Splunk® Enterprise

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

This section lists highlighted issues and issues that customers reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "About upgrading to 6.0 READ THIS FIRST" in the Installation Manual.

Publication date Defect Description
2014-18-11 Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Set your SSL version in the Securing Splunk Enterprise manual.
Pre-6.0.7 SPL-75354, SPL-75647 Opening saved searches for editing or running CLI searches are very slow. Workaround: disable fetch_remote_search_log in limits.conf.
Pre-6.0.7 SPL-73797 Bundle replication fails when serverName or search head pool GUID has a final segment containing only digits. This can affect users upgrading from pre 6.0.x versions of Splunk.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Date filed Issue number Description
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Date filed Issue number Description
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.
2013-09-10 SPL-74209, SPL-74167 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >).

Workaround:
Specify the persistentQueue explicitly in the input definition.

Search issues

Date filed Issue number Description
2014-10-22 SPL-92298, SPL-98390 Workflow action event menu does not encode _raw field when used in link.uri
2014-09-16 SPL-90888 If a field value in summary index has an "=" (equal) sign in it, automatic field extraction will drop it.

Workaround:
The customer must reexecute the Template:Rex command to reparse the raw event created in the summary index and to recreate the search field extraction knowledge object:

{code} index=burch-summary | rex field=_raw "other_ip=(\b|[^_])(?P<other_ip>[^\\\")]+)" | stats count(other_ip) by other_ip {code}

2014-09-08 SPL-90600, SPL-90719, SPL-90717, SPL-90718 Unable to search a specific time frame due to time validation error

Workaround:
For Adhoc Searches: use earliest / latest in the search

For Dashboards: Pull more data then needed (larger date range). No other work around available.

Related Answers post at: http://answers.splunk.com/answers/154984/why-time-range-picker-on-default-splunk-61x-ui-shows-earliest-time-cannot-be-greater-than-latest-time-errors

2014-07-14 SPL-86818 High memory usage by firefox browser when using auto refreshing dashboards

Workaround:
Set *javascript.options.mem.high_water_mark* to *10* or something between *10 and 30* in the about:config page of Firefox.
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used.
2014-04-11 SPL-82972 Search bar is disabled if already selected timerange is selected again
2014-04-02 SPL-82566 Workflow action: special characters are not escaped properly
2014-02-21 SPL-80966 eval function commands() fails search when a search can't be parsed
2013-12-16 SPL-77989 Submit button in Simple xml will not re-run search without change to time-picker.
2013-10-24 SPL-75647, SPL-81623 Oneshot and Export searches shouldn't download search.log files from indexers
2013-10-17 SPL-75354 Opening saved searches for editing or running CLI searches are very slow.

Workaround:
Disable fetch_remote_search_log in limits.conf.
2013-09-06 SPL-74151 When using SimpleXML, an extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
2013-09-03 SPL-74028 "splunk list wmi" doesn't show active WMI collections, but "splunk cmd btool wmi list" does
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2014-07-08 SPL-86599 Search-head pooling does not honor all the setting from the alert_actions.conf in the shared pool apps
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Charting, reporting, and visualization issues

Date filed Issue number Description
2013-11-20 SPL-76824 Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event.
2013-09-06 SPL-74151 When using SimpleXML, an extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
2013-08-28 SPL-73846 New reports are not displayed in the report list until you refresh the window.

Data model and pivot issues

Date filed Issue number Description
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.
2013-09-12 SPL-74291 DataModel Pivot: Single Value Display not updating with real-time data
2013-09-11 SPL-74239 Data Model Editor: Data Model cannot be found after changing Permission while Accelerated

Indexer and indexer clustering issues

Date filed Issue number Description
2014-04-17 SPL-83169 on Windows, if peers' Windows explorer not closed for long enough time, adding a new index still requres a peer restart, not reload
2014-01-07 SPL-78797, SPL-103251 Buckets with a corrupted journal.gz are stuck in a PendingDiscard state with continuous fsck retries

Workaround:
Manually freeze all copies of the corrupted bucket(s) following this procedure -> https://confluence.splunk.com/display/SUP/Index+replication+delete+buckets

This work-around is now also documented [on Splunk Answers|http://answers.splunk.com/answers/184484/what-should-i-do-with-bad-buckets-in-a-clustered-e.html].

2013-09-11 SPL-74253 Clustering - Maintenance mode does not carry over across master restarts.
2013-09-05 SPL-74103 Changing the server name on search head doesn't get reflected in the cluster master's cluster management page.
2013-09-03 SPL-74022 Clustering - first/default statusof a new cluster to be searched on the searchhead is down, not met, etc.
2013-09-03 SPL-74001 Clustering: remove excess buckets doesn't remove excess hot buckets
2013-08-30 SPL-73968, SPL-75632 If a peer is not up while pushing a bundle, all peers will always restart.
2013-08-28 SPL-73839, SPL-73910 Clustering - peers stuck in a state where latest != active bundle w/ status validation successful
2013-08-23 SPL-73652 "splunk offline -enforce-counts" incorrectly fails to stop the peer (splunk does not exit)

Workaround:
How to avoid this issue

=> Do not use "--enforce-count" option

How to fix this issue when this already happened and got stuck with "Decommissioning" ? 1) Stop the Cluster Peer ("splunk stop") => CM should show the CP as "down" 2) Make sure searchable factor and replication factor are met in the view of Cluster Management => If not, there is another issue happening in addition to this bug. This bug happens even when all buckets have no problem. 3) Option: If you need to remove the 'decommissioned' CP from Cluster Management view, you need to restart Cluster Master. In dash, we can remove a down-ed peer or Graceful shutdown peer from master's list with out restarting the master. At CM, you have to do something like: $SPLUNK_HOME/bin/splunk remove cluster-peers -peers GUID1,GUID2,GUID3 ( SPL-86868 )

2013-08-06 SPL-72484 You cannot use the CLI to delete an index with a capital letter in its name.
2013-07-23 SPL-71556 Clustering-When the peers configured is less than the RP factor then Bundle push is not working
2013-07-03 SPL-70433 Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps.
2013-04-24 SPL-65862 Clustering UI: Sorting does not work
2013-03-20 SPL-63687 Clustering dashboard displays the removed peer list for ever
2012-06-25 SPL-52901, SPL-54729 Disabling a slave leaves the hot bucket treated incorrectly

Distributed search and search head clustering issues

Date filed Issue number Description
2013-09-10 SPL-74220 High REST response times on search peers due to system resource contention can cause user-facing search timeouts on search-head but fail to be reported on peers
2013-08-27 SPL-73797 Bundle Replication: serverName or search head pool GUID ending with 10 digits confuses /admin/bundles on indexers
2012-08-17 SPL-54982 Lookups large enough to index with distributed searches cause problems sometimes

Universal forwarder issues

Date filed Issue number Description
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.

Workaround:
To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2013-12-13 SPL-77905 "./splunk list deploy-clients" limited to 30
2013-05-01 SPL-66453 Forwarder management: Not all clients appear in the UI when they have the same host.
2010-11-10 SPL-35308 Any app that updates its lookup table files can't be pushed out/managed using Deployment Server

Monitoring Console/DMC issues

Date filed Issue number Description
2014-05-06 SPL-83852 Mako failed to render error when accessing various management pages after upgrading to 6.1.0

Workaround:
{code}

Stop Splunk Web

   $SPLUNK_HOME/bin/splunk stop splunkweb

Download a patched _helpers.html file from Splunk's box.com account - https://splunk.box.com/s/i288znmr84rulbx6le25 Replace $SPLUNK_HOME/share/splunk/search_mrsparkle/templates/admin/_helpers.html with the patched _helpers.html file. Start Splunk Web

   $SPLUNK_HOME/bin/splunk start splunkweb

{code}

2014-01-02 SPL-78585 Latest event and size from the index endpoint is wrong since 6.0, hot bucket info is not updated

Splunk Web and interface issues

Date filed Issue number Description
2014-12-22 SPL-94886 Dashboard panels are inconsistent when referencing the same SID
2014-10-22 SPL-92298, SPL-98390 Workflow action event menu does not encode _raw field when used in link.uri
2014-07-14 SPL-86818 High memory usage by firefox browser when using auto refreshing dashboards

Workaround:
Set *javascript.options.mem.high_water_mark* to *10* or something between *10 and 30* in the about:config page of Firefox.
2014-04-17 SPL-83226 Logging in with User with non English characters will make Splunk unusable
2014-04-11 SPL-82972 Search bar is disabled if already selected timerange is selected again
2014-04-02 SPL-82566 Workflow action: special characters are not escaped properly
2013-11-20 SPL-76798 Time range picker is not customizable via times.conf the same as version 5 or as suggested by docs.
2013-10-17 SPL-75354 Opening saved searches for editing or running CLI searches are very slow.

Workaround:
Disable fetch_remote_search_log in limits.conf.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

2013-01-07 SPL-60133 Selected fields do not persist after upgrade to 5.0.x
2013-01-01 SPL-59980 No horizontal scroll bar in AD browser
2012-11-14 SPL-58476 Login screen shows expired license, before it is expire (on same day)

Windows-specific issues

Date filed Issue number Description
2015-01-05 SPL-95004, SPL-97080 Large delays in Windows Event Logs due to low network thruput caused by ~250ms pause after tcp sends 6-7 packets.
2014-09-25 SPL-91279 Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles.

Workaround:
See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download.
2014-09-16 SPL-90932 WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This cause duplicated events.

Workaround:
Do not use this option.
2014-02-13 SPL-80630 Windows network monitoring is not running on windows 7/8 32-bit
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.

Rest, Simple XML, and Advanced XML issues

Date filed Issue number Description
2013-05-15 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.
2013-04-25 SPL-66700 warmToColdScript property not supported by REST API

Authentication and Authorization issues

For a list of security issues, please see the Security Advisory. A list of all recent advisories can be found in the Security Portal.

Date filed Issue number Description
2014-06-04 SPL-85036, SPL-97734 roleMap attributes are removed in $SPLUNK_HOME/etc/system/local/authentication.conf when user reloads auth (splunk reload auth or restarts Splunk.
2012-02-22 SPL-48342 LDAP strategy host field cannot work with ipv6 format address but computer name is okay

Admin and CLI issues

Date filed Issue number Description
2015-03-11 SPL-97942 Capability defined in an app does not take effect when assigned to a role

Workaround:
The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:

[search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table

2014-07-14 SPL-86818 High memory usage by firefox browser when using auto refreshing dashboards

Workaround:
Set *javascript.options.mem.high_water_mark* to *10* or something between *10 and 30* in the about:config page of Firefox.
2014-06-04 SPL-85036, SPL-97734 roleMap attributes are removed in $SPLUNK_HOME/etc/system/local/authentication.conf when user reloads auth (splunk reload auth or restarts Splunk.
2013-12-13 SPL-77905 "./splunk list deploy-clients" limited to 30
2013-05-25 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.

Workaround:
Set server.conf [applicationsManager] allowInternetAccess = false
2013-05-02 SPL-66511 If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.
2013-01-22 SPL-60765, SPL-114571, SPL-115844 Bundle Replication: file size calculation for *.meta filtering is wrong

Workaround:
To quiet the warnings, you can disable delta replication in distsearch.conf: allowDeltaUpload = false.

This does not delta replication work. The underlying problem is still present.

Unsorted issues

Date filed Issue number Description
2016-03-30 SPL-116844, SPL-116522 The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed, which might negatively affect apps, add-ons, or scripts that use the commands or that reference the old working directory.
2016-03-30 SPL-116874 Splunk with SHA256 signature is not guaranteed on Windows 2003/XP
2014-04-03 SPL-82581 Admin user can not check other's private alert result
2014-03-07 SPL-81489 Version 6.* of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether you disable the WINEVENT_*installation flags.
2013-11-04 SPL-75974, SPL-77294 UF installer doesn't install Splunk_TA_Windows application when running from CLI
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.

Workaround:
To work around this issue, create a splunk user on your system before attempting to run the installer.
2013-09-13 SPL-74337, BETA-496 You cannot specify a destination folder when installing on OSX.
2013-09-03 SPL-73981 Improve handling of FIPS flag on Windows x86 - error instead of crash
2013-08-23 SPL-73654 splunktcp compression syntax error bug
2013-08-23 SPL-73636 If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day.
2013-06-13 SPL-69304 If license slaves are running <6.0 version, they do not have the idx field and in theLicense Usage view, the split by index field will show a field named UNKNOWN.

Uncategorized issues

Date filed Issue number Description
2014-09-17 SPL-90958 Unexpected duplicate app: _cluster caused due to password hashing
2014-03-17 SPL-81977 eai-hand-appslocal fails on verify_app_update_is_detected
2014-01-31 SPL-79842 On Windows, Indexer doesn't accept new connections on splunktcpin port after queue blockage is resolved
2013-11-11 SPL-76208, SPL-74902 TCPChannel Issue - Find/Fix root cause
2013-09-13 SPL-74317 There is error on page changing Visualization on IE 7 and IE 8
2013-09-12 SPL-74267 DataModel Editor: Edit buttons does not appear once Permissions set to Private for Accelerated DM
2013-09-09 SPL-74189 Constraints for two objects in the "Splunk's Internal Server Logs" data models are wrong
2013-09-09 SPL-74164 There is inconsistency in visualization between Search and Dashboard
2013-08-28 SPL-73835 Setting Rows Per Page causes empty panel in Events panel
2013-08-28 SPL-73826 Windows: hostname override not working properly
2013-08-28 SPL-73818 Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL.

Workaround:
To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.
2013-08-27 SPL-73798 An error occurred while generating a PDF of scheduled search with quotes in the title
2013-08-27 SPL-73756 Regex in etc/default/props.conf not matching IIS file name for IIS 7+
2013-08-26 SPL-73743 Cannot hide charting tick marks on x-axis (charting.axisLabelsX.majorTickVisibility)
2013-08-22 SPL-73569 Pie maps do not have legend labels.
2013-08-16 SPL-73214 DataModel Editor: Items in Edit drop-down menu stops working after Permission set back to Owner
2013-08-13 SPL-73029 heatmaps not shown in pdf
2013-07-25 SPL-71645 Report acceleration Summary folders (summaryHomePath) cannot be created if thehomePath of the index is at the root of the filesystem, (homePath=D:\myindex orhomePath=/myindex).

Workaround:
Create the folder manually.
2013-07-17 SPL-71149, SPL-71561 Search head pooling - Unknown SID error on search page instead of "splunkd timed out" error message
2013-06-21 SPL-69772 DataModel Manager: two models with the same name and different apps not showing in All Apps list
2013-05-16 SPL-67491 PDF report: Events format settings like List, Table, MaxLines, and Wrapping don't apply to PDF report
2013-05-14 SPL-67268 Not able to "Export PDF" if Dashboard has no row or empty row
2013-04-30 SPL-66213 PDF server app is not working with latest Xvfb
2013-04-12 SPL-65124 Sorting as "asc" does not work for Dashboard of Panel Type: List.
2013-04-03 SPL-64489 HiddenPostProcess *silently* discards input events when the parent search is non-reporting and matches more than 10,000 events.
2012-11-26 SPL-58744 Area chart is not filled if the points are unconnected
2012-05-20 SPL-51553 bloomfilters not getting created in bloomHomePath after restart ONLY
2011-09-30 SPL-43791 Incorrect server status reported when there is a problem with the SSL/TLS configuration
2011-03-18 SPL-38082 Block signature reports YES gaps, NO tampering for data when the source is not well ordered in time
2011-01-03 SPL-36597 Splunk does not validate the process pointed to by splunkd.pid, causing stale, pre-crash pids to prevent splunk startup
PREVIOUS
Meet Splunk Enterprise 6
  NEXT
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 6.0.15


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters