Splunk® Enterprise

Release Notes

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

Publication date Defect Description
2014-18-11 Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Set your SSL version in the Securing Splunk Enterprise manual.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "About upgrading to 6.0 READ THIS FIRST" in the Installation Manual.

Publication date Defect Description
Pre-6.0.7 SPL-75354, SPL-75647 Opening saved searches for editing or running CLI searches are very slow. Workaround: disable fetch_remote_search_log in limits.conf.
Pre-6.0.7 SPL-73797 Bundle replication fails when serverName or search head pool GUID has a final segment containing only digits. This can affect users upgrading from pre 6.0.x versions of Splunk.
Pre-6.0.7 SPL-73386 Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:

1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Publication date Defect Description
2016-05-05 SPL-104727 Crashing thread: FSUpdaterThread - Indexer. Workaround is to remove the "fschangemanager_state" file.
2015-8-11 SPL-100269 Single event may get indexed as 2 separate events. To troubleshoot this, find the longest time the logger application will not update log file:
[monitor:///out/log/app_syslog/*]
    index=main
    sourcetype=syslog
    disabled = 0
    time_before_close = <Longest time the application is not going to update log file + 1>
Pre-6.0.7 SPL-79421 Modular inputs, including perfmon and WinEventLog inputs, are not passing the custom metadata fields (_meta or _TCP_ROUTING).
Pre-6.0.7 SPL-82811 Post Upgrade to Splunk 6.0 IIS log fail to index with TRUNCATE = 0
Pre-6.0.7 SPL-73826 Hostname override/Regex on path not working correctly for compressed file inputs on Windows.
Pre-6.0.7 SPL-74028 Running splunk list wmi doesn't show active WMI collections, but splunk cmd btool wmi list does.
Pre-6.0.7 SPL-74209 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.
Pre-6.0.7 SPL-73756 Splunk does not correctly determine the source type for Internet Information Server (IIS) version 7 or later automatically. To work around this issue, explicitly specify the IIS source type when defining your IIS input.

Charting, reporting, and visualization issues

Publication date Defect Description
Pre-6.0.7 SPL-81881 "In handler 'savedsearch': Error while dispatching search" may display due to searches being queued or could not run real time due to concurrency limits
Pre-6.0.7 SPL-73846 New reports are not displayed in the report list until you refresh the window.
Pre-6.0.7 SPL-73569 Pie maps do not have legend labels.

Index replication issues

Publication date Defect Description
Pre-6.0.7 SPL-70433 Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exists in the /etc/slave-apps, causing this warning.
Pre-6.0.7 SPL-82244 Unexpected duplicate app: _cluster caused due to password hashing
Pre-6.0.7 SPL-73968 If a peer is down while pushing a bundle, all peers will always restart.
Pre-6.0.7 SPL-65862 Master's cluster management page does not sort peer names correctly.
Pre-6.0.7 SPL-74253 Maintenance mode does not carry over across master restarts. To work around this issue, re-initiate maintenance mode after restarting the master.
Pre-6.0.7 SPL-71556 Cannot push bundles if the number of peers configured is below the replication factor.
Pre-6.0.7 SPL-72484, SPL-74103 Changing the server name on search head doesn't get reflected in the cluster master's cluster management page.
Pre-6.0.7 SPL-74001 Running splunk remove excess-buckets does not remove excess hot buckets.
Pre-6.0.7 SPL-63687 Clustering dashboard displays the removed peer list indefinitely.
Pre-6.0.7 SPL-73652 Running splunk offline -enforce-counts incorrectly fails to stop the peer and Splunk does not exit.
Pre-6.0.7 SPL-52901 Disabling clustering on a peer node and then attempting to re-enable it later causes hot buckets to be handled incorrectly, with the consequence that the peer cannot be added back into the cluster. This scenario occurs when you take an existing peer node and disable clustering on it (turning it into a standalone indexer), and then you subsequently re-enable clustering to turn it back into a peer on its original cluster. In this situation, any hot buckets that were created on the peer but not rolled when clustering was still enabled, will get rolled after you disable clustering and restart the indexer. At that point, they get marked as standalone buckets, since the indexer is no longer a peer. Those buckets, however, also exist on the remaining cluster as replicated buckets, since they were streamed to other peers while the indexer in question was still a peer. If you then re-enable clustering on the peer and restart it, the bucket conflict causes the peer to fail to register with the master.

Data model and Pivot issues

Publication date Defect Description
Pre-6.0.7 SPL-77054 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.
Pre-6.0.7 SPL-69772 If there are two or more models with the same name but in different apps, only one of them will be listed in the All Apps list.
Pre-6.0.7 SPL-74239 Accelerated data model disappears from list after permissions are changed.
Pre-6.0.7 SPL-74267 Edit buttons do not appear once permissions set to private for an accelerated data model.
Pre-6.0.7 SPL-73214 Items in the Edit drop-down menu stop working after permissions for a data model are changed to App/All Apps and then are set back to Owner. To work around this issue, exit the data model editor and start over.
Pre-6.0.7 SPL-74189 Constraints for two objects (Alerts and Summary Indexing Searches) in the sample data model Splunk's Internal Server Logs are wrong, so objects return 0 events.

Integrated PDF generation and PDF Report Server issues

Publication date Defect Description
Pre-6.0.7 SPL-66213 PDF Report Server App doesn't work with latest Xvfb. Workaround: install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos
Pre-6.0.7 SPL-60975 Alert emails sent in PDF result format have some info missing compared to text or csv results.
Pre-6.0.7 SPL-58744 If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line.
Pre-6.0.7 SPL-67491 Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used.
Pre-6.0.7 SPL-67268 Not able to export PDF if dashboard has no row or empty row.
Pre-6.0.7 SPL-73798 Generating a PDF of scheduled search with quotes in the title results in an error and no search results in the report.
Pre-6.0.7 SPL-73029 Heat maps aren't printed.

Search, saved search, alerting, scheduling, and job management issues

Publication date Defect Description
Pre-6.0.7 SPL-86599 When using search-head pooling, some email alert configurations from the alert_actions.conf are not applied, if they are in an app on the shared storage. Workaround, copy the configuration on the $SPLUNK_HOME/etc/system/local of each search-heads.
Pre-6.0.7 SPL-67642 reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated.
Pre-6.0.7 SPL-83129 Eval function strptime does not return results when 1970 date is used.
Pre-6.0.7 SPL-76798 The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x
Pre-6.0.7 SPL-74244 Drilldown on tstats output is incorrect and no error message is thrown.
Pre-6.0.7 SPL-67642 reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated.

Splunk Web and Home interface issues

Publication date Defect Description
Pre-6.0.7 SPL-92298 The URL made for workflow actions does not encode the field values properly. As a result, a field value with special characters in the URL (for example, ampersands) will result in incorrect values being passed.
Pre-6.0.7 SPL-81977 Upgrade an app from Manager -> Manage Apps return error: An error occurred while installing the app: 302. Workaround: download the app from splunkbase and install from file.
Pre-6.0.7 SPL-74243 When you try to select a cell in a table to copy the content, Splunk Web interprets the copy as a click and drills down.
Pre-6.0.7 SPL-73818 Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.
Pre-6.0.7 SPL-34123 The indexing status dashboard's Index health graph and Analysis of index bucket do not work for multiple indexes, only a single index.

Distributed deployment, forwarder, and deployment server issues

Publication date Defect Description
Pre-6.0.7 SPL-77905 "$SPLUNK_HOME/bin/splunk list deploy-clients" will only return up to 30 results.
Pre-6.0.7 SPL-78499 The splunkd.log file was growing quite large as every two minutes Deployment Server and Deployment Client were logging detail INFO logging. These level of detail should be moved to DEBUG.
Pre-6.0.7 SPL-75974 When you attempt to install the Splunk universal forwarder for Windows with the /quiet argument, it does not enable any Windows inputs. This is due to the fact that the Splunk Add-on for Windows, which is required to enable the inputs, does not install. To work around the issue, specify DISPLAY_WINDOWS_TA_DIALOG=1 in the installation command.
Pre-6.0.7 SPL-36597 Splunk startup script should handle stale PID files gracefully after server crashes.
Pre-6.0.7 SPL-64934 SSL compression settings in web.conf fail to disable compression and compression is turned OFF irrespective of useSplunkdClientSSLCompression setting in server.conf.
Pre-6.0.7 SPL-73737 Creating a server class via Splunk Web can time out with an error if there are many (<500) large (>5MB) apps.
Pre-6.0.7 SPL-71149 When a large number (>/=100) of users search concurrently on the same search head, some of them may see an error message about an unknown SID, and receive no results.
Pre-6.0.7 SPL-66453 Not all clients appear in the deployment server UI when they have the same host.
Pre-6.0.7 SPL-74220 High REST response times on search peers due to system resource contention cause user-facing search timeouts on search-head but fail to be reported on peers.
Pre-6.0.7 SPL-35308 Any app that updates its lookup table files can't be pushed out/managed using deployment server.
Pre-6.0.7 SPL-74427 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer.

Windows-specific issues

Publication date Defect Description
Pre-6.0.7 SPL-90932 WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This cause duplicated events. Do not use this option.
Pre-6.0.7 SPL-80630 The Windows Network Monitoring input does not work on 32-bit Windows systems.
Pre-6.0.7 SPL-81489 Version 6.0.2 of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether or not you disable the WINEVENT_*installation flags.
Pre-6.0.7 SPL-79842 Indexers don't accept new connections on the splunktcpin port even after a queue blockage has been resolved.
Pre-6.0.7 SPL-79009 The Splunk Windows universal forwarder does not forward Windows Event Log or performance monitor data to the correct indexer or forwarder group, as defined by the _TCP_ROUTING attribute in the inputs.conf stanza for the input. Other input types forward data properly.
Pre-6.0.7 SPL-75974 When you attempt to install the Splunk universal forwarder for Windows with the /quiet argument, it does not enable any Windows inputs. This is due to the fact that the Splunk Add-on for Windows, which is required to enable the inputs, does not install. To work around the issue, specify DISPLAY_WINDOWS_TA_DIALOG=1 in the installation command.
Pre-6.0.7 SPL-75116 If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.0 instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf.
Pre-6.0.7 SPL-73826 The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows.
Pre-6.0.7 SPL-40332 Splunk on Windows does not properly update or save lookup tables when it accesses them with a search.
Pre-6.0.7 SPL-74209 Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.
Pre-6.0.7 SPL-48342 LDAP authentication does not work on Windows over the IPv6 protocol.
Pre-6.0.7 SPL-73818 Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.
5-27-15 SPL-96573 For windows IIS log files, sourcetype is defined as iis but shows up as iis-2, iis-3, etc. The suggested workaround is to use sourcetype renaming.

REST, Simple XML, and Advanced XML issues

Publication date Defect Description
Pre-6.0.7 SPL-77989 Submit button in Simple xml will not re-run search without change to time-picker.
Pre-6.0.7 SPL-66700 The warmToColdScript property not supported by REST API.
Pre-6.0.7 SPL-73743 Setting charting.axisLabelsX.majorTickVisibility to hide does not work.
Pre-6.0.7 SPL-73835 Setting Rows Per Page causes empty panel in Events panel.
Pre-6.0.7 SPL-74151 Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
Pre-6.0.7 SPL-66511 Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.
Pre-6.0.7 SPL-74031 In Simple XML, an empty paragraph tag is injected into HTML blocks.
Pre-6.0.7 SPL-65124 Sorting as "asc" does not work for Dashboard of Panel Type: List.
Pre-6.0.7 SPL-64489, SPL-32852 HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events. _!--62-->
Pre-6.0.7 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

Web Framework issues

Publication date Defect Description
Pre-6.0.7 - If you don't set the "value" property when you first create a TimeRange view, you'll get an error if you try to change "earliest_time" and "latest_time" properties later.

Unsorted issues

Publication date Defect Description
2016-04-01 SPL-116844 The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. This might negatively affect apps, add-ons, or scripts that use the commands or reference the old working directory. See the README for more information on mitigating this issue.
Pre-6.0.7 SPL-85036 In $SPLUNK_HOME/etc/system/local/authentication.conf, roleMap's attributes are removed by command "splunk reload auth" or restarting Splunk when bindDNpassword is empty. A workaround is to use an app's local directory instead of $SPLUNK_HOME/etc/system/local.
Pre-6.0.7 SPL-78585 In the setting pages for the indexes list, the counter for the "Latest event" is not refreshing for events in the hot buckets.
Pre-6.0.7 SPL-71645 Report acceleration Summary folders (summaryHomePath) cannot be created if the homePath of the index is at the root of the filesystem, (homePath=D:\myindex or homePath=/myindex). The workaround is to create the folder manually.
Pre-6.0.7 SPL-74337 You cannot specify a destination folder when installing on OSX.
Pre-6.0.7 SPL-72484 Can't use the CLI to delete an index with a capital letter in its name.
Pre-6.0.7 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.
Pre-6.0.7 SPL-73636 If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day.
Pre-6.0.7 SPL-69304 If license slaves are running <6.0 version, they don't have the idx field and in the License Usage view, the split by index field will show a field named UNKNOWN.
Pre-6.0.7 SPL-51553 Bloomfilters are sometimes not created in bloomHomePath after restart.
Pre-6.0.7 SPL-43791 Splunk does not report server status correctly when there is a problem with SSL/TLS configuration.
Pre-6.0.7 SPL-38082 BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order.
Pre-6.0.7 SPL-90888 If a value in a field in a summary index has an "=" (equal) sign in it, applying a stats command will drop the equal sign
5-27-2015 SPL-80740 fill_summary_index.py script for back filling summary events runs its dedup search over all time; which may cause scalability concerns.
PREVIOUS
Meet Splunk Enterprise 6
  NEXT
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 6.0.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters