Splunk® Enterprise

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

6.0.6

Splunk 6.0.6 was released on September 3, 2014.

The following issues have been resolved in this release:

Highlighted issues

  • Upgrade OpenSSL to 1.0.1i. ( SPL-88587)
  • Cross-site Scripting vulnerability - Splunk fails to properly sanitize users-supplied input. (SPL-85360)

Indexer issues

  • BucketMover gives incorrectly provides frozen bucket error. (SPL-83022)
  • splunkd generates warning messages incorrectly during shutdown. (SPL-84579)
  • Updates to indexes.conf not being applied without restart. (SPL-86305)

Windows-specific issues

  • splunk-optimize crashes on Windows. (SPL-84551)
  • conf-mutator.pid lacks cleanup strategy for crashes with PID-collision. (SPL-85226)
  • Installation of Windows Universal Forwarder 6.0 or later under Windows 2003 32-bit, can fail with the following messages: "Splunk Installer was unable to launch Splunk's First Time Run. Error Code 1" or "Splunk Installer was unable to launch Splunk's Pre Flight Checks. Error Code: -1073741795". Workaround: install earlier Windows UF 5.0.8. (SPL-83043)
  • Splunk uses different python Installation. (SPL-82675)
  • On Windows 2003 Server (32bit), events are not sent to indexer after migration for upgrade from 6.0.1 Universal Forwarder to 6.0.4 Universal Forwarder. (SPL-83947)

Distributed deployment, forwarder, and deployment server issues

  • Pushing large cluster bundles that do not complete before the default timeout may result in the bundle not getting set to an Active status. Running “$SPLUNK_HOME/bin/splunk show cluster-bundle-status” shows the Latest and Active bundles are different even hours later. Cluster Master’s splunkd.log entry: “-0700 ERROR ClusterMasterPeerHandler - Cannot add peer=xxx.xxx.xxx.xxx mgmtport=8089 (reason: non-zero pending job count=2075)” and Cluster peer’s splunkd.log: “-0700 WARN CMSlave - handleHeartbeatDone: successful heartbeat and re-add not received but proxy is in disconnected state. Forcing re-add.” (SPL-83316)
  • Crashes in a DS+SH instance at FreeHeap. (SPL-84530)
  • Main splunkd stops responding unexpectedly SPL-84993
  • After deleting and re-adding an existing peer to a search head, a new remote connection is not attempted. (SPL-84931)

Search

  • DispatchSearch warns of exceeding a certain object count but fails to identify the object in question and the configuration setting in scope. (SPL-83823)
  • Search head crashes on "AlertNotifierWorker" Thread. (SPL-83964)
  • "Unknown sid" when doing search which return large amount of events. (SPL-84141)
  • Searches that are created with spaces in the name are not properly fetched. (SPL-84391)
  • Intermittent 'File not found’ browser error when trying to export very large result set (eg. 700K) to .csv file. )SPL-84894)
  • Splunk autoKV is incapable of handling user data with leading/trailing whitespace in fields. (SPL-79644)
  • Error "The process cannot access the file because it is being used by another process" in splunkd.log in reference to dispatch search.log. Error does not affect search. (SPL-82288)
  • remote_timeline_fetchall = 1 in limits.conf causes searches spending long time in Finalizing status. (SPL-82385)
  • Incomplete interesting fields list in the search dashboard with timeliner. (SPL-82522)
  • Field Extraction does not work after upgrading search head to 6.0.2 from 4.3.7. (SPL-82607)
  • DispatchSearch warns of exceeding a certain object count but fails to identify the object in question and the conf setting in scope. (SPL-83823)
  • Cluster search command does not return cluster_count by default. (SPL-83560)
  • Improve handling "unknown sid" error on the search page. (SPL-83001)
  • Splunk Search causes memory spikes followed by splunkd crash. (SPL-82869)

Clustering Issues

  • If peers don't return bundle status due to download/network issues, but re-add themselves, the master is stuck infinitely on a bundle push. (SPL-84891)
  • Cluster master configuration bundle push through Splunk Web lists wrong number of peers. (SPL-85674)
  • When using macros in event type in a Distributed Cluster environment, error: "Error in 'SearchParser': Could not find macro 'Michal_test' that takes 0 arguments." (SPL-86935)
  • [splunktcp://<port>] input does not inherit default setting "connection_host = ip" from [splunktcpin] stanza, leads to intermittent forwarder connection timeouts. (SPL-84550/SPL-85899).
  • AckQ causes permanent data stall when a single pData is larger than entire AckQ size. (SPL-82109)

Alerting Issues

  • Pooled search-head does not honor mail server defined in alert_actions.conf. (SPL-85809)

Input Issues

  • Universal Forwarder parsing queue becomes full with very little actual data. (SPL-85716)
  • DNS resolution is slow, no notable warnings or errors are recorded. (SPL-85903)
  • Inconsistent TailProcessor behavior with symbolic links/Whitelist/Wildcard. (SPL-81350)
  • Post-upgrade to Splunk 6.0 IIS log fails to index with TRUNCATE = 0. (SPL-82811)
  • For some Splunk instances, adding blacklist or whitelist to inputs for WinEventLog:Security causes splunkd.log to fill with error messages, including: "ERROR ExecProcessor - message from", "c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe", and "splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='security". (SPL-83520)
  • Crashing thread: DispatchReaper -- 'ComponentException: Failed to get LDAP user="" from any configured servers'. (SPL-83783)
  • Search heads request truncated replicated bundle listing from indexers, causing problems if a bundle >30 entries in the past is needed. (SPL-86759)

Simple xml issues

  • Radial/Filler/Marker gauge gets stuck between 0 - 1. (SPL-83770)

PDF issues

  • Font color in PDFs produced by pdf generation preview differs from the font color visible in the dashboards in Splunk Web. (SPL-86380)
  • [PDF report] event format settings with single value doesn't apply to PDF report. (SPL-77361)

Splunk Web

  • Event count tab is not being updated after drilling down in the timeline and then deselecting. (SPL-86793)
  • Time range picker with extra values will drop the original ones. (SPL-86219)
  • Permissions to a global Nav menu may override another Nav menu. (SPL-83717)
  • Too many custom time ranges can cause the default ranges to not be displayed in the drop-down list. (SPL-86219)
  • Content of a saved search is missing if saved search name is "." or ".." (SPL-58676)

Distributed management console

  • Crashing thread: DispatchReaper -- 'ComponentException: Failed to get LDAP user="" from any configured servers'. (SPL-83783)
  • disableDefaultPort=true in server.conf causes undesired message flood in splunkd.log. (SPL-82245)
  • Duplicate entries in Forwarder Management for some of the Deployment Clients. (SPL-80215)

Unsorted issus

  • Improve error message for the Http server thread limit ["HttpListener - Can't handle request"]. (SPL-83445)
  • Forwarder uses too much memory in Solaris. (SPL-83338)
  • Intermediate tier universal forwarder with useACK = true stops forwarding due to "timed out expecting ACK when it receives acks out of order". (SPL-81323)
  • Universal forwarder crashing thread: TcpOutEloop. (SPL-76689)
  • When searching with the multikv command for events with more than 3000 lines, Splunk Web returns error. (SPL-84692)
  • Duplicate events with useACK=true at an unacceptable rate SPL-84314
PREVIOUS
6.0.7
  NEXT
6.0.5

This documentation applies to the following versions of Splunk® Enterprise: 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters