Splunk® Enterprise

Release Notes

This documentation does not apply to the most recent version of Splunk.

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

  • Splunk installs on Windows may encounter the following error while attempting to pick a time frame via the GUI: "Earliest time cannot be greater than latest time" even though the times are correct. The workaround is to add "earliest=" and "latest=" to the search instead of using the GUI. (SPL-90600)

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "About upgrading to 6.0 READ THIS FIRST" in the Installation Manual.

  • Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:
    1. Create a special power/admin user who can run scheduled searches.
    2. Assign this user ownership of the scheduled searches.
    3. Share the searches at the app level and grant read/write permission to the correct set of users. (SPL-73386)
  • Bundle replication fails when serverName or search head pool GUID has a final segment containing only digits. This can affect users upgrading from pre 6.0.x versions of Splunk. (SPL-73797)
  • Opening saved searches for editing or running CLI searches is very slow. Workaround: disable fetch_remote_search_log in limits.conf. (SPL-75354, SPL-75647)
  • On Windows 2003 Server (32-bit), events are not sent to the indexer after migration when upgrading from the 6.0.1 Universal Forwarder to the 6.0.4 Universal Forwarder. (SPL-83947)

Data input issues

  • Splunk does not correctly determine the source type for Internet Information Server (IIS) version 7 or later automatically. To work around this issue, explicitly specify the IIS source type when defining your IIS input. (SPL-73756)
  • Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition. (SPL-74209)
  • Running splunk list wmi doesn't show active WMI collections, but splunk cmd btool wmi list does. (SPL-74028)
  • Hostname override/Regex on path not working correctly for compressed file inputs on Windows. (SPL-73825, SPL-73826)
  • After upgrading to Splunk 6.0, IIS logs fail to index with TRUNCATE = 0. (SPL-82811)
  • The Splunk file-input tracking files, called both "the Fishbucket" and BTree, misbehave when hitting the configured maximum size, or 500MB by default. These files exist at the path $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db/ and consist of two files named btree_index.dat and btree_records.dat.
    • On Windows, when this pair of files hits the ceiling for the second and subsequent times, Splunk encounters errors when trying to rename them, similar to "ERROR BTreeCP - error moving save dir 'D:\Splunk\var\lib\splunk\fishbucket\splunk_private_db\save' to old 'D:\Splunk\var\lib\splunk\fishbucket\splunk_private_db\save.old' while truncating".
    • On UNIX, no errors are logged, but significant reindexing can occur.
    • A workaround is to configure the maximum size of these files to a very large size, such as several GB. See http://answers.splunk.com/answers/86081/reduce-fishbucket-size. If you change the log level for BTreeCP to INFO, indicative messages are logged before the problem begins, such as "03-18-2014 17:27:04.714 +0000 INFO BTreeCP - database size '524290072' exceeded max disk sz allowed '524288000'". (SPL-82042)

  • For some Splunk instances, adding a blacklist or whitelist to inputs for WinEventLog:Security causes splunkd.log to fill with the error message "ERROR ExecProcessor - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='security'". This is only an annoyance in the log; functionality otherwise works fine. (SPL-83520)
  • Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields (_*, _meta or _TCP_ROUTING) (SPL-79421)

Charting, reporting, and visualization issues

  • Pie maps do not have legend labels. (SPL-73569)
  • New reports are not displayed in the report list until you refresh the window. (SPL-73846)
  • "In handler 'savedsearch': Error while dispatching search" may be displayed when searches are queued or cannot run in real time because of concurrency limits. (SPL-81881)

Index replication issues

  • Disabling clustering on a peer node and then attempting to re-enable it later causes hot buckets to be handled incorrectly, with the consequence that the peer cannot be added back into the cluster. This scenario occurs when you take an existing peer node and disable clustering on it (turning it into a standalone indexer), and then you subsequently re-enable clustering to turn it back into a peer on its original cluster. In this situation, any hot buckets that were created on the peer but not rolled when clustering was still enabled, will get rolled after you disable clustering and restart the indexer. At that point, they get marked as standalone buckets, since the indexer is no longer a peer. Those buckets, however, also exist on the remaining cluster as replicated buckets, since they were streamed to other peers while the indexer in question was still a peer. If you then re-enable clustering on the peer and restart it, the bucket conflict causes the peer to fail to register with the master. (SPL-52901)
  • Running splunk offline -enforce-counts incorrectly fails to stop the peer and Splunk does not exit. (SPL-73652)
  • Clustering dashboard displays the removed peer list indefinitely. (SPL-63687)
  • Running splunk remove excess-buckets does not remove excess hot buckets. (SPL-74001)
  • Changing the server name on search head doesn't get reflected in the cluster master's cluster management page. (SPL-72484, SPL-74103)
  • Cannot push bundles if the number of peers configured is below the replication factor. (SPL-71556)
  • Maintenance mode does not carry over across master restarts. To work around this issue, re-initiate maintenance mode after restarting the master. (SPL-74253)
  • Master's cluster management page does not sort peer names correctly. (SPL-65862)
  • If a peer is down while pushing a bundle, all peers will always restart. (SPL-73968)
  • Manually modifying indexes.conf to add a new index stanza and running splunk apply cluster-bundle can cause peers to unexpectedly restart rather than reload. (SPL-82152)
  • Unexpected duplicate app: _cluster caused by password hashing. (SPL-82244)
  • Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created, it goes to /etc/apps, while the same file may exist in /etc/slave-apps, causing this warning. (SPL-70433)

Data model and Pivot issues

  • Constraints for two objects (Alerts and Summary Indexing Searches) in the sample data model Splunk's Internal Server Logs are wrong, so objects return 0 events. (SPL-74189)
  • Items in the Edit drop-down menu stop working after permissions for a data model are changed to App/All Apps and then are set back to Owner. To work around this issue, exit the data model editor and start over. (SPL-73214)
  • Edit buttons do not appear once permissions set to private for an accelerated data model. (SPL-74267)
  • Accelerated data model disappears from list after permissions are changed. (SPL-74239)
  • Single value display in a data model is not updating with real-time data. (SPL-74291)
  • If there are two or more models with the same name but in different apps, only one of them will be listed in the All Apps list. (SPL-69772)
  • Limits in filters on the Pivot interface have several known issues including error messages when the stats function is edited in Splunk Web. (SPL-74163)
  • Expanding the App drop-down menu in the Create New Data Model dialog box creates a data model. (SPL-74648)
  • Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot. (SPL-77054)
  • On indexers, search heads, and cluster masters with a large number of indexes, a large number of SummaryDirector searches are triggered and the instances become unresponsive. Workaround [[1]]. (SPL-76956)

Integrated PDF generation and PDF Report Server issues

  • Scheduled PDF delivery by email of a dashboard that includes post-processing runs as a separate search process and provides 0 results. (SPL-82301)
  • Heat maps aren't printed. (SPL-73029)
  • Generating a PDF of scheduled search with quotes in the title results in an error and no search results in the report. (SPL-73798)
  • Not able to export PDF if dashboard has no row or empty row. (SPL-67268)
  • Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used. (SPL-67491)
  • If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line. (SPL-58744)
  • Alert emails sent in PDF result format have some info missing compared to text or csv results. (SPL-60975)
  • PDF Report Server App: Printing PDF on debug/pdf page is broken. (SPL-73938)
  • PDF Report Server App doesn't work with latest Xvfb. (SPL-66213) Workaround: install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos

Search, saved search, alerting, scheduling, and job management issues

  • If you use | reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated. (SPL-67642)
  • Drilldown on tstats output is incorrect and no error message is thrown. (SPL-74244)
  • The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x (SPL-76798)
  • The iconify command fails to render icons in the event viewer. (SPL-79738, SPL-81136)
  • Error "The process cannot access the file because it is being used by another process" in splunkd.log in reference to dispatch search.log. Error does not affect search. (SPL-82288)
  • Eval function strptime does not return results when 1970 date is used. (SPL-83129)
  • When using search-head pooling, some email alert configurations from alert_actions.conf are not applied if they are in an app on the shared storage. Workaround: copy the configuration to $SPLUNK_HOME/etc/system/local on each search head. (SPL-86599)

Splunk Web and Home interface issues

  • The indexing status dashboard's Index health graph and Analysis of index bucket do not work for multiple indexes, only a single index. (SPL-34123)
  • Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521. (SPL-73818)
  • When browsing an Active Directory tree with a depth over 39 nodes, no horizontal scroll bar is shown. (SPL-59980)
  • When you try to select a cell in a table to copy the content, Splunk Web interprets the copy as a click and drills down. (SPL-74243)
  • Upgrading an app from Manager -> Manage Apps returns the error: "An error occurred while installing the app: 302". Workaround: download the app from Splunkbase and install it from file. (SPL-81977)
  • Too many custom time ranges in the UI can cause the default ranges to not be displayed in the drop-down list. (SPL-86219)
  • The URL made for workflow actions does not encode the field values properly. As a result, a field value with special characters in the URL (for example, ampersands) will result in incorrect values being passed. (SPL-92298)

Distributed deployment, forwarder, and deployment server issues

  • The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer. (SPL-74427)
  • Any app that updates its lookup table files can't be pushed out/managed using deployment server. (SPL-35308)
  • Splunk Web becomes unreachable if an enabled deployment server in the same instance cannot access DNS. (SPL-28471)
  • High REST response times on search peers due to system resource contention cause user-facing search timeouts on search-head but fail to be reported on peers. (SPL-74220)
  • Not all clients appear in the deployment server UI when they have the same host. (SPL-66453)
  • When a large number (>=100) of users search concurrently on the same search head, some of them may see an error message about an unknown SID, and receive no results. (SPL-71149)
  • SSL compression settings in web.conf fail to disable compression and compression is turned OFF irrespective of useSplunkdClientSSLCompression setting in server.conf. (SPL-64934)
  • Splunk startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
  • When you attempt to install the Splunk universal forwarder for Windows with the /quiet argument, it does not enable any Windows inputs. This is due to the fact that the Splunk Add-on for Windows, which is required to enable the inputs, does not install. To work around the issue, specify DISPLAY_WINDOWS_TA_DIALOG=1 in the installation command. (SPL-75974)
  • The splunkd.log file grows quite large because the Deployment Server and Deployment Client log detailed INFO messages every two minutes. This level of detail should be moved to DEBUG. (SPL-78499)
  • After deploying an app, the ConfObjectManagerDB complains when the local.meta is not present and triggers a "Checksum mismatch" error. (SPL-74255)
  • Duplicate entries in Forwarder Management for some of the Deployment Clients. (SPL-80215)
  • Deployment Clients on Windows incorrectly truncate long hostnames, as well as uppercase the name; this is a regression from Splunk 5.x (SPL-82528)
  • "$SPLUNK_HOME/bin/splunk list deploy-clients" will only return up to 30 results (SPL-77905)
  • Pushing large cluster bundles that do not complete before the default timeout may result in the bundle not getting set to an Active status. Running “$SPLUNK_HOME/bin/splunk show cluster-bundle-status” shows the Latest and Active bundles are different even hours later. Cluster Master’s splunkd.log entry: “-0700 ERROR ClusterMasterPeerHandler - Cannot add peer=xxx.xxx.xxx.xxx mgmtport=8089 (reason: non-zero pending job count=2075)” and Cluster peer’s splunkd.log: “-0700 WARN CMSlave - handleHeartbeatDone: successful heartbeat and re-add not received but proxy is in disconnected state. Forcing re-add.” (SPL-83316)
  • [splunktcp://<port>] input does not inherit default setting "connection_host = ip" from [splunktcpin] stanza, leads to intermittent forwarder connection timeouts. (SPL-84550). Issue details and workaround solution: http://answers.splunk.com/answers/142625/event-latency-due-to-intermittent-forwarder-indexer-timed-out-issues
  • Downloads of knowledge bundles from search heads to search peers could result in bundle corruption on the peers due to timeouts. (SPL-82334)

Windows-specific issues

  • Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521. (SPL-73818)
  • LDAP authentication does not work on Windows over the IPv6 protocol. (SPL-48342)
  • Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition. (SPL-74209)
  • The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows. (SPL-73826)
  • If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.0 instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf. (SPL-75116)
  • When you attempt to install the Splunk universal forwarder for Windows with the /quiet argument, it does not enable any Windows inputs. This is due to the fact that the Splunk Add-on for Windows, which is required to enable the inputs, does not install. To work around the issue, specify DISPLAY_WINDOWS_TA_DIALOG=1 in the installation command. (SPL-75974)
  • The Splunk Windows universal forwarder does not forward Windows Event Log or performance monitor data to the correct indexer or forwarder group, as defined by the _TCP_ROUTING attribute in the inputs.conf stanza for the input. Other input types forward data properly. (SPL-79009)
  • Indexers don't accept new connections on the splunktcpin port even after a queue blockage has been resolved. (SPL-79842)
  • Version 6.0.2 of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether or not you disable the WINEVENT_* installation flags. (SPL-81489)
  • ADmon: Timestamp fields (pwdLastSet, badPasswordTime, lastlogonTimestamp, etc.) are not being retrieved accurately from the AD record starting with release 6.0. (SPL-83047)
  • Installation of Windows Universal Forwarder 6.0 or later on Windows 2003 32-bit can fail with "Splunk Installer was unable to launch Splunk's First Time Run. Error Code 1" or "Splunk Installer was unable to launch Splunk's Pre Flight Checks. Error Code: -1073741795". Workaround: install the earlier Windows UF 5.0.8. (SPL-83043)
  • The Windows Network Monitoring input does not work on 32-bit Windows systems. (SPL-80630)
  • WinEventLog (Windows Event Log) inputs with the "start_from = newest" attribute in inputs.conf index events more than once. This causes duplicate events. Do not use this option. (SPL-90932)

REST, Simple XML, and Advanced XML issues

  • When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard><foo></dashboard> the endpoint actually receives: <dashboard><foo></dashboard>. (SPL-67453)
  • HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events. (SPL-64489, SPL-32852)
  • Sorting as "asc" does not work for Dashboard of Panel Type: List. (SPL-65124)
  • In Simple XML, an empty paragraph tag is injected into HTML blocks. (SPL-74031)
  • Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view. (SPL-66511)
  • Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page. (SPL-74151)
  • Setting Rows Per Page causes empty panel in Events panel. (SPL-73835)
  • Setting charting.axisLabelsX.majorTickVisibility to hide does not work. (SPL-73743)
  • The warmToColdScript property is not supported by the REST API. (SPL-66700)
  • The Submit button in Simple XML will not re-run a search without a change to the time picker. (SPL-77989)

Web Framework issues

  • If you don't set the "value" property when you first create a TimeRange view, you'll get an error if you try to change "earliest_time" and "latest_time" properties later.

Unsorted issues

  • BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
  • Splunk does not report server status correctly when there is a problem with SSL/TLS configuration. (SPL-43791)
  • Bloomfilters are sometimes not created in bloomHomePath after restart. (SPL-51553)
  • If license slaves are running <6.0 version, they don't have the idx field and in the License Usage view, the split by index field will show a field named UNKNOWN. (SPL-69304)
  • If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day. (SPL-73636)
  • The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO. (SPL-68010)
  • Can't use the CLI to delete an index with a capital letter in its name. (SPL-72484)
  • You cannot specify a destination folder when installing on OSX. (SPL-74337)
  • Report acceleration summary folders (summaryHomePath) cannot be created if the homePath of the index is at the root of the filesystem (homePath=D:\myindex or homePath=/myindex). The workaround is to create the folder manually. (SPL-71645)
  • In the settings pages for the indexes list, the counter for the "Latest event" is not refreshing for events in the hot buckets. (SPL-78585)
  • In server.conf, setting maxThreads or maxSockets in the httpServer stanza to a value of -1 results in an effective value of 0, contrary to what server.conf.spec says. (SPL-82389)
  • roleMap attributes are removed from $SPLUNK_HOME/etc/system/local/authentication.conf by the command "splunk reload auth" or by restarting Splunk when bindDNpassword is empty. A workaround is to use an app's local directory instead of $SPLUNK_HOME/etc/system/local. (SPL-85036)
  • If a value in a field in a summary index has an "=" (equal) sign in it, applying a stats command will drop the equal sign. (SPL-90888)

This documentation applies to the following versions of Splunk® Enterprise: 6.0.4