Splunk® Enterprise

Release Notes


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Known issues

The following are issues and workarounds for this version of Splunk.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

Publication date Defect Description
2014-18-11 Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure SSL versions in the Securing Splunk Enterprise manual.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "About upgrading to 5.0 READ THIS FIRST" in the Installation Manual.

Publication date Defect Description
Pre-5.0.11 SPL-75354, SPL-75647 Opening saved searches for editing or running CLI searches is very slow. Workaround: disable fetch_remote_search_log in limits.conf.
Pre-5.0.11 SPL-73797 Bundle replication fails when serverName or search head pool GUID has a final segment containing only digits. This can affect users upgrading from pre-6.0.x versions of Splunk.
Pre-5.0.11 SPL-73386 Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:

1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Publication date Defect Description
Pre-5.0.11 SPL-43865 When you add a CSV or IIS source type, Splunk appends -1, -2 and so on to the source type name.
Pre-5.0.11 SPL-37087 When specifying a monitor input with a wildcard at the root level in Windows, Splunk logs an error and fails to index the desired files.
Pre-5.0.11 SPL-31576 Two equivalent monitor entries with various spellings (for example, variations on slashes on Windows, use of .. expressions in paths) produce unpredictable behavior in overlapping cases.
Pre-5.0.11 SPL-23555 Monitor inputs that use the followTail setting sometimes index some older events, or all events, from log files that are updated, even when this is not intended.
Pre-5.0.11 SPL-33760 A trailing slash (\) on an inputs.conf monitor stanza belonging to the source attribute will corrupt the sources.data file and Splunk will not start.
Pre-5.0.11 SPL-55544, SPL-51167 Index names cannot contain uppercase (capital) letters.
Pre-5.0.11 SPL-56043 Cannot edit a scripted input containing backslashes in Manager on OS X.
Pre-5.0.11 SPL-47146 Can't edit a UDP input if the value includes a value in the 'restrict to host' field.
Pre-5.0.11 SPL-54816 Adding an input using the CLI results in different capital case in source name if you use monitor vs oneshot.

Charting issues

Publication date Defect Description
Pre-5.0.11 SPL-48439 Setting the "stack mode" changes the 'multi-series mode'.
Pre-5.0.11 SPL-52051 The majorUnit parameter is not supported in JSChart for time axes (it is supported for numeric axes), but usage of it in Simple XML does not automatically force the chart to display in Flash. Instead, Splunk ignores any manually defined majorUnit setting you provide. As a workaround, include another unsupported-by-JSChart property definition to force the chart to display in Flash with your majorUnit setting in place. For example, if you are trying to set a 1 hour major unit (using a tag like <option name="charting.axisLabelsX.majorUnit">P0Y0M0DT1H0M0S</option>), add <option name="charting.scaleX">1</option> to the Simple XML for the chart. This causes the chart to render correctly in Flash with the major unit displaying in 1 hour increments along the X axis.

Index replication issues

Publication date Defect Description
2015-8-11 SPL-103810 selectiveIndexing does not index events.
Pre-5.0.11 SPL-48149 A cluster master allows a slave with a duplicate guid to add itself to the cluster.
Pre-5.0.11 SPL-50000 Can only specify useACK=true from outputs.conf, not from Manager.
Pre-5.0.11 SPL-52430 When issuing a rolling restart, 'Failed to start search process' messages are written to splunkd.log.
Pre-5.0.11 SPL-53066 Required fields are not indicated in the index replication pages in Manager.
Pre-5.0.11 SPL-53091 An ugly error message is shown in Splunk Web when a peer fails to connect to the master.
Pre-5.0.11 SPL-55641 Changing an instance to master from peer in Splunk Web does not remove master_uri or replication_port from server.conf, although everything works.
Pre-5.0.11 SPL-56144 If you configure a cluster master with replication factor of n and configure fewer than n peers, peers are redirected to the configuration page even if it is fully configured, until at least n peers are configured.
Pre-5.0.11 SPL-52828 A node that has been re-added to the cluster (after failure) does not get searched.
Pre-5.0.11 SPL-54063 Piping a search to the delete operator is not applied to replicated copies if the primary peer fails right after the delete happens.
Pre-5.0.11 SPL-54805 Indexing a small amount of data on a peer with clustering disabled, then stopping the peer and enabling clustering on it, results in warnings in the peer's splunkd.log about 'status=skipping reason="could not get size for journal"', and the data is unsearchable until clustering is disabled on that peer.
Pre-5.0.11 SPL-55216 When the specified replication port is not available, there is no error message and splunkd will not start.
Pre-5.0.11 SPL-56172 The clustering manager dashboard loads more slowly if there are many buckets.
Pre-5.0.11 SPL-56179 Peers cannot add themselves to cluster if splunkd SSL is disabled on the master, or if the peers have SSL disabled and the master has it enabled.
Pre-5.0.11 SPL-54657, SPL-53447 When configuring clustering peer, a misconfiguration of server.conf (for example, configuring an instance as a peer when there is no master available) could cause splunkd to hang.
Pre-5.0.11 SPL-55532 When you deploy a cluster master with no peers or search head and do not add any within 2-3 minutes, a duplicate error "Received an empty peer list from the master" is displayed.
Pre-5.0.11 SPL-52901 Disabling clustering on a peer node and then attempting to re-enable it later causes hot buckets to be handled incorrectly, which means the peer cannot be added back into the cluster. This scenario occurs when you take an existing peer node and disable clustering on it (turning it into a standalone indexer), and then subsequently re-enable clustering to turn it back into a peer on its original cluster. In this situation, any hot buckets that were created on the peer but not rolled when clustering was still enabled will get rolled after you disable clustering and restart the indexer. At that point, they get marked as standalone buckets, since the indexer is no longer a peer. Those buckets also exist on the remaining cluster as replicated buckets, since they were streamed to other peers while the indexer in question was still a peer. If you then re-enable clustering on the peer and restart it, the bucket conflict causes the peer to fail to register with the master.
Pre-5.0.11 SPL-52062 Deleted files on a hot bucket exist only on the source peer and will be lost if the source peer goes down before rolling the bucket.
Pre-5.0.11 SPL-55972 During a rolling restart, the cluster master is showing indexes as unavailable for searching, despite having 2 of the 3 nodes available.
Pre-5.0.11 SPL-60897 If you disable a set of cluster peers and then run a distributed search across the now standalone set of indexers, you will get duplicate events.

Integrated PDF generation issues

Publication date Defect Description
Pre-5.0.11 SPL-74353 Firefox on Windows does not render chart panels in PDF. To work around this problem:

1. Install a free PDF reader if one is not installed already (http://get.adobe.com/reader/).

2. Go to Firefox -> Options -> Applications.

3. Set Adobe Reader as the default app for rendering PDF documents.

Pre-5.0.11 SPL-73029 Heat maps aren't printed.
Pre-5.0.11 SPL-48437 Split multi-series mode charts don't print to PDF.
Pre-5.0.11 SPL-48517 Shiny-type gauges display as minimal-style gauges in PDF printouts.
Pre-5.0.11 SPL-54782 Panel names that have words that are too long to wrap extend off the side of the page.
Pre-5.0.11 SPL-48566 PDF charts do not use the same colors as are used in the onscreen charts, and are inconsistent for a given field from panel to panel.

Report acceleration issues

Publication date Defect Description
Pre-5.0.11 SPL-55558 The breadcrumb trail for the Report Acceleration page in Manager always links back to the Search app instead of respecting app context.
Pre-5.0.11 SPL-56319 The Report Acceleration Summary page shows the same accelerated search created by both Admin and Power users on different lines.

Search, saved search, alerting, scheduling, and job management issues

Publication date Defect Description
Pre-5.0.11 SPL-78110 In a distributed search environment, the "reverse" search command returns records out of order.
Pre-5.0.11 SPL-67642 When a search uses reverse and the original search returns more than 1000 events, clicking on the bucket in the flashtimeline shows no events, because all the events after the first 1000 events are truncated.
Pre-5.0.11 SPL-79341 Silent failure: no warning is recorded when a shared scheduled search's scheduled time changes to None because the owner/user was deleted.
Pre-5.0.11 SPL-45787 Modifying _time in a subsearch may result in an incorrect number of events being returned. There is no warning or error message in the logs, either. A workaround is to use the main search if the _time value needs to be modified.
Pre-5.0.11 SPL-63698 Saved search stanzas that are bigger than 4K will increase the load time of an app. To work around this issue, split saved searches into multiple apps.
Pre-5.0.11 SPL-56028 The values of date_* fields, such as date_hour, are based on UTC; these fields are not timezone-aware. Do not use these fields if you are searching events in a non-UTC timezone.
Pre-5.0.11 SPL-46970 Sharing a previously private scheduled summary index-populating search in a search head pooling environment may result in duplicate runs of the search and therefore duplicate data.
Pre-5.0.11 SPL-46765 Using the spath command fails if a field was added from the search assistant.
Pre-5.0.11 SPL-51772 strptime() conversions that use a timeformat string ending in "%H" do not work because Splunk interprets missing minutes as not matching the regex. To work around this issue, use %H:00 with strftime and %H:%M with strptime.
Pre-5.0.11 SPL-53157 Creating a realtime backfill saved search in savedsearches.conf does not happen if default_backfill = false in limits.conf.
Pre-5.0.11 SPL-53458 When using the tscollect command, if the string specified for namespace includes single quotes, they will be included in the name of the folder created on the filesystem, although double quotes do not have this problem.
Pre-5.0.11 SPL-54355 When adding a pre-existing shared saved search to a dashboard, users can't save the dashboard and can't edit the name of the existing saved search.
Pre-5.0.11 SPL-45760 In IE, when clicking on a dashboard (created by a very long search) and when taken to the flashtimeline, the search is not whole and it is broken.
Pre-5.0.11 SPL-54924 When starting from a saved search, changing the search string and pressing the search button doesn't clear the module context, and you get errors like "Search cloned false ID".
Pre-5.0.11 SPL-48546 The search assistant doesn't complete commands where the cursor is but instead replaces the last part of the search command.
Pre-5.0.11 SPL-54951 The search assistant continues to return values present only in deleted data.
Pre-5.0.11 SPL-56393 Time range validation in the Edit Search dialog incorrectly complains about latest time when it is validating earliest time, even if there is no error. To work around this issue, use epoch time format.

Splunk Web and Manager interface issues

Publication date Defect Description
Pre-5.0.11 SPL-73413 If the session timeout (Manager > System Settings > General Settings) is set to less than 60 seconds, the Splunk Web login page displays a "Your session has expired" warning message.
Pre-5.0.11 SPL-59089 In IE6, drilling down and then hitting the Back button on the browser can cause dropdowns to not work or the search in question to use incorrect values for source type.
Pre-5.0.11 SPL-36241, SPL-51601 If you upload a lookup table file (Manager > Lookups > Lookup tables files) and then try to configure a new lookup definition (Manager > Lookups > Lookup definitions > Add new), you may not be able to select the file. There are two workarounds. First, you can upload the file again, starting in the destination app context. For example, to upload it to the search app, make sure you start from the search app. Second, if the file is already uploaded, change the file's permission so that it is global. For example, in the permissions view, under "Object appears" select "All apps".
Pre-5.0.11 SPL-34123 The indexing status dashboard's "Index health" graph and "Analysis of index bucket" do not work for multiple indexes, only a single index.
Pre-5.0.11 SPL-52004 When you edit a dashboard using the Visualization Editor, any comment tags you had in your XML may be re-arranged.
Pre-5.0.11 SPL-46211 When you zoom several times, charts do not resize correctly when toggled into edit mode.
Pre-5.0.11 SPL-51024 If you misconfigure an LDAP strategy in authentication.conf, you can't fix it in Manager.
Pre-5.0.11 SPL-55858, SPL-55770 If you change the value in "Path to indexes" (Manager > System Settings > General Settings), you must use the CLI to restart Splunk. If you restart from within Manager, the change will not take effect.

Distributed deployment, forwarder, and deployment server issues

Publication date Defect Description

Security Issues

Publication date Defect Description
2016-04-01 SPL-116844 The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. This might negatively affect apps, add-ons, or scripts that use the commands or reference the old working directory. See the README for more information on mitigating this issue.
2015-05-05 SPL-111484 Crash in Main Tailing Thread AIX. To resolve this, increase the ulimits on the forwarders.
2015-8-11 SPL-102830 Remove Unused Flash Sound Component.
2015-8-11 SPL-103047 Updated OpenSSL to 0.9.8gz.
2015-8-11 SPL-102133 XSS in PDF Generation by passing invalid arguments on IE6 and IE7.

For a full list of security issues, see the Security Advisory. A list of all recent advisories can be found in the Security Portal.

Other issues

Publication date Defect Description
Pre-5.0.11 SPL-65575 A [pooling] stanza in the /etc/system/local directory can cause the mounted bundle on a search peer/indexer to fail.
Pre-5.0.11 SPL-36597 Splunk startup script should handle stale PID files gracefully after server crashes.
Pre-5.0.11 SPL-35308 Any app that updates its lookup table files can't be pushed out/managed using deployment server.
Pre-5.0.11 SPL-26529 When transferring configuration files from one system to another, you must either bring along your splunk.secret, or revert your hashed fields to cleartext.
Pre-5.0.11 SPL-30065 Deployment server does not deploy apps whose names include non-ASCII characters. To work around this issue, you can rename the app on the client side after it has been deployed.
Pre-5.0.11 SPL-28471 Splunk Web is unreachable if an enabled deployment server in the same instance cannot access DNS.
Pre-5.0.11 SPL-56188 The dbinspect command only allows for information on the local server and does not work in the context of distributed search.
Pre-5.0.11 SPL-55827 The splunk list forward-server command does not indicate (ssl) when using common settings under default group.
Pre-5.0.11 SPL-38182 The universal forwarder fails to recognize that indexes should be remote when being specified via CLI. To work around this, specify the destination index manually in inputs.conf.

Windows-specific issues

Publication date Defect Description
Pre-5.0.11 SPL-70533 On Windows hosts with multiple CPUs, Splunk's performance monitor does not return values of greater than 100 for the % Processor Time counter, even though the counter itself might be returning greater values.
Pre-5.0.11 SPL-65186 Splunk is not able to delete indexes specified in indexes.conf if you specify non-native directory separators ("/" instead of the correct "\" on Windows) in the path specifier attributes for the index (such as homePath or coldPath). To work around the problem, edit indexes.conf and change the path specifiers to be "\" instead of "/".
Pre-5.0.11 - When you perform network-intensive activities in Splunk on Windows, such as running an app that invokes more than six concurrent real-time search requests, or configuring a deployment client to point to a deployment server which is on the same computer, the system could become inaccessible from the network within a period of 8 to 12 hours, or as long as 2 to 3 days, depending on the amount of network activity. For additional information on how to work around this problem, read "Workaround for network accessibility issues on Splunk Windows systems under certain conditions" in this manual.
Pre-5.0.11 SPL-59089 In Internet Explorer 6, if you click the "Back" button after drilling down into a chart or dashboard, some dropdowns in the chart can subsequently stop working. Additionally, the search that supports the chart can use incorrect values for the source type.
Pre-5.0.11 SPL-56946 If Splunk's Active Directory monitor encounters any kind of network error when communicating with a domain controller (DC) during the process of monitoring it, the active directory monitor terminates the offending thread, and no longer monitors that DC until Splunk relaunches Active Directory monitoring at the next monitoring interval. To work around this problem, install a universal forwarder on to each DC you want to monitor.
Pre-5.0.11 SPL-51303 The Windows universal forwarder does not automatically extract the date_* fields from Windows events. To work around this problem, use a search-time extraction on the indexer.
Pre-5.0.11 SPL-45590 The universal forwarder installer on Windows does not copy certificates from Windows/Samba shared directories.
Pre-5.0.11 SPL-42212 Splunk does not pass a warning message when it tries to index a corrupt or invalid gzip file on Windows.
Pre-5.0.11 SPL-29111 Splunk does not correctly set timestamps for comment lines in W3C-compliant (Internet Information Server (IIS) and Exchange) log files.
Pre-5.0.11 SPL-40354 In Internet Explorer, Splunk Web does not properly display multi-lined events preceded with spaces (such as Windows Event log events, WMI events or XML). To work around this, turn off "Wrap results" in the Options menu.
Pre-5.0.11 SPL-40332 Splunk on Windows does not properly update or save lookup tables when it accesses them with a search.
Pre-5.0.11 SPL-54836 If you upgrade a universal forwarder on Windows multiple times, the installer adds multiple universal forwarder items in the Windows "Installed programs" list.
Pre-5.0.11 SPL-43913 Splunk does not capture Registry events that occur within the first 30 seconds of either starting Registry Monitor or creation of a new Registry key, due to Registry Monitor's initialization lag.
Pre-5.0.11 SPL-48342 LDAP authentication does not work on Windows over the IPv6 protocol.
Pre-5.0.11 SPL-52403 If you specify an incorrect WMI Query Language (WQL) parameter in wmi.conf on a forwarder, the forwarder doesn't send any WMI data, even data retrieved from correct WQL queries elsewhere in the wmi.conf file.
Pre-5.0.11 SPL-53796 If you abort an upgrade by clicking the "Cancel" button to exit the installer, you then cannot roll back the upgrade later.
Pre-5.0.11 SPL-54615 Splunk's universal forwarder installer improperly ignores the PERFMON and MONITOR_PATH installation flags when you install it from the command line using msiexec /i.
Pre-5.0.11 SPL-56016 When you run the diag command, Splunk generates an "Error duping file" message. Splunk creates the diag file properly, however.
Pre-5.0.11 SPL-53796 If the Splunk installer cannot start its pre-flight checks during an upgrade, it improperly rolls back the upgrade, resulting in missing files in the %SPLUNK_HOME%\bin directory. Index files are not affected.

Unsorted issues

Publication date Defect Description
Pre-5.0.11 SPL-85036 In $SPLUNK_HOME/etc/system/local/authentication.conf, roleMap's attributes are removed by command "splunk reload auth" or restarting Splunk when bindDNpassword is empty. A workaround is to use an app's local directory instead of $SPLUNK_HOME/etc/system/local.
Pre-5.0.11 SPL-66213 PDF Report Server App doesn't work with the latest Xvfb. Workaround: install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos.
Pre-5.0.11 SPL-72543 The migration.conf file does not have a spec or example file and is missing from the configuration file reference. This file stores a manifest of all the migration steps performed on the instance.
Pre-5.0.11 SPL-43264 When you install Splunk on Ubuntu using the Ubuntu Software Center and the .deb package, Ubuntu displays an error message that the package is of bad quality. Workaround: install using the .tgz file.
Pre-5.0.11 SPL-43791 Splunk does not report server status correctly when there is a problem with SSL/TLS configuration.
Pre-5.0.11 SPL-38082 BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order.
Pre-5.0.11 SPL-36819 When starting Splunk, if there happens to be a duplicate bucket ID (same ID in both warm and hot DB), splunkd will crash due to an uncaught DatabaseDirectoryManagerException exception.
Pre-5.0.11 SPL-50742 The $SPLUNK_HOME/bin/bloom utility is unsupported and creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility.
Pre-5.0.11 SPL-57181 Simple XML form searches using the populatingSavedSearch parameter will fail if any whitespace characters are present before and/or after the saved search name.
Pre-5.0.11 SPL-47926 When exporting events, time bounds are not respected if you have run the original event-generating search against a wider timerange.
Pre-5.0.11 SPL-53277 Treeviewer does not detect change of AD structure.
Pre-5.0.11 SPL-55567 The results_preview REST endpoint reports preview=0 when there are no results even if the job is still running.
Pre-5.0.11 SPL-55858 Changing the value of SPLUNK_DB and restarting from Manager does not respect the SPLUNK_DB change, whereas restarting from the commandline does.
Pre-5.0.11 SPL-51799 JSON output for events, results, and results_preview does not seem to respect segmentation=full.
Pre-5.0.11 SPL-50391 When you update an endpoint (for example, by a POST to apps/local/{name}), some endpoints return the updated entity (i.e. echo) and some don't.

This documentation applies to the following versions of Splunk® Enterprise: 5.0.17, 5.0.18
