Splunk® Enterprise

Release Notes

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

Publication date Defect number Description
2015-04-23 SPL-100103 KV store collections are purged when owning app is disabled
2015-03-17 SPL-96265 Orphan KVStore process stops Splunk from restarting.
2015-03-06 SPL-95603 Auto filling of user credentials causes login failure on Safari, Firefox, and Internet Explorer.
2014-11-04 SPL-92670 The latest versions of both the Splunk and Splunkforwarder RPMs for linux (i386 and x86_64) claim to provide libraries to the system when they really do not. This could cause other applications that depend on those libraries to fail to install or to run.
The PDF Report Server App, which was deprecated in version 6.0, has been removed. In Splunk 6.2, you cannot generate PDFs from dashboards that are implemented using advanced XML.
2014-11-03 SPL-92500 Windows installer fails on non-English Windows systems.
2014-10-30 SPL-92596 After an upgrade to 6.2 on Windows, the splunkweb service does not start automatically. Attempts to start it manually result in the following message: Error 1053: The service did not respond to the start or control request in a timely fashion. This is by design. While the splunkweb service does install, the splunkd service now handles all Splunk Web operations. See "The Splunk Web service installs but does not run" in "About Upgrading to 6.2."
Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure allowed and restricted SSL versions in the Securing Splunk Enterprise manual and the Blog entry: Mitigating the POODLE attack in Splunk.
2014-10-28 SPL-92435 Forcing TLS1.2 or TLS1.1 in server.conf with SPLUNK_FIPS does not work.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Publication date Defect number Description
2015-04-14 SPL-94540 Unable to Install Splunk 6.2 on SunOS 10 Sparc machines with "`SUNW_1.22.6' not found" error. To work around this problem:

1. Set variables ( $ LD_NOVERSION=1 ; LD_NOVERSION_32=1 ; LD_NOVERSION_64=1 )
2. Set them as env variables ( $ export LD_NOVERSION LD_NOVERSION_32 LD_NOVERSION_64 )
3. Run Splunk ( $ $SPLUNK_HOME/bin/splunk start )

2015-04-07 SPL-93893, SPL-95121 Splunk Enterprise 6.2.x installer fails if the MSI database on the machine is partially corrupted.
2014-10-28 SPL-90648 When you upgrade a Windows universal forwarder that runs as a domain user from version 6.1.3, the installer changes the service account to the Local System user. To work around the problem, upgrade the forwarder to 6.1.4 first, then upgrade to 6.2.
2014-10-28 SPL-91835 Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, remove the app before starting an upgrade. To prevent this issue from occurring, upgrade the app to version 1.1.5 before you upgrade Splunk Enterprise.
2014-10-28 SPL-92490 web.conf setting for updateCheckerBaseURL=0 now displays "Your Browser could not connect to Splunk.com...need to be connected to the Internet to find out when updates to your Splunk software are available". It does not disable Splunk automatic checking for new versions.
Pre-6.2 SPL-89640 If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
Pre-6.2 SPL-75354 Opening saved searches for editing or running CLI searches are very slow. Workaround: disable fetch_remote_search_log in limits.conf.
Pre-6.2 SPL-73386 Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:

1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Publication date Defect number Description
2014-11-19 SPL-93063 Index list is incomplete under Input Settings, not all index names display.
2014-10-28 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI.

Workaround: Create a server class, where you can see the client name, and use that group when you add data.

2014-10-28 SPL-90527 After gzipping a directory that has previously been indexed, a monitor reindexes the contents of the gzipped directory.
2014-10-28 SPL-90738 Monitoring a directory with an unknown sourcetype produces indexing errors.
Pre-6.2 SPL-79421 Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields (_*, _meta or _TCP_ROUTING)
Pre-6.2 SPL-83068 Default-index can be set to random index.
Pre-6.2 SPL-34347 wmi input default fields - with value including newlines doesn't search properly because of \r\n issue.
Pre-6.2 SPL-73825, SPL-73826 Hostname override/Regex on path not working correctly for compressed file inputs on Windows.
Pre-6.2 SPL-74028 Running splunk list wmi doesn't show active WMI collections, but splunk cmd btool wmi list does.
Pre-6.2 SPL-74209 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.

Charting, reporting, and visualization issues

Publication date Defect number Description
2015-01-12 SPL-94277 While creating a Pivot, when I split rows by time and select the format "Year", it returns this value: 2014-01-01 00:00:00.
2015-01-12 SPL-94047 While creating a Pivot, when using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column.
2015-01-12 SPL-92587, SPL-93662 FlashTimeline disappears after zooming to selection or double click.
2014-11-21 SPL-93439 Username containing a "." or "@"character fails to create private dashboard

Workaround: creating non-private dashboards continues to work, if the role allows it

2014-10-28 SPL-92432 Chart in dashboard panel does not honor interval settings.

Workaround: In the panel XML, specify a larger height to use the correct interval settings.

Pre-6.2 SPL-79768 Changing map and tile parameters in the Vizualization Editor creates error in Console.
Pre-6.2 SPL-80568 Highcharts set Y-axis value based on first point outside visible range.
Pre-6.2 SPL-81538 When using pivot, stack mode is lost when "Scatter Chart" is selected. - loses stack mode.
Pre-6.2 SPL-73846 New reports are not displayed in the report list until you refresh the window.
Pre-6.2 SPL-73569 Pie maps do not have legend labels.

Indexers and indexer clustering issues

Publication date Defect number Description
2017-08-17 SPL-96089 Deleting a newly created index hangs splunkd
2015-10-14 SPL-108023 "remove excess-buckets" removes all buckets created under Multi-Site clustering if CM was moved from Multisite to Single Site
2014-10-28 SPL-87816 When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.

Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.

2014-10-28 SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-10-28 SPL-88923 summary created by tscollect does not show all pool members.
2014-10-28 SPL-83636 If you first configure a master with default RF/SF and then give the misconfiguration command, you get an error message that is wrong.
2014-10-28 SPL-91567 Batch primary jobs are scheduled last. They should be scheduled first.
2014-10-28 SPL-90983 In indexing cluster, found a few corrupted buckets from search peer that might affect the report summary getting correct results.
2014-10-28 SPL-90661 Taking a peer offline with enforce counts on causes master to remain in fixup mode.
2014-10-28 SPL-90659 Configure clusters with large numbers of buckets. For clusters with a large number of buckets (>100k), Splunk recommends changing the service_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.

For clusters with a large number of buckets (>100k), Splunk recommends changing the service_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.

2014-10-28 SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-10-28 SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-10-28 SPL-90331 Multi-site cluster doesn't meet replication factor/search head factor due to bucket issue.

Workaround: From the endpoint, add the buckets missing RF/SF to the to_fix list.

2014-10-28 SPL-84540 For search head pooling on a cluster master or clustered search_head, editing the cluster-config-mode clears replication_port.

Workaround: rename setting to shp_replication_port.

2014-10-28 SPL-78688 Peer is able to change to an invalid (empty) replication port.
2014-10-28 SPL-91432 On Windows when the master is down, the CLI command splunk offline hangs when run from one of the streaming target peers.
2014-10-28 SPL-90770 Cumulative raw data size for indexes on the Index Clustering page is not accurate. It uses a division factor of 1000/1000/1000 instead of 1024/1024/1024.
2014-10-28 SPL-90409 Removing excess buckets does not remove all the excess buckets and causes "fully searchable" criteria in the UI to fail.
2014-10-28 SPL-88434 Inaccurate message "Detected possible tampering with this source" may display for valid data.
Pre-6.2 SPL-70433 Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exists in the /etc/slave-apps, causing this warning.
Pre-6.2 SPL-90932 WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This cause duplicated events. Do not use this option.
Pre-6.2 SPL-77792 Different number of events returned for identical buckets on different sites because partial uncompressed slice exists on one peer's bucket but not on others
Pre-6.2 SPL-81934 For clusters, may be unable to open search results output file for search results in a cluster. Workaround is to write to a temp file and rename to the target file.
Pre-6.2 SPL-81913 Changing your configuration from multi site to non-multisite can result in unsearchable buckets.
Pre-6.2 SPL-81955 Multisite peer takes approximately six minutes to restart when site configuration is changed.
Pre-6.2 SPL-82386 Cluster master with distributed search disabled still dispatches searches to cluster peers.
Pre-6.2 SPL-81972, SPL-81963 For a multisite cluster, you must roll the peers' hot buckets if you change the values of any of these attributes: site_replication_factor, site_search_factor, or available_sites, and then restart the master. Otherwise, the buckets might not meet the new site_replication_factor or site_search_factor or be fully searchable. You can roll the buckets manually or by issuing a rolling-restart command.
Pre-6.2 SPL-82038 Cluster-config will not work if the parameter value has spaces in them.
Pre-6.2 SPL-77954 In clusters, primary copy of bucket is left in weird state with chunk of data not added to journal.gz. This can cause event counts to be off between peers with a common bucket.
Pre-6.2 SPL-78797 When buckets with a truncated journal.gz appear in a cluster, streaming targets are unable to make the bucket searchable when fsck attempts to rebuild the tsidx and other supporting files.
Pre-6.2 SPL-73652 Running splunk offline -enforce-counts incorrectly fails to stop the peer and Splunk does not exit.
Pre-6.2 SPL-74253 Maintenance mode does not carry over across master restarts. To work around this issue, re-initiate maintenance mode after restarting the master.
Pre-6.2 SPL-72484, SPL-74103 Changing the server name on search head doesn't get reflected in the cluster master's cluster management page.
Pre-6.2 SPL-63687 Clustering dashboard displays the removed peer list indefinitely.

Data model and Pivot issues

Publication date Defect number Description
Pre-6.2 SPL-80285 In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions. For more information, see Add lookup files to Splunk.
Pre-6.2 SPL-80187 In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared. The workaround is to share the definition. For more information, see Add lookup files to Splunk
Pre-6.2 SPL-82262 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
Pre-6.2 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
Pre-6.2 SPL-81781 Data Model Manager: Acceleration Status and Access Count fails to update when you click "Update."
Pre-6.2 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
Pre-6.2 SPL-82238 Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
Pre-6.2 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
Pre-6.2 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
Pre-6.2 SPL-81781 In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
Pre-6.2 SPL-81856 Show all lines does not work in data model editor preview.
Pre-6.2 SPL-82164 Migrating invalid data models from 6.0 to 6.1 fails.
Pre-6.2 SPL-77054 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Integrated PDF generation and PDF Report Server issues

Publication date Defect number Description
2015-03-19 SPL-85497 Unable to save generated PDFs using Chrome internal PDF viewer.

Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, see https://support.google.com/chrome/answer/142056.

Pre-6.2 SPL-66213 PDF Report Server App doesn't work with latest Xvfb. Workaround is to install xorg-x11-server-Xvfb.x86_64 0:1.10.6-1.el6.centos.
Pre-6.2 SPL-73938 PDF Report Server App: Printing PDF on debug/pdf page is broken.
Pre-6.2 SPL-58744 If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line.
Pre-6.2 SPL-67491 Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used.
Pre-6.2 SPL-67268 Not able to export PDF if dashboard has no row or empty row.
Pre-6.2 SPL-73798 Generating a PDF of scheduled search with quotes in the title results in an error and no search results in the report.
Pre-6.2 SPL-73029 Heat maps are not printed.

Search, saved search, alerting, scheduling, and job management issues

Publication date Defect number Description
2015-02-02 SPL-94792 The Patterns tab breaks in implementations that use search head clustering. If you are using search head clustering, the patterns tab can be disabled for any given role by removing the pattern_detect capability from that role.
2014-12-22 SPL-94910 The replace function does not apply to fields names with an underscore in it. The workaround is to rename the fields to remove the underscores before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-12-01 SPL-92736 Scheduler ignores user/owner user_pref time zone setting for cron scheduled searches, runs cron scheduled search in relation to system time.
2014-11-13 SPL-93039 The relevancy search command does not work, always returning 0 or -inf.
2014-10-28 SPL-92303 Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results.
2014-10-28 SPL-91778 Dispatch disk usage incorrectly includes temporary CSV result files for large event searches, which can lead to job queueing.
2014-10-28 SPL-80966 eval function commands() fails search when a search can't be parsed.
2014-10-28 SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-10-28 SPL-90139 [timestamp] does not display in the Patterns tab when searches are run in fast mode.
2014-10-28 SPL-88228 When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.
2014-10-28 SPL-88230 Because the Search RSS feed URIs do not include locale, clicking on them will lead to an error page.
2014-10-28 SPL-89332 Report acceleration summaries do now show in Settings when you have hundreds of reports accelerated.
2014-10-28 SPL-79862 When creating a tag on a field in an event listing, the tag is added but fails to show in event fields unless it is selected.
2014-10-28 SPL-91110 Scheduler Search page silently accepts incorrect cron scheduler format. Saved search then runs at an incorrect time.
2014-10-28 SPL-90861 If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. Not message is displayed, though the information is added to search.log.
Pre-6.2 SPL-81103 Username surrounded by dollar signs cannot create saved searches.
Pre-6.2 SPL-82517 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
Pre-6.2 SPL-78612 Deleting a dashboard with a scheduled PDF does not also delete the scheduled view.
Pre-6.2 SPL-79562 Cloned dashboard is not scheduled but "Schedule PDF Delivery" link indicates that the schedule was cloned.
Pre-6.2 SPL-83129 Eval Function strptime does not return results when 1970 date is used
Pre-6.2 SPL-79738, SPL-81136 The iconify command fails to render icons in the event viewer.
Pre-6.2 SPL-76798 The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x
Pre-6.2 SPL-67642 reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated.

Splunk Web and Home interface issues

Publication date Defect number Description
2015-04-21 SPL-98887 Splunk Enterprise does not show Internet Explorer 8 users an "incompatible browser" screen when they log in through SSO.
2015-01-22 SPL-95745 In search, when you choose dates in November using the Time & Date Range selector, the end date is shortened by one day after you click Apply. Workaround: Reselect the end date and click Apply.
2014-10-28 SPL-92298 The URL made for workflow actions does not encode the field values properly. As a result, a field value with special characters in the URL (for example, ampersands) will result in incorrect values being passed.
Pre-6.1.5 SPL-86219 Too many custom timeranges in the UI, can cause the default ranges to not be displayed in the droplist.
Pre-6.2 SPL-80942 Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
Pre-6.2 SPL-58476 Login screen shows expired license on expiration date before it is expires (i.e. same day).
Pre-6.2 SPL-82581 Admin user can not check other's private alert result.
Pre-6.2 SPL-73818 Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

Distributed deployment, forwarder, and deployment server issues

Publication date Defect number Description
2015-03-24 SPL-98561 Issuing splunk reload deploy-server can crash splunkd if serverclass.conf contains whitelist and/or blacklist that is out of sequence number. splunkd_stderr.log will report the appropriate stanza to review. Gap in numbered regexes: expected attribute=whitelist.1 not found (context: stanza='serverClass:myapp')
2015-01-12 SPL-93988 Deployment server misleadingly records an attempt to uninstall an app. "Updating record action=Install result=Ok". "Updating record action=Install result=Fail".
2014-10-28 SPL-91648 Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-10-28 SPL-91273 Splunk instrumentation misidentifies remote scheduled searches as historical searches, which can affect data displayed in the Distributed Management Console.
2014-10-28 SPL-89333 Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-10-28 SPL-85739 When running a high number of deployment clients for a server, memory growth may be excessive. To mitigate this, set forceHttp10=true.
Pre-6.2 SPL-35700 When deploying apps from a Windows deployment server to Unix deployment clients, scripts do not arrive with executable flag set
Pre-6.2 SPL-81637 Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
Pre-6.2 SPL-75764 Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
Pre-6.2 SPL-82949 When you add unsupported attributes to serverclass.conf in Forwarder Management, a blank page is displayed with no error that an unsupported attribute was added. Instead the message displays: FAILED_LOAD_DEPLOYMENT_SERVER.
Pre-6.2 SPL-80215 Duplicate entries in Forwarder Management for some of the Deployment Clients.
Pre-6.2 SPL-28471 Splunk Web becomes unreachable if an enabled deployment server in the same instance cannot access DNS.
Pre-6.2 SPL-74427 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer.
Pre-6.2 SPL-83461 Internal ACK's queue on indexer is getting fragmented.This can cause increase of memory on the Forwarder and/or Data duplication

Distributed search and search head clustering issues

Publication date Defect number Description
2015-11-06 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf.
2015-04-20 SPL-99116 After enabling the Distributed Management Console (DMC) in distributed mode in an indexing cluster, the search head may not be able to search all the peers. The error will mention splunk_server_group : "Search filters specified using splunk_server/splunk_server_group do not match any search peer". To work around the issue, go to the DMC setup page and click Apply. To avoid the issue, run the DMC in standalone mode.
2015-04-14 SPL-97352 Temporary lookup folder $SPLUNK_HOME/var/run/splunk/lookup_tmp filling up on the search head.
2015-01-12 SPL-93913 Scheduling PDF delivery for Report on a Search Head Cluster crashes search head.
2015-01-09 SPL-94522 Search head cluster caches in-memory jobs, leading to increasing memory growth.

Workaround: Set status_cache_size = 2000 in etc/system/limits.conf.

2014-10-28 SPL-89809 Updates to $SPLUNK_HOME/var/run/*.csv via outputcsv are not replicated across the cluster.
2014-10-28 SPL-89131 In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-10-28 SPL-91206 In a search head cluster with KVStore, removing a member from the cluster does not remove it from the replica set.
2014-10-28 SPL-90028 Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-10-28 SPL-91638 For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
2014-10-28 SPL-87816 When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.

Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.

2014-10-28 SPL-91780 In a search head cluster, saved search artifacts are not available to all search head cluster peers via loadJobs or bringJobs.
2014-10-28 SPL-84540 For search head pooling on a cluster master or clustered search_head, editing the cluster-config-mode clears replication_port.

workaround: rename setting to shp_replication_port.

Pre-6.2 SPL-86599 When using search-head pooling, some email alert configurations from the alert_actions.conf are not applied, if they are in an app on the shared storage. Workaround, copy the configuration on the $SPLUNK_HOME/etc/system/local of each search-heads.
pre-6.2 SPL-82244, SPL-90958 Unexpected duplicate app: _cluster caused due to password hashing ().
Pre-6.2 SPL-71149 When a large number (>/=100) of users search concurrently on the same search head, some of them may see an error message about an unknown SID, and receive no results.

Windows-specific issues

Publication date Defect number Description

ported browser to access this feature.

2015-05-06 SPL-92192, SPL-100199 When evt_dc_name is not specified for Wineventlog input and SID resolution is enabled, Splunk Enterprise uses the PDC not the local DC for SID resolution.
2015-03-20 SPL-95121, SPL-93893 Splunk 6.2 installer fails if msi database on the machine is partially corruputed. MSI log will contain the message: GetPreviousSettings: Error: DetermineContextForAllProducts failed witht: 0x65b.
2014-10-28 SPL-73981 FIPS mode in Win32 may case crash. To mitigate this, never attempt to enable FIPS on Win3.
2014-10-28 SPL-60765 Delta replication tends to fail on Windows due to file size "differences" caused by Windows-style line endings (\r\n).
Pre-6.2 SPL-85389 Upgrading of Splunk on Windows to 6.1.4 may throw pop-up “Splunk Installer was unable to set the CALS on the Splunk Files”. ExitCode=’13’ ”, this message can be ignored.
Pre-6.2 SPL-90932 WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This cause duplicated events. Do not use this option.
Pre-6.2 SPL-80589 On Windows Server 2012 and Server 2012 R2, an external bug causes the "% Processor_Time" counter to display 100 for multiple processes, even when the number of available CPU cores precludes that possibility.
Pre-6.2 SPL-80630 The Windows Network Monitoring input does not work on 32-bit Windows systems.
Pre-6.2 SPL-83043 Installation of Windows Universal Forwarder 6.0 or later version under Windows 2003 32-bit, can fail with "Splunk Installer was unable to launch Splunk's First Time Run. Error Code 1" or "Splunk Installer was unable to launch Splunk's Pre Flight Checks. Error Code: -1073741795". Workaround: install earlier Windows UF 5.0.8
Pre-6.2 MSAPP-2633 An issue with Splunk Enterprise 6.1 caused the dashboards and menus in the Splunk App for Windows Infrastructure 1.0.1 update to not render. To fix the problem, download and install version 1.0.2 of the app.
Pre-6.2 SPL-78984 The 32 bit Windows version of the universal forwarder fails to properly upgrade from non-default location. Note: Installing a 32-bit version of any Splunk software on top of 64-bit version is neither supported nor recommended.
Pre-6.2 SPL-83365 Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
Pre-6.2 SPL-78462 Splunk Enterprise on Windows ignores the homePath.maxDataSizeMB and coldPath.maxDataSizeMB attributes in indexes.conf.
Pre-6.2 SPL-77126 The Registry data input incorrectly handles events with different cases in their paths.
Pre-6.2 SPL-82357 The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
Pre-6.2 SPL-81489 Version 6.* of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether or not you disable the WINEVENT_*installation flags.
Pre-6.2 SPL-79009, SPL-79421 The Splunk Windows universal forwarder does not forward Windows Event Log or performance monitor data to the correct indexer or forwarder group, as defined by the _TCP_ROUTING attribute in the inputs.conf stanza for the input. Other input types forward data properly.
Pre-6.2 SPL-75116 If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.x instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf.
Pre-6.2 SPL-73826 The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows.
Pre-6.2 SPL-40332 Splunk on Windows does not properly update or save lookup tables when it accesses them with a search.
Pre-6.2 SPL-74209 Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.
Pre-6.2 SPL-48342 LDAP authentication does not work on Windows over the IPv6 protocol.
Pre-6.2 SPL-73818 Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

REST, Simple XML, and Advanced XML issues

Publication date Defect number Description
2014-11-14 SPL-63024 SPL-91858 SPL-92595 The series names in a piechart panel may turn to "undefined" if the panel is resized. The workaround is to reload the page.
2014-10-28 SPL-91211 Cascading form inputs that uses an unset condition on a form input causes a continuous loop for the form input values.
2014-10-28 SPL-32852 Post process may not return expected events if the original job is truncated.
2014-10-28 SPL-91711 Failure with Schedule PDF for a panel with a search containing a table or other transforming commands. Returns "No matching events found."
2014-10-28 SPL-86226 User cannot navigate from a dashboard to a prebuilt panel to fix a simple XML error in the panel.
2014-10-28 SPL-91074 (Mobile) Submit button does not render when instantiating a form using the client-side parser/factory.
2014-10-28 SPL-91996 Panel that uses a duplicate ID when referencing a base search silently fails to render.
Pre-6.2 SPL-82636 Not able to use "Edit Source" menu from Dashbord list.
Pre-6.2 SPL-82233, SPL-76824 Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event.
Pre-6.2 SPL-78179 REST /saved/searches App Names With Special Characters Have Invalid Links.
Pre-6.2 SPL-66700 The warmToColdScript property is not supported by REST API.
Pre-6.2 SPL-74151 Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
Pre-6.2 SPL-66511 Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.
Pre-6.2 SPL-65124 Sorting as "asc" does not work for Dashboard of Panel Type: List.
Pre-6.2 SPL-64489, SPL-32852 HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events.
Pre-6.2 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

Web Framework issues

Publication date Defect number Description
If you do not set the "value" property when you first create a TimeRange view, you get an error if you try to change "earliest_time" and "latest_time" properties later.

Unsorted issues

Publication date Defect number Description
2015-05-04 SPL-91962 In a search head pooled environment, if you start your Splunk Enterprise instance before your NFS storage mounts, Splunk Enterprise starts but KV store fails to initialize. As a result, you cannot access KV store. Resolution: Make sure your NFS storage is mounted and reachable, then restart your instance of Splunk Enterprise.
2015-02-23 SPL-95451 The KV store feature is unable to initialize properly when the permissions of file $SPLUNK_HOME/var/lib/splunk/kvstore/mongo/splunk.key are more open than r--------. This corresponds to owner read-only and is equivalent to octal mode 400. To prevent this issue, make sure that the permissions on this file are not more open than described here.
2015-01-05 SPL-92740 The app key value store (KV store) is not available with a free license.
2014-11-10 SPL-92831 A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ". The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1).
2014-12-12 SPL-94017 mongod creates up to 65k files in /dev/shm/, using up to 500MB of space. Workaround is to "export MONGOC_DISABLE_SHM=1", or adding it to splunk-launch.conf.
2014-11-24 SPL-93577 The details per pool on the "License usage manager" view does not handle pools names with spaces in it. Workaround, access the search details and add double quotes around the pool="pool name with spaces" condition.
2014-10-28 SPL-91346 A user with a non-admin role but edit_user capability can map to the Roles page. User receives a message that there is an error retrieving the configuration, and cannot process the page.
2014-10-28 SPL-91709 Splunkd timeouts on setting up ES app on Windows.
2014-10-28 SPL-88427 CronScheduler issues WARN messages on startup that can safely be ignored.
2014-10-28 SPL-92162 Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
2014-10-28 SPL-91396 Spunk introspection for CPU time uses metrics that can result in a sum of cpu_systm_pct, cpu_idle_pct, and cpu_user_pct that is greater than 100%.
Pre-6.2 SPL-85036 roleMap's attributes are removed in $SPLUNK_HOME/etc/system/local/authentication.conf by command "splunk reload auth" or restarting Splunk when bindDNpassword is empty. A workaround is to use an app's local directory instead of $SPLUNK_HOME/etc/system/local.
Pre-6.2 SPL-81810 License pool warning at license master keeps coming back after deleting it. The workaround is to delete the warnings on the peers first then the License Manager.
Pre-6.2 SPL-77139 Licenser pool usage gets reflected only after restarting Splunkd.
Pre-6.2 SPL-82389 server.conf In [httpServer] server stanza, maxThreads/maxSockets do not accept negative numbers.
Pre-6.2 SPL-80918 Datapreview: endpoint doesn't allow for deleting sourcetype properties.
Pre-6.2 SPL-82699 SSO: Acceleration icon fails to display in Searches, Reports, and Alerts pages.
Pre-6.2 SPL-71645 Report acceleration Summary folders (summaryHomePath) cannot be created if the homePath of the index is at the root of the filesystem, (homePath=D:\myindex or homePath=/myindex). The workaround is to create the folder manually.
Pre-6.2 SPL-74337 You cannot specify a destination folder when installing on OSX.
Pre-6.2 SPL-72484 Cannot use the CLI to delete an index with a capital letter in its name.
Pre-6.2 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.
Pre-6.2 SPL-73636 If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day.
Pre-6.2 SPL-69304 If license slaves are running <6.0 version, they do not have the idx field and in the License Usage view, the split by index field will show a field named UNKNOWN.
Pre-6.2 SPL-43791 Splunk does not report server status correctly when there is a problem with SSL/TLS configuration.
Pre-6.2 SPL-38082 BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order.
Last modified on 17 August, 2017
Welcome to Splunk Enterprise 6.2
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters