Splunk® Enterprise

Release Notes

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Splunk 5.0.3 was released on May 28, 2013.

The following issues have been resolved in this release of Splunk:

Resolved security issues

This version of Splunk addresses the following security vulnerabilities:

  • Reflected XSS in Splunk Web (SPL-59895, CVE-2012-6447)
  • Unquoted service path in universal forwarder on Windows (SPL-60250)
  • Plaintext recovery attack and DoS in OpenSSL 0.9.8x (SPL-61546)

For more information about these issues, refer to this listing on the Security Portal.

Resolved highlighted issues

  • Indexes and Data Inputs Manager pages time out with a "500 - internal server error" in environments where indexers hold many buckets in warm/hot directories, because of excessive response time for GET requests to the /services/admin/indexes endpoint. (SPL-61718)
  • Deployment server: 'splunk reload deploy-server' command causes Linux host to freeze. (SPL-62493, SPL-63795, SPL-62304, SPL-62021, SPL-67089)

Resolved data input issues

  • During upgrade, if a Splunk instance times out with the message, "Conf is currently being modified by process <some process ID>", run the command splunk clean locks on the instance and retry the upgrade. (SPL-60905)
  • In rare cases, a monitor input for rotating log files can result in log.* being completely re-indexed. (SPL-58862, SPL-64370)
  • Monitoring wildcards in the root directory, or Windows directories on UNIX, can cause data duplication. For example, [monitor:///logfile.log.*] or [monitor://c:\program files\something.*] on UNIX are not currently handled correctly. (SPL-55853, SPL-66464, SPL-63085)
  • Rotated file "*.log.{n}" is re-read entirely a few minutes after "*.log" is indexed, resulting in duplicate data. (SPL-56831)
  • For modular inputs, linebroken events larger than 4KB may be broken arbitrarily. (SPL-63685)
  • Restart while actively reading evtx files can cause Splunk to stop indexing that input. (SPL-61602)
  • Corruption in .data files leads to blocked indexing queue. (SPL-59600)
  • Batch inputs cannot index Windows Event logs. (SPL-64358)
  • MainTailingThread crash on AIX universal forwarder. (SPL-62864)

Resolved index replication issues

  • Using the delete operator on clustered data can potentially result in unintended events getting deleted. In most cases it will result in intended events not getting deleted. (SPL-56812)
  • When there are network issues between peers, lots of small buckets are created because the master continues to schedule replications to that peer. (SPL-56244, SPL-60092)
  • Message in splunkd.log on peer is confusing when the peer is disconnected from the replication port ("Received unexpected <n> byte message!") (SPL-56302)
  • splunkd.log gets spammed with "master is not enabled on this node" messages every second when you disable clustering on the master. (SPL-50709)
  • splunkd.log gets spammed with "INFO CMMasterHTTPProxy - updated genid=1 with guid=..." on search head and "CMSlave - event=writeBucketsToSearch" on peers. (SPL-64125)
  • splunkd.log is full of commitPendingGeneration messages. (SPL-63400)
  • Cluster master can crash with signal 11 in HTTPRequestHandlerThread shortly after an indexer-peer crashes. (SPL-59908, SPL-63310)
  • Frozen buckets are not handled properly after a master restart; the knowledge that a bucket has been frozen is not persisted and is lost if the master is restarted. (SPL-65100)
  • When pushing a new config to the cluster, the Cluster Master got stuck in a restart loop with one of the peers when that peer was out of commission. (SPL-63003)

Resolved search, saved search, alerting, scheduling, and job management issues

  • Searches that contain subsearches do not return data in environments where search heads are running version 5.0.x and indexers are running version 4.3.x. (SPL-62457)
  • Searches with subsearches that use the join command in environments where search heads are running 5.0.x and indexers are running 4.3.x return different data than environments with both search heads and indexers running 4.3.x. (SPL-59398)
  • The simultaneous running of many summary indexing searches that use the 'stash_new' command can result in namespace collision, which can cause errors in splunkd.log similar to "WARN FileClassifierManager - The file '/var/fflanda/splunk/var/spool/splunk/RMD5257b69c72240c88d_342014304.stash_new' is invalid. Reason: binary" and block summary indexing searches from running. To work around this issue, turn off binary checking by editing $SPLUNK_HOME/etc/local/props.conf and setting the value of NO_BINARY_CHECK=1 under the [stash_new] stanza. (SPL-59578)
  • Some new search objects (rtsearch command, and its objects) are not included in the CLI help yet. (SPL-56409)
  • Users with custom roles may receive a "Client is not authorized to perform requested action..." error when attempting to change permissions of their own saved searches. (SPL-58729)
  • In AutoKV prior to 5.0, an event that contained key value pairs encapsulated in double-quotes and included a trailing ' \ ' was treated as one value. Now, the backslash acts as an escape for the double-quote, causing AutoKV to consume everything up to the next double quote as part of the value. (SPL-58852)
  • Using the outputlookup command with append=true outputs inconsistent numbers of results. (SPL-63997)
  • Extremely slow start times when running searches on pooled search heads in Splunk Web. (SPL-63579)
  • Real-time search/alerts sometimes have unacceptable latency (>10 seconds). (SPL-60620, SPL-60376)
  • Search head returns double results from 4.3.2 indexers when using append command. (SPL-60049)
  • splunkd search consumes unreasonable amounts of memory when reading events with a large _raw. (SPL-57336)
  • Search performance issues after upgrading from 5.0.1. (SPL-65627)
  • Searching against summary index replaces fields that contain characters that are not in a-z, A-Z, and 0-9 ranges with an underscore (_). (SPL-58300)
  • rex command fails to update a multivalue field to a new single value. (SPL-64395)
  • No results while searching for terms that include %20. (SPL-64361)
  • Linear max lag increase for scheduled searches, possible connection with increases quota elapsed_ms. (SPL-62321)
  • Real Time Alerts not working consistently in 5.0.2. (SPL-62129)

Resolved Splunk Web and Manager interface issues

  • Tags created via Splunk Web of fields that include special characters are double-encoded in tags.conf and will not display correctly. (SPL-53510)
  • "Metadata results from this peer are incomplete: the peer has over 100000 entries" message in the summary dashboard in large environment. (SPL-58112)
  • Indexes and Data Inputs Manager pages time out because of excessive response time for GETs to /services/admin/indexes on indexers with many buckets in warm/hot directories. (SPL-61718)
  • "Your network connection may have been lost or Splunk web may be down." banner messages in Splunk Web on pooled search heads; Splunk Web becomes unresponsive. (SPL-63230)
  • Splunk Web becomes unresponsive due to cherrypy threadpool issue. "Splunkd daemon timed out" banner messages in Splunk Web. (SPL-66828)
  • Show source doesn't work when using srchFilter based on automatic lookup-generated field. (SPL-64388)
  • TSUM: manager page takes too long to load, which can lead to the Report Acceleration Summaries page displaying whitespace where the summary of searches should be displayed. (SPL-56252)

Resolved distributed deployment, forwarder, and deployment server issues

  • Different results for sub-searches when there is a mismatch of versions between search-heads (5.0.0, 5.0.1, 5.0.2) and search-peers (on older version 3.* or 4.*). (SPL-59398)
  • All users of the same search head can see app deletion messages. (SPL-65784)
  • Default search head pooling polling intervals are too aggressive for environments with a high number of users and become detrimental to performance. The values of poll.interval.check and poll.interval.rebuild have been raised to 1 minute each. (SPL-62772)

Resolved Windows-specific issues

  • If you tell Splunk to monitor a Windows Event Log (.evt or .evtx) file using a [monitor://] stanza in inputs.conf, then restart Splunk while it is reading the requested file, Splunk abandons reading that file further, only indexes the data collected from the part of the file it has already read, and mistakenly ignores the file as having been fully read later. (SPL-61602)
  • A problem with Splunk's Registry Monitor driver can cause the Splunk Registry monitor process (splunk-regmon.exe) to hang when you attempt to restart Splunk, thus preventing other Splunk services from restarting successfully. To fix the problem, you must reboot the server. (SPL-64212)
  • splunkd running on Windows runs out of ephemeral ports, resulting in "Splunkd daemon is not responding" errors in webservice.log. (SPL-60511)
  • Batch inputs cannot index Windows Event logs. (SPL-64358)

Resolved unsorted issues

  • Poor indexing performance paired with ERROR StreamGroup and ERROR STMgr in splunkd.log caused by null characters in configuration files. (SPL-58854)
  • The "quota" attribute for the licenser/pools REST endpoint is inconsistent between the XML and JSON outputs. (SPL-53124)
  • Splunk on AIX hangs on first time run. To work around this issue, add the following to $SPLUNK_HOME/etc/splunk-launch.conf: SPLUNK_IGNORE_ICU_TIMEZONES=1. Do not add this setting unless you are experiencing the hanging issue. (SPL-58929)
  • MainTailingThread crashes splunkd with a message that says 'Assertion failed: bytesToHash < 1048576' (SPL-58292, SPL-60604, SPL-67106, SPL-64104)
  • Splunkd.log of indexer/search peer is flooded with the benign message: WARN NetUtils - write failed with :32 (and/or :104). Workaround: in log.cfg, under [splunkd], set category.NetUtils = CRIT. (SPL-61961, SPL-63625)
  • Splunk Web crashes or becomes unresponsive when clicking Next link quickly in event list. (SPL-64911, SPL-65692)
  • Deleting an index that uses the volume setting causes splunkd to crash with "Crashing thread: indexerPipe". (SPL-60990)
  • Crash in HTTPRequestHandlerThread when Splunk is scanned by a security scanner. (SPL-60736, SPL-62334)
  • Crash in AsyncQueuedMessageDispatcher_connection_.... - assert_fail in PhoneHomeListener::handleMessage. (SPL-59477)
  • Overloaded disk (high iowait) causes logins to timeout. (SPL-59129)
  • splunkd is stopped after deleting index which has "homePath.maxDataSizeMB" parameter setting. (SPL-58345)
  • btool output needs to explicitly differentiate between repository locations. (SPL-57545)
  • SSL_ERROR on search head, searching halted due to insufficient entropy in random number generator in version of OpenSSL 0.9.8x. OpenSSL version upgraded to 0.9.8y. (SPL-63544, SPL-56723, SPL-64394)
  • Applying intentions failed 'rawargs' ERROR in the UI when drilling down in a search with | xmlkv; json spath drill-down does not work correctly. (SPL-66922, SPL-59671)
  • limits.conf.spec has two entries for use_dispatchtmp_dir. (SPL-65673)
  • REST always returns a result when in previous versions 0 results were returned. (SPL-64751)
  • Main splunkd crash > HTTPRestDispatcher > seg fault. (SPL-64378)
  • diag fails on Windows when Unicode files exist in $SPLUNK_HOME/etc. (SPL-63703)
  • ERROR HTTPServer - Exception in handleRequest Could not decode attribute errors in splunkd.log when license slaves lost communication with the master. (SPL-57540)
  • Repeated crash with assertion failure in _writeWithTimeout. (SPL-62009)
  • Spaces in userid (LDAP) cause spaces in SID. (SPL-61655)

This documentation applies to the following versions of Splunk® Enterprise: 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
