Splunk® Enterprise

Release Notes

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

5.0.2

Splunk 5.0.2 was released on February 6, 2013.


The following issues have been resolved in this release of Splunk:

Resolved highlighted issues

  • Significant increase in indexer latency and reduction in throughput of up to 75% related to execution of MaxDataSize settings in indexes.conf, which can result in the indexer(s) refusing forwarder connections. This issue is more likely to manifest in deployments with slower storage volumes. (SPL-58689)
  • A 500 Internal Server Error is displayed when using Manager to edit or create a saved search, add a data input, list or edit indexes, or edit user roles. (SPL-58872, SPL-58650).

Resolved data input issues

  • In Australia, with devices set to Australia/Sydney (Australia Eastern), logs get generated as 11/16/11 10:30:00 EST, and Splunk (or the machine) interprets EST as US Eastern. (SPL-56076)
  • WARNs about "Endpoint has not specified a type for val=auto, will return this as a string in JSON API." in splunkd.log when adding an index via the CLI. (SPL-53640)
  • Indexer throttled and indexing paused with "...too many tsidx files in bucket=* Is splunk-optimize working? if not, low disk space may be the cause..." message displayed in Splunk Web. (SPL-58922)
  • Indexing processor spends too much time hot bucket metadata files, resulting in slowed indexer performance. (SPL-58859)
  • Indexed host name will become "$decideOnStartup" when uploading data via Splunk Web. (SPL-57073)
  • Summary index fields that contain characters that are not in a-z, A-Z, and 0-9 ranges are replaced with an underscore (_). (SPL-58300)
  • Scripted inputs defined in Manager do not work with search head pooling configurations. (SPL-57429)
  • splunk-admon.exe consumes excessive amount of memory. (SPL-57409)
  • Cannot update fields in a disabled index. (SPL-56752)
  • A warning should be issued when indexes are set to write to a volume's path without referencing the volume in homePath or coldPath. (SPL-56031)

Resolved charting issues

  • The "Edit report" link is missing when you load a saved report from Splunk Web. (SPL-59182)
  • JSChart should choose _time as the x-axis field even if it is not the first field in the results. (SPL-56805)

Resolved index replication issues

  • Rename the 'cluster' special app to '_cluster', which is more indicative of its special nature and migration requirements. (SPL-57536)
  • Allow multiple apps to be pushed onto peers from master-apps. Refer to this topic in Managing Indexers and Clusters for information on cluster app limitations. (SPL-57373)
  • Replication connection failures show up as "WARN BucketReplicator - Failed to replicate warm bucket" in splunkd.log (but the bucket is still replicated). (SPL-55413)
  • Setting sslVerifyServerCert=true is not being picked up and no validation takes place when clients are replicated. (SPL-56368)
  • The splunk list cluster-master-generation command does not list peer list for generation. (SPL-53096)
  • Clustering peers get stuck at the license agreement prompt when restarting the first time after an upgrade if you run a rolling restart. (SPL-52871)
  • If an invalid active bundle exists on the master, slave keeps downloading it every second and spams splunkd.log. (SPL-51320)
  • Lots of "Examining bucket" debug messages in web_service.log when viewing index replication dashboard. (SPL-56240)
  • "A splunktcp forwarder port is not configured in inputs.conf" error message appears on forwarder/search head/master when it should only appear on the affected slave. (SPL-56019)
  • Crash in ReplicationDataReceiverThread, no space left on disk. (SPL-56817)
  • Searching directly on a slave only works on searchable & primary bucket. (SPL-57197)
  • Running ./splunk edit cluster-config does not allow 'max_peer_build_load' and 'max_peer_rep_load' to be edited. (SPL-57193, SPL-56665)
  • Peer unable to handle failed replication (reason: state mismatch for bucket status on target, actual=Complete expected=NonStreamingTarget). (SPL-56671)
  • If a primary peer's connection is interrupted and the master node is restarted before it comes back up, another peer can be designated the primary, which causes problems when the original primary peer comes back up. (SPL-56515)
  • Off by one error for max outstanding build jobs parameter (we allow 6 when max is set to 5). (SPL-56246)
  • Deletes not handled properly on buckets that are already searchable if the peer from which the events were deleted fails. (SPL-51974, SPL-58208)
  • CLI help for index replication topics is missing. (SPL-57455)
  • Shutting down a peer can hang/time out if the master is down. (SPL-57144)
  • Running splunk list peer-buckets and cluster-buckets commands fail to to display all buckets. (SPL-56104)
  • A peer shouldn't be green/searchable when status is pending. (SPL-55876)
  • The default value of max_peer_build_load in server.conf.spec is incorrectly stated as 5, should be 2. (SPL-56640)

Resolved integrated PDF generation issues

  • When a PDF is generated of a dashboard that includes one or more panels with table visualizations, it's possible that the PDF versions of the tables will include columns for fields that are not seen in the original dashboard tables. The PDF table columns may also appear in a different order than they do in the original dashboard tables. Splunk adds any field in the original stats results of the search to the PDF version of a table, even if the field is restricted from showing in the original dashboard table by the dashboard XML. (SPL-56255)
  • PDF wizard uses "admin_xxxx" name for non-English dashboards. (SPL-56279)
  • Row numbers are missing in PDF of simple results tables. (SPL-56248)
  • PDF generation does not work on HPUX or the PowerPC architecture. (SPL-56049)
  • Rendering reports broken with error referencing "searchFieldList". (SPL-56809)
  • Print to PDF doesn't include panels that have an ampersand (&) character in the title. (SPL-57419)
  • When on non-x86 system, if a remote report server is available, we should be using that. Otherwise, no PDF support should be provided. (SPL-57359)
  • If you create a search in manager with an email alert for pdf results (or edit an existing search to add pdf) you get only csv. (SPL-58921)
  • When disabled, the Generate PDF button still responds to clicks. (SPL-58231)
  • Sparklines can sometimes extend off the right side of a table. (SPL-58207)
  • PDF report should not print empty charts when there are no results. (SPL-56189)

Resolved report acceleration issues

  • In Manager, report names appearing on the Report Acceleration Summaries and Report Acceleration Summary Details pages (under Reports using this summary) may be followed by a period. (SPL-56540)
  • Under very specific conditions Splunk can erroneously summarize data in a manner that causes subtle charting errors. This happens when you accelerate a search with an unbounded time range (earliest and/or latest time not set) and a timechart without an explicit span setting. (SPL-56001)
  • Numeric calculations in prestats mode don't emit precision. (SPL-56070)
  • When you switch to Free and then create a summarization (which is not supported in Free), the following error is shown "TSUM: LicenseRestriction: [HTTP 402] Current license does not allow the requested action" (SPL-56339)
  • If two summaries from searches in two different apps have the same hash, the link to each of them in Manager goes to the same search. (SPL-56040)
  • Status of a summary is always pending unless it's building. (SPL-56451)
  • Show source fails intermittently with "DispatchSearch - Could not find target event on the remote server, unable to form the proper distributed search". (SPL-55970)
  • The values() command doesn't work in non-prestats mode. (SPL-56081)
  • Configured namespace data is not cleaned when running ./splunk clean all. (SPL-55894)

Resolved search, saved search, alerting, scheduling, and job management issues

  • Killed or otherwise 'zombie' search jobs are not flagged as such in Splunk Web, and are displayed differently on different tabs. (SPL-54026)
  • Summary index file header gets indexed when using the collect command. (SPL-58176)
  • Searches do not match with numeric values for indexed fields with uppercase characters. (* Searches do not match with numeric values for indexed fields with uppercase characters. (SPL-60142)
  • Searches using _indextime consume large amounts of RAM. (SPL-58601)
  • Using loadjob on a large search artifact can use a large amount of memory. Loadjob now handles the data on disk instead of in memory, however, for large artifacts access performance may be reduced. (SPL-58653)
  • Searches can time out when fetching full events due to remote timelining where the search head->indexer connection is unstable. (SPL-57454)
  • Running a timechart command with the span option, such as "index=_internal | timechart span=1h count by clientip" returns the error "Error in 'bin' command: Option 'span' should not be specified more than once." (SPL-57184)
  • Sorting in postprocess search broken for more than 50k results. (SPL-56641)
  • Scheduled RT search creates too many preview dispatch directories. (SPL-57584)
  • Using the name option with a value of "*" in the summary indexing backfill script will not capture any searches with criteria: are enabled, scheduled, and has summary indexing action. (SPL-56841)
  • No way to make a saved search use action.email.inline=1 from Manager. (SPL-56830)
  • Setting [searchresults] max_mem_usage_mb in limits.conf improperly overrides maxresultrows. (SPL-56815)
  • Search queued message shown even afte the search starts running. (SPL-56433, SPL-56435)

Resolved Splunk Web and Manager interface issues

  • The "Edit report" link is missing when you load a saved report from Splunk Web. (SPL-59182)
  • Restart Splunk link is broken in Chinese Splunk Web. (SPL-49823)
  • The Send to background button tooltip is truncated. (SPL-58426)
  • Strings in the App dropdown are not localized in Manager pages. (SPL-57403)
  • Changing the source type setting for any input in Manager is not saved. (SPL-57022)
  • Uploading a lookup file in manager fails with "Encountered the following error while trying to save: In handler 'lookup-table-files': Source file is outside of staging area". (SPL-56835)
  • Error "ERROR AdminManager - Invalid Link hostname" when adding port value to link hostame under Manager » System settings » Email alert settings. (SPL-56833)
  • Edit dashboard options not localized in Splunk Web. (SPL-56484)
  • Strings in Field Picker are not localized. (SPL-56207)
  • "Save & share results" is not localized. (SPL-56204)

Resolved Windows-specific issues

  • On Windows 8 and Windows Server 2012, nothing happens when you click on the "Browse Server" button when adding files or directories to monitor from the "Add data" wizard page. This is due to an issue with Internet Explorer 10, which comes with these operating systems. (SPL-55994)
  • Performance monitor (perfmon) stanzas not created in inputs.conf on fresh install of universal forwarder. (SPL-57560)
  • Indexes defined on Windows as volumes with forward slashes cause Splunk to fail to restart. (SPL-56868, SPL-56832)
  • Windows server 2008 R2 VM crashes w/blue screen when pre-installed (as a system image) splunkd service starts on first boot. (SPL-56861)
  • Changing the case of a hive name causes regmon to re-checkpoint. (SPL-37647)
  • Data successfully forwarded and indexed but forwarder's splunkd.log fills with this one-line message: "ERROR SQLitePersistentStorageImpl - [] Error inserting _pInsertStatement in SQLitePersistentStorageImpl::write: SQL logic error or missing database" This is a benign error. Disable this module's logging by adding the following entry to a new or existing %SPLUNK_HOME%\etc\log-local.cfg and restart Splunk: for the [splunkd] stanza add entry: category.SQLitePersistentStorageImpl = FATAL Restart Splunk. (SPL-61702)

Resolved unsorted issues

  • Splunk can experience intermittent crashes in different threads on AIX due to a unresolved gcc bug in AIX. (SPL-49004)
  • On startup splunkd says "My newly generated GUID is X", then "My newly generated GUID is Y", X ≠ Y. (SPL-57592)
  • Errors on startup about "Possible typo in stanza [distributedSearch]" due to removal of invalid parameter. (SPL-57577, SPL-58095)
  • CLI command error: 'local-index' is not a valid argument for the 'enable/disable/display' command. (SPL-57501)
  • CLI command error: 'jobs' is not a valid argument for the 'list' command. (SPL-57500)
  • The diag command should not include tsidxstats files. (SPL-57543)
  • External REST handlers can't handle unicode. (SPL-57103)
  • When an index has been disabled, but splunkd hasn't yet been restarted (as is required), a REST request to delete it should return a clearer error message. (SPL-56819)
  • btool inputs list ignores --dir argument, returns results from live instance. (SPL-56626)
  • After configuring a new universal forwarder, the splunk list forward-server sometimes takes a short while to list correct forward server status. (SPL-55793)
  • If you create a dropdown with a populating search where the results include a back-slash, you cannot then use that token in a search. (SPL-58362)
  • Setting phoneHomeIntervalInSecs on a Linux deployment client to a high number (10 minutes) causes client to not download updated changes from deployment server. (SPL-57589)
  • In dynamic drilldown, Japanese characters are passed as UTF-16, expected UTF-8. (SPL-57534)
  • Text fields ignore seed value in simple XML. (SPL-57532)
  • Email alert sent, but no warning in the logs or scripted alerts when a search peer is missing. (SPL-57391)
  • Splunk's bin/python doesn't start up on HP/UX 11.11i machines without /dev/urandom. (SPL-57317)
  • Crash in TcpOutEloop thread during shutdown. (SPL-56875)
  • License slave master-uri incorrectly parsed with a trailing slash. (SPL-56836)
  • Rebuilding archived bucket throws error ERROR - Error opening <bucket> The process cannot access the file because it is being used by another process. (SPL-56834)
  • Username with embedded space running existing saved search fails with 404 error in SimpleResultsTable module. (SPL-56587)
  • Splunk diag fails to exclude files with --exclude command in universal forwarder. (SPL-56399)
  • " WARN AdminManager - Endpoint has not specified a type for val=openLDAP" errors in splunkd.log when mapping LDAP groups via Splunk Web. (SPL-55928)
  • Splunk lacks date parser support for AM/PM for Japanese and Korean. (SPL-55733)
  • The default outputs.conf/forwardedindex blacklist targeting _internal make no sense for a search head. (SPL-52440)
  • When provided with an invalid value for the 'count' argument, the 'rest' search command produces an error that does not correctly explain what the expected value for 'count' should be. (SPL-57148)
PREVIOUS
Changelog for 5.0.3
  NEXT
5.0.1

This documentation applies to the following versions of Splunk® Enterprise: 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters