobe reader as default app for rendering PDF documents.
  • PDF generation fails when dashboards include HTML (SPL-75106).

Report acceleration issues

  • In Manager, report names appearing on the Report Acceleration Summaries and Report Acceleration Summary Details pages (under Reports using this summary) may be followed by a period. (SPL-56540)
  • Under very specific conditions Splunk can erroneously summarize data in a manner that causes subtle charting errors. This happens when you accelerate a search with an unbounded time range (earliest and/or latest time not set) and a timechart without an explicit span setting. If you accelerate a search of this nature and find yourself running into trouble, try updating the search so its time range is bounded or its timechart command has a span. (SPL-56001)
  • When you switch to Free and then create a summarization (which is not supported in Free), the following error is shown: "TSUM: LicenseRestriction: [HTTP 402] Current license does not allow the requested action". (SPL-56339)
  • If two summaries from searches in two different apps have the same hash, the link to each of them in Manager goes to the same search. (SPL-56040)
  • The Size on Disk report under Report Acceleration Summaries shows incorrect values for admin role users and power role users. (SPL-56331)
  • The Report Acceleration Summary page shows the same accelerated search created by both Admin and Power users on different lines. (SPL-56319)
  • The breadcrumb trail for the Report Acceleration page in Manager always links back to the Search app instead of respecting app context. (SPL-55558)

Search, saved search, alerting, scheduling, and job management issues

  • Searches that contain subsearches do not return data in environments where search heads are running version 5.0.x and indexers are running version 4.3.x. To work around this issue, upgrade indexers to the same version as the search heads. (SPL-62457)
  • Searches with subsearches that use the join command in environments where search heads are running 5.0.x and indexers are running 4.3.x return different data than environments with both search heads and indexers running 4.3.x. (SPL-59398)
  • The simultaneous running of many summary indexing searches that use the 'stash_new' command can result in namespace collision, which can cause errors in splunkd.log similar to "WARN FileClassifierManager - The file '/var/fflanda/splunk/var/spool/splunk/RMD5257b69c72240c88d_342014304.stash_new' is invalid. Reason: binary" and block summary indexing searches from running. To work around this issue, turn off binary checking by editing $SPLUNK_HOME/etc/local/props.conf and setting the value of NO_BINARY_CHECK=1 under the [stash_new] stanza. (SPL-59578)
  • Some new search objects (rtsearch command, and its objects) are not included in the CLI help yet. (SPL-56409)
  • Killed or otherwise 'zombie' search jobs are not flagged as such in Splunk Web, and are displayed differently on different tabs. (SPL-54026, SPL-55455)
  • Time range validation in the Edit Search dialog incorrectly complains about latest time when it is validating earliest time, even if there is no error. To work around this issue, use epoch time format. (SPL-56393)
  • The search assistant continues to return values present only in deleted data. (SPL-54951)
  • The search assistant doesn't complete commands where the cursor is but instead replaces the last part of the search command. (SPL-48546)
  • When starting from a saved search, changing the search string and pressing the search button doesn't clear the module context, and you get errors like "Search cloned false ID". (SPL-54924)
  • In IE, when you click on a dashboard (created by a very long search) and are taken to the flashtimeline, the search is incomplete and broken. (SPL-45760)
  • When adding a pre-existing shared saved search to a dashboard, users can't save the dashboard and can't edit the name of the existing saved search. (SPL-54355)
  • When using the tscollect command, if the string specified for namespace includes single quotes, they will be included in the name of the folder created on the filesystem, although double quotes do not have this problem. (SPL-53458)
  • Creating a realtime backfill saved search in savedsearches.conf does not happen if default_backfill = false in limits.conf. (SPL-53157)
  • The anonymize command does not recognize relative path for source. (SPL-53001)
  • strptime() conversions which contain a timeformat string ending in "%H" do not work because Splunk interprets missing minutes as not matching the regex. (SPL-51772)
  • Using the spath command fails if a field was added from the search assistant. (SPL-46765)
  • Sharing a previously private scheduled summary index-populating search in a shp environment may result in duplicate runs of the search and therefore duplicate data. (SPL-46970)
  • Using mode=sed with the rex command does not replace characters with the '\' value correctly. (SPL-55549)
  • The date_* fields, such as date_hour, have values based on UTC and are not timezone-aware. Never use these fields if you are searching events in a non-UTC timezone. (SPL-56028)
  • Users with custom roles may receive a "Client is not authorized to perform requested action..." error when attempting to change permissions of their own saved searches. (SPL-58729)
  • In AutoKV prior to 5.0, an event that contained key value pairs encapsulated in double-quotes and included a trailing ' / ' was treated as one value. Now, the backslash acts as an escape for the double-quote, causing AutoKV to consume everything up to the next double quote as part of the value. (SPL-58852)
  • Summary index file header gets indexed when using the collect command. (SPL-58176)
  • Searches do not match with numeric values for indexed fields with uppercase characters. (SPL-60142)
  • Real-time search/alerts sometimes have unacceptable latency (>10 seconds). (SPL-60620, SPL-60376)
  • python.log can grow due to email alerts automatically logged in DEBUG mode: INFO sendemail:mail sendPDF ...DEBUG Preloading from '/opt/splunk/var/run/splunk/merged/server.conf'. (SPL-64933)
  • Modifying _time in a subsearch may result in an incorrect number of events being returned. There is no warning or error message in the logs, either. A workaround is to use the main search if the _time value needs to be modified. (SPL-45787)
  • If you use | reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated. (SPL-67642)
  • In a distributed search environment, the "reverse" search command returns records out of order. (SPL-78110)
  • Customers are unable to search a specific time range due to an error that states "Earliest time cannot be greater than latest time." Workaround: add earliest= and latest= commands to the search query. (SPL-90717)

Splunk Web and Manager interface issues

  • If you change the value in "Path to indexes" (Manager > System Settings > General Settings), you must use the CLI to restart Splunk. If you restart from within Manager, the change will not take effect. (SPL-55858, SPL-55770)
  • Tags created via Splunk Web of fields that include special characters are double-encoded in tags.conf and will not display correctly. (SPL-53510)
  • Clicking on "Collapse all" doesn't collapse the tree to the root nodes in "view source" mode. (SPL-51328)
  • If you misconfigure an LDAP strategy in authentication.conf, you can't fix it in Manager. (SPL-51024)
  • When you zoom several times, charts do not resize correctly when toggled into edit mode. (SPL-46211)
  • When you edit a dashboard using the Visualization Editor, any comment tags you had in your XML may be re-arranged. (SPL-52004)
  • Splunk Web still thinks your license is expired if you replace it behind the scenes. To work around this issue, choose 'Enter a new license number' and then log in. (SPL-28582)
  • The indexing status dashboard's "Index health" graph and "Analysis of index bucket" do not work for multiple indexes, only a single index. (SPL-34123)
  • If you upload a lookup table file (Manager > Lookups > Lookup tables files) and then try to configure a new lookup definition (Manager > Lookups > Lookup definitions > Add new), you may not be able to select the file. There are two workarounds. First, you can upload the file again, starting in the destination app context. For example, to upload it to the search app, make sure you start from the search app. Second, if the file is already uploaded, change the file's permission so that it is global. For example, in the permissions view, under "Object appears" select "All apps". (SPL-36241, SPL-51601)
  • "Metadata results from this peer are incomplete: the peer has over 100000 entries" message in the summary dashboard in large environment (SPL-58112). To work around this issue, increase the value of [metadata] maxcount=500000 in limits.conf.
  • In IE6, drilling down and then hitting the Back button on the browser can cause dropdowns to not work or the search in question to use incorrect values for source type. (SPL-59089)
  • The "Edit report" link is missing when you load a saved report from Splunk Web. To work around this issue, edit the report in Manager > Searches and Reports. (SPL-59182)
  • The "Next" link in Splunk Web should be grayed out after displaying by default 10K events in 4.3.x and 1K events in 5.0.x. Clicking "Next" at this point will display an empty page. (SPL-64905)
  • The paginator calculates the number of pages based on oldest buckets instead of the most recent which causes some pages to be inaccessible or blank. (SPL-73077)
  • If the session timeout (Manager > System Settings > General Settings) is set to less than 60 seconds, the Splunk Web login page displays a "Your session has expired" warning message. (SPL-73413)

Distributed deployment, forwarder, and deployment server issues

  • The splunk list forward-server command does not indicate (ssl) when using common settings under default group. (SPL-55827)
  • The dbinspect command only allows for information on the local server and does not work in the context of distributed search. (SPL-56188)
  • Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
  • Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed. (SPL-30065)
  • When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext. (SPL-26529)
  • You can't use Manager to specify an app for deployment server to deploy, you can only specify server classes. (SPL-29903)
  • Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
  • Forwarder startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
  • Distributed search bundle replication from *nix to Windows with illegal Windows file name characters in file name can cause bundle extraction to fail. This operation can loop and cause unwanted disk space to be used that is normally used for bundle extraction. (SPL-39464)
  • Different results for sub-searches when there is a mismatch of versions between search-heads (5.0.0, 5.0.1, 5.0.2) and search-peers (on older version 3.* or 4.*). Workaround is to upgrade search-peers to 5.0.*. (SPL-59398)
  • An attribute, syslogSourceType, for syslog routing does not work. (SPL-64400)
  • Search heads request truncated replicated bundle listing from indexers, causing problems if a bundle >30 entries in the past is needed. (SPL-86758)

Windows-specific issues

  • On Windows 8 and Windows Server 2012, nothing happens when you click on the "Browse Server" button when adding files or directories to monitor from the "Add data" wizard page. This is due to an issue with Internet Explorer 10, which comes with these operating systems. To work around this issue, install and use another Web browser, such as Google Chrome or Mozilla Firefox. (SPL-55994)
  • If the Splunk installer cannot start its pre-flight checks during an upgrade, it improperly rolls back the upgrade, resulting in missing files in the %SPLUNK_HOME/bin directory. Index files are not affected. (SPL-53796)
  • When you run the diag command, Splunk generates an "Error duping file" message. Splunk creates the diag file properly, however. (SPL-56016)
  • Splunk's universal forwarder installer improperly ignores the PERFMON and MONITOR_PATH installation flags when you install it from the command line using msiexec /i. (SPL-54615)
  • If you abort an upgrade by clicking the "Cancel" button to exit the installer, you then cannot roll back the upgrade later. (SPL-53796)
  • If you specify an incorrect WMI Query Language (WQL) parameter in wmi.conf on a forwarder, the forwarder doesn't send any WMI data, even data retrieved from correct WQL queries elsewhere in the wmi.conf file. (SPL-52403)
  • LDAP authentication does not work on Windows over Internet Protocol version 6 (IPv6). (SPL-48342)
  • When you add a custom Registry Monitor input with regmon-filters.conf or add a HKEY_LOCAL_MACHINE input through Splunk Web, Splunk also improperly adds a HKEY_USERS input. (SPL-47565)
  • Splunk does not capture Registry events that occur within the first 30 seconds of either starting Registry Monitor or creation of a new Registry key, due to Registry Monitor's initialization lag. (SPL-43913)
  • If you upgrade a universal forwarder on Windows multiple times, the installer adds multiple universal forwarder items in the Windows "Installed programs" list. (SPL-54836)
  • Splunk on Windows does not properly update or save lookup tables when it accesses them with a search. (SPL-40332)
  • In Internet Explorer, Splunk Web does not properly display multi-lined events preceded with spaces (such as Windows Event log events, WMI events or XML). To work around this, turn off "Wrap results" in the Options menu. (SPL-40354)
  • Splunk does not correctly set timestamps for comment lines in W3C-compliant (Internet Information Server (IIS) and Exchange) log files. (SPL-29111)
  • Splunk does not pass a warning message when it tries to index a corrupt or invalid gzip file on Windows. (SPL-42212)
  • The universal forwarder installer on Windows does not copy certificates from Windows- or Samba-shared directories. (SPL-45590)
  • The Windows universal forwarder does not automatically extract the date_* fields from Windows events. To work around this problem, use a search-time extraction on the indexer. (SPL-51303)
  • If Splunk's Active Directory monitor encounters any kind of network error when communicating with a domain controller (DC) during the process of monitoring it, the active directory monitor terminates the offending thread, and no longer monitors that DC until Splunk relaunches Active Directory monitoring at the next monitoring interval. To work around this problem, install a universal forwarder on to each DC you want to monitor. (SPL-56471, SPL-56946)
  • In Internet Explorer 6, if you click the "Back" button after drilling down into a chart or dashboard, some dropdowns in the chart can subsequently stop working. Additionally, the search that supports the chart can use incorrect values for the source type. (SPL-59089)
  • Indexing multiple zip archives of EVT files with identically named contents can cause missing events if a file is not completely indexed before the next one is unarchived. Index one archive at a time instead. (SPL-60693, SPL-61081)
  • Splunk does not properly index archives of EVT files which contain subdirectories. (SPL-61056)
  • When you perform network-intensive activities in Splunk on Windows, such as invoking more than six concurrent real-time search requests, or configuring a deployment client to point to a deployment server which is on the same computer, the system could become inaccessible from the network within a period of 8 to 12 hours. For additional information on how to work around this problem, read "Workaround for network accessibility issues on Splunk Windows systems under certain conditions" in this manual. (SPL-56429, SPL-59963, SPL-60511)
  • A deployment server initiating a restart after application deployment on a Windows UF takes longer than Windows allows. The Windows event system reports the generic error: A timeout was reached 30000 milliseconds while waiting for a transaction response. (SPL-61193)
  • When a Windows Event Log file (.evt/evtx) is read by a [monitor::] stanza, Splunk stops indexing the Event Log partway through if Splunk is restarted while it is still reading the evt(x) file. (SPL-61602)
  • On Windows hosts with multiple CPUs, Splunk's performance monitor does not return values of greater than 100 for the % Processor Time counter, even though the counter itself might be returning greater values. (SPL-70533)

Unsorted issues

  • The "quota" attribute for the licenser/pools REST endpoint is inconsistent between the XML and JSON outputs. (SPL-53124)
  • When you update an endpoint (for example, by a POST to apps/local/{name}), some endpoints return the updated entity (i.e. echo) and some don't. (SPL-50391)
  • JSON output for events, results, and results_preview does not seem to respect segmentation=full. (SPL-51799)
  • Changing the value of SPLUNK_DB and restarting from Manager does not respect the SPLUNK_DB change, whereas restarting from the command line does. (SPL-55858)
  • The results_preview REST endpoint reports preview=0 when there are no results even if the job is still running. (SPL-55567)
  • Endpoints do not consistently provide eai:attributes/fields information. (SPL-50881)
  • Treeviewer does not detect change of AD structure. (SPL-53277)
  • When exporting events, time bounds are not respected if you have run the original event-generating search against a wider timerange. (SPL-47926)
  • Cannot delete a disabled index via the REST API. (SPL-56114)
  • Simple XML form searches using the populatingSavedSearch parameter will fail if any whitespace characters are present before and/or after the saved search name. (SPL-57181)
  • The universal forwarder fails to recognize that indexes should be remote when they are specified via the CLI. To work around this, specify the destination index manually in inputs.conf. (SPL-38182)
  • The $SPLUNK_HOME/bin/bloom utility is unsupported and creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility. (SPL-50742)
  • When starting Splunk, if there happens to be a duplicate bucket ID (same ID in both warm and hot DB), splunkd will crash due to an uncaught DatabaseDirectoryManagerException exception. (SPL-36819)
  • BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
  • Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
  • Splunk can experience intermittent crashes in different threads on AIX due to an unresolved gcc bug in AIX. (SPL-49004)
  • When you install Splunk on Ubuntu using the Ubuntu Software Center and the .deb package, Ubuntu displays an error message that the package is of bad quality. Workaround: install using the .tgz file (SPL-43264).
  • Splunk on AIX hangs the first time it is run. To work around this issue, add the following to $SPLUNK_HOME/etc/splunk-launch.conf: SPLUNK_IGNORE_ICU_TIMEZONES=1. Do not add this setting unless you are experiencing the hanging issue. (SPL-58929)
  • MainTailingThread crashes splunkd with a message that says 'Assertion failed: bytesToHash < 1048576' (SPL-58292)
  • After an upgrade from 4.3.x, splunkd.log reports many occurrences of ERROR ProcessDispatchedSearch - PROCESS_SEARCH - Error opening "": No such file or directory (SPL-63237)
  • splunkd.log reports ERROR HTTPClient - Invalid URI fragment "": can't find hostname (SPL-63568)
  • Splunk Web crashes or becomes unresponsive when you click the Next link quickly in the event list. (SPL-64911, SPL-65692)
  • On a Splunk instance that is not the license master, the "See License Manager" link in a license warning message points to the Splunk instance itself, not to its license master. To see warning and alert messages, go to the Manager -> Licensing view on the license master. (SPL-42070)
  • When bindDNpassword is empty, running the command "splunk reload auth" or restarting Splunk removes the roleMap attributes from $SPLUNK_HOME/etc/system/local/authentication.conf. To work around this, use an app's local directory instead of $SPLUNK_HOME/etc/system/local. (SPL-85036)

This documentation applies to the following versions of Splunk® Enterprise: 5.0.1

