Splunk® Enterprise

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.

Refer to the System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features in this manual.

Highlighted issues

Publication date Defect number Description
2016-04-01 SPL-116844 The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. This might negatively affect apps, add-ons, or scripts that use the commands or reference the old working directory. See the README for more information on mitigating this issue.
2015-9-9 SPL-102337 Multiple threads accessing Conf system causes issues for CPU resources. A new configuration setting has been added to provide a workaround for this. To work around this issues, set the following configuration in limits.conf.
[auto_summarizer]
enable_saved_searches_cache = true
2014-11-04
The PDF Report Server App, which was deprecated in version 6.0, has been removed. In Splunk 6.2, you cannot generate PDFs from dashboards that are implemented using advanced XML.
2014-10-30 SPL-92596 After an upgrade to 6.2 on Windows, the splunkweb service does not start automatically. Attempts to start it manually result in the following message: Error 1053: The service did not respond to the start or control request in a timely fashion. This is by design. While the splunkweb service does install, the splunkd service now handles all Splunk Web operations. See "The Splunk Web service installs but does not run" in "About Upgrading to 6.2."
2014-10-28
Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure allowed and restricted SSL versions in the Securing Splunk Enterprise manual and the Blog entry: Mitigating the POODLE attack in Splunk.
2014-10-28 SPL-92435 Forcing TLS1.2 or TLS1.1 in server.conf with SPLUNK_FIPS does not work.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Date filed Issue number Description
2014-08-20 SPL-89640 When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts

Workaround:
Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Date filed Issue number Description
2016-06-22 SPL-123264, SPL-122215, SPL-123266, SPL-123268 (Windows Only) Splunk constantly thinks short filenames are new when it doesn't match pattern in a wildcard-monitored directory
2015-10-09 SPL-107716 Splunk UF doesn't process newly created files in the monitored directory (reparse point)
2015-03-17 SPL-98163 INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL

Workaround:
Create a separate extraction in props.conf where defined w3c extraction method:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

2014-03-10 SPL-81637 Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
2013-10-29 SPL-75764 Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.
2013-09-10 SPL-74209, SPL-74167 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >).

Workaround:
Specify the persistentQueue explicitly in the input definition.

Search issues

Date filed Issue number Description
2015-10-06 SPL-107501, SPL-115840 Expanding an event row containing a very long single line string causes browser to become unresponsive

Workaround:
Disable drilldown before running search.
2015-05-29 SPL-102337, SPL-104596, SPL-104597 Multiple threads accessing Conf system causes issues for CPU resources.

Workaround:
To work around this issue, set the following configuration in limits.conf.

[auto_summarizer] enable_saved_searches_cache = true

2015-04-23 SPL-100170 Automatic Lookups limitation: No results returned in Smart Mode when there are nested lookups and the intermediate field is not mentioned in the search.
2014-11-13 SPL-93039 The relevancy search command does not work, always returning 0 or -inf.
2014-10-15 SPL-91996, SPL-91818 No error if ref panel can't render because of ID collision.
2014-09-15 SPL-90861, SPL-90396, SPL-90886 If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log.
2014-08-06 SPL-88427 CronScheduler issues WARN messages on startup that can safely be ignored.
2014-08-02 SPL-88230 Because the Search RSS feed URIs do not include locale, clicking on them leads to an error page.
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-03-27 SPL-82357 The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
2014-03-15 SPL-81934 For clusters, may be unable to open search results output file for search results in a cluster.

Workaround:
Write to a temp file and rename to the target file.
2014-02-21 SPL-80966 eval function commands() fails search when a search can't be parsed
2014-02-21 SPL-80942 Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
2013-12-18 SPL-78179 REST /saved/searches App names with special characters have invalid links.
2013-11-27 SPL-77126 The Registry data input incorrectly handles events with different cases in their paths.
2013-10-17 SPL-75354 Opening saved searches for editing or running CLI searches are very slow.

Workaround:
Disable fetch_remote_search_log in limits.conf.
2013-09-06 SPL-74151 When using SimpleXML, an extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
2013-09-03 SPL-74028 "splunk list wmi" doesn't show active WMI collections, but "splunk cmd btool wmi list" does
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2015-04-09 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2

Workaround:
Reduce length of name of the app and report acceleration searches will run properly within the context of the app.
2014-12-08 SPL-94047, SPL-98628 While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column.
2014-08-15 SPL-89332 Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-11 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
2014-03-10 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
2014-03-07 SPL-81538 When using Pivot, stack mode is lost when "Scatter Chart" is selected.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Charting, reporting, and visualization issues

Date filed Issue number Description
2017-07-24 SPL-143311, SPL-78612 Deleting a dashboard with a scheduled PDF does not also delete the scheduled view on stand alone SH
2014-10-15 SPL-91996, SPL-91818 No error if ref panel can't render because of ID collision.
2014-09-24 SPL-91211 Cascading form inputs that uses an unset condition on a form input causes a continuous loop for the form input values.
2014-09-19 SPL-91074, SPL-91065 Submit button does not get rendered when instantiating a form via the client-side parser/factory
2014-01-27 SPL-79562 Cloned dashboard is not scheduled but "Schedule PDF Delivery" link indicates that the schedule was cloned.
2013-11-20 SPL-76824 Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event.
2013-09-06 SPL-74151 When using SimpleXML, an extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
2013-08-28 SPL-73846 New reports are not displayed in the report list until you refresh the window.

Data model and pivot issues

Date filed Issue number Description
2015-04-09 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2

Workaround:
Reduce length of name of the app and report acceleration searches will run properly within the context of the app.
2014-12-08 SPL-94047, SPL-98628 While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column.
2014-08-15 SPL-89332 Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-11 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
2014-03-10 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
2014-03-07 SPL-81538 When using Pivot, stack mode is lost when "Scatter Chart" is selected.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Indexer and indexer clustering issues

Date filed Issue number Description
2014-12-11 SPL-94250 Rolling restart takes out maintenance mode
2014-10-13 SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-09-29 SPL-91432 On Windows when the master is down, the CLI command splunk offlinehangs when run from one of the streaming target peers.
2014-09-12 SPL-90770 Cumulative raw data size for indexes on the 'Index Clustering' page is not accurate
2014-09-09 SPL-90659 Indexer clustering requires manual changes to service_interval at runtime

Workaround:
For clusters with a large number of buckets (>100k), Splunk recommends changing theservice_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.
2014-09-09 SPL-90661 Taking a peer offline with enforce counts on causes master to remain in fixup mode.
2014-09-08 SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-08-29 SPL-90331 Multi-site indexer cluster doesn't meet replication factor/search head factor due to bucket issue.

Workaround:
From the endpoint, add the buckets missing RF/SF to the to_fix list.

endpoint: https://[host]:[port]/services/cluster/master/buckets/{bucket_id}/fix

2014-07-29 SPL-87816 When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza.

Workaround:
Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
2014-07-14 SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-05-27 SPL-84540 SHP + Clustered - edit cluster-config -mode clears away replication_port in server.conf, should rename setting to shp_replication_port
2014-05-01 SPL-83693 Clustering manager reports data not searchable though search factor is met
2014-04-29 SPL-83636 If you first configure a master with default RF/SF and then give the misconfiguration command, you get an error message that is wrong.
2014-03-18 SPL-82038 Cluster-config does not work if a parameter value includes a space character.
2014-03-17 SPL-81972, SPL-81963 For a multisite cluster, you must roll the peers' hot buckets if you change the values of any of these attributes: site_replication_factor, site_search_factor, or available_sites.

Workaround:
For a multisite cluster, you must roll the peers' hot buckets if you change the values of any of these attributes: site_replication_factor, site_search_factor, or available_sites, and then restart the master. Otherwise, the buckets might not meet the new site_replication_factor or site_search_factor or be fully searchable. You can roll the buckets manually or by issuing a rolling-restart command.
2014-03-17 SPL-81955 Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed.
2014-03-14 SPL-81913 Changing your configuration from multi site to non-multisite can result in unsearchable buckets.
2014-01-06 SPL-78688 Peer is able to change to an invalid (empty) replication port
2013-12-11 SPL-77792 Different # events returned for identical buckets on different sites because partial uncompressed slice exists on one peer's bucket but not on others
2013-09-11 SPL-74253 Clustering - Maintenance mode does not carry over across master restarts.
2013-08-23 SPL-73652 "splunk offline -enforce-counts" incorrectly fails to stop the peer (splunk does not exit)

Workaround:
How to avoid this issue

=> Do not use "--enforce-count" option

How to fix this issue when this already happened and got stuck with "Decommissioning" ? 1) Stop the Cluster Peer ("splunk stop") => CM should show the CP as "down" 2) Make sure searchable factor and replication factor are met in the view of Cluster Management => If not, there is another issue happening in addition to this bug. This bug happens even when all buckets have no problem. 3) Option: If you need to remove the 'decommissioned' CP from Cluster Management view, you need to restart Cluster Master. In dash, we can remove a down-ed peer or Graceful shutdown peer from master's list with out restarting the master. At CM, you have to do something like: $SPLUNK_HOME/bin/splunk remove cluster-peers -peers GUID1,GUID2,GUID3 ( SPL-86868 )

2013-08-06 SPL-72484 You cannot use the CLI to delete an index with a capital letter in its name.
2013-07-03 SPL-70433 Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps.
2013-03-20 SPL-63687 Clustering dashboard displays the removed peer list for ever

Distributed search and search head clustering issues

Date filed Issue number Description
2015-02-26 SPL-97352 $SPLUNK_HOME/var/run/splunk/lookup_tmp is filling up on search-head, no reaping seems to occur
2015-02-26 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files.

Workaround:
The allowable size of the download can be increased by setting the following in server.conf.

[httpServer] max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is:

[Endpoint - Local Processes Tracker - Lookup Gen]

2014-08-25 SPL-90028 Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-08-14 SPL-89131 In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-08-02 SPL-88228 When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.
2014-05-27 SPL-84540 SHP + Clustered - edit cluster-config -mode clears away replication_port in server.conf, should rename setting to shp_replication_port
2014-03-28 SPL-82386 Cluster master with distributed search disabled still dispatches searches to cluster peers.

Universal forwarder issues

Date filed Issue number Description
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day

Workaround:
In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.

Workaround:
To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2015-12-20 SPL-111356, SPL-112912, SPL-112913, SPL-112996 A plus button of the machine type filter of the forwarder management page does not display on IE version 11
2014-10-02 SPL-91648, SPL-91358 Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-08-15 SPL-89333 Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-06-20 SPL-85739 When running a high number of deployment clients for a server, memory growth may be excessive.

Workaround:
To mitigate this, set forceHttp10=always.
2013-12-13 SPL-77905 "./splunk list deploy-clients" limited to 30

Splunk Web and interface issues

Date filed Issue number Description
2015-10-06 SPL-107501, SPL-115840 Expanding an event row containing a very long single line string causes browser to become unresponsive

Workaround:
Disable drilldown before running search.
2014-09-26 SPL-91346, SPL-91344 A user with a non-admin role but edit_user capability can map to the Roles page. User receives a message that there is an error retrieving the configuration, and cannot process the page.
2014-08-02 SPL-88230 Because the Search RSS feed URIs do not include locale, clicking on them leads to an error page.
2014-07-16 SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-02-26 SPL-81103 Username surrounded by dollar signs cannot create saved searches.
2013-11-20 SPL-76798 Time range picker is not customizable via times.conf the same as version 5 or as suggested by docs.
2013-10-17 SPL-75354 Opening saved searches for editing or running CLI searches are very slow.

Workaround:
Disable fetch_remote_search_log in limits.conf.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Windows-specific issues

Date filed Issue number Description
2015-11-13 SPL-109430 In Windows only, inheritance is broken for folders created by splunkd. Files created are accessible only to the user as whom splunkd is running.
2015-05-07 SPL-101053 The Windows Host Monitor "Application" input (WinHostMon://Application) has been deprecated.

Workaround:
In the Installation Manual, under the topic "About upgrading to 6.3 - READ THIS FIRST", see the section "The Windows host monitoring input no longer monitors application state".
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-01 SPL-98978 On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time.

Workaround:
To fix the problem, restart Windows on the forwarder.


2014-10-20 SPL-92192, SPL-92193, SPL-96184, SPL-100199, SPL-105086 When evt_dc_name is not specified for Wineventlog input (and SID resolution) is enabled, use the local DC (not PDC) for SID resolution
2014-09-25 SPL-91279 Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles.

Workaround:
See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.

Rest, Simple XML, and Advanced XML issues

Date filed Issue number Description
2013-05-15 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

Authentication and Authorization issues

Date filed Issue number Description
2012-02-22 SPL-48342 LDAP strategy host field cannot work with ipv6 format address but computer name is okay

Admin and CLI issues

Date filed Issue number Description
2015-03-11 SPL-97942 Capability defined in an app does not take effect when assigned to a role

Workaround:
The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:

[search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table

2014-04-07 SPL-82699 SSO: Acceleration icon fails to display in Searches, Reports, and Alerts page.
2013-12-13 SPL-77905 "./splunk list deploy-clients" limited to 30
2013-05-25 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.

Workaround:
Set server.conf [applicationsManager] allowInternetAccess = false
2013-05-02 SPL-66511 If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.

Uncategorized issues

Date filed Issue number Description
2015-06-18 SPL-103302 Files ownership are failed to be changed when using debian package to install splunk and $SPLUNK_HOME is a symlink

Workaround:
Run a recursive chown from the command line on $SPLUNK_HOME manually, post install.
2015-04-24 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml)

Workaround:
Workaround is to use label attribute for collection element.

<collection label="Others">

           <view source="unclassified" match="Dashboard"/>
     </collection>  
2015-03-26 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id.

Workaround:
The workaround is to remove the duplicated bucket.
2015-03-25 SPL-98594 Routing events to two different groups not working as expected.

Workaround:
1 On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups.

2 Setup a proxy UF which takes input from the original UF and send input out syslog server. This solution only requires config change and no patch release is required.

2015-02-26 SPL-97389 When using timechart command, the embedded report shows different time format than the original report.
2015-01-30 SPL-96089 Deleting a newly created index hangs splunkd
2015-01-14 SPL-95451 KV Store refuses to start when permissions on kvstore/mongo/splunk.key are "too open"

Workaround:
Change permissions of the path /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key from 666 to 600.
2014-12-19 SPL-95174, ERP-1343, ERP-1346 Searches fail on corrupted journal.gz files
2014-10-31 SPL-92596 After upgrade from Splunk Enterprise 6.1 or earlier to 6.4.x on Windows, splunkweb service does not start automatically. Attempts to start it manually show "Error 1053: The service did not respond to the start or control request in a timely fashion."

Workaround:
This is expected behavior. See the Splunk Answers post: http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html
2014-10-24 SPL-92432, SPL-99583 Chart in dashboard panel does not honor interval settings.

Workaround:
In the panel XML, specify a larger height to use the correct interval settings.
2014-10-17 SPL-92162 Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
2014-09-21 SPL-91206 SHClustering + KVStore: removing member from SHC does not remove from mongo replica set
2014-09-20 SPL-91110 Schedule Search page accepting incorrect cron scheduler format
2014-09-17 SPL-90958 Unexpected duplicate app: _cluster caused due to password hashing
2014-09-12 SPL-91962, SPL-92016 In a search head pooled environment, if you start your Splunk Enterprise instance before your NFS storage mounts, Splunk Enterprise starts but KV store fails to initialize. As a result, you cannot access KV store.

Workaround:
Make sure your NFS storage is mounted and reachable, then restart your instance of Splunk Enterprise.
2014-09-11 SPL-90738 Monitoring a directory with an unknown sourcetype produces indexing errors.
2014-09-04 SPL-90510 ERROR KVStorageProvider - Could not update replica set configuration, error domain 5, err code 13432, Error message: exception: _id may not change for members
2014-08-26 SPL-90139 <timestamp> does not display in the Patterns tab when searches are run in fast mode.
2014-06-30 SPL-86226 User should have ability to navigate to Panel in case of error
2014-06-16 SPL-85497 Unable to save generated PDFs using Chrome internal PDF viewer.

Workaround:
Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, seehttps://support.google.com/chrome/answer/142056.


2014-04-22 SPL-83365 Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
2014-04-14 SPL-83068 Default index can be set to random index.
2014-04-01 SPL-82517 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
2014-03-23 SPL-82238 Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
2014-03-13 SPL-81856 Show all lines does not work in data model editor preview.
2014-03-12 SPL-81810 Licensing - license pool warning at license master keeps coming back after deleting it.

Workaround:
Delete the warnings on the peers first, then the License Manager.
2014-03-12 SPL-81781 In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range.
2014-02-07 SPL-80285 In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions.

Workaround:
For more information, see Add lookup files to Splunk.
2014-02-06 SPL-80187 In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared.

Workaround:
Share the definition. For more information, see Add lookup files to Splunk.
2014-01-31 SPL-79862 When creating a tag on a field in an event listing, the tag is added but fails to show in event fields unless it is selected.
2014-01-31 SPL-79842 On Windows, Indexer doesn't accept new connections on splunktcpin port after queue blockage is resolved
2013-12-30 SPL-78462 homePath.maxDataSizeMB and coldPath.maxDataSizeMB being ignored on Windows
2013-12-13 SPL-77954 Primary copy of bucket left in strange state with chunk of data not added to journal.gz causing event counts to be off between peers with a common bucket
2013-11-27 SPL-77139 Licenser pool usage gets reflected only after restarting splunkd.
2013-09-13 SPL-74337, BETA-496 You cannot specify a destination folder when installing on OSX.
2013-09-03 SPL-73981 Improve handling of FIPS flag on Windows x86 - error instead of crash
2013-08-28 SPL-73826 Windows: hostname override not working properly
2013-08-28 SPL-73818 Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL.

Workaround:
To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.
2013-08-27 SPL-73798 An error occurred while generating a PDF of scheduled search with quotes in the title
2013-08-13 SPL-73029 heatmaps not shown in pdf
2013-07-25 SPL-71645 Report acceleration Summary folders (summaryHomePath) cannot be created if thehomePath of the index is at the root of the filesystem, (homePath=D:\myindex orhomePath=/myindex).

Workaround:
Create the folder manually.
2013-06-13 SPL-69304 If license slaves are running <6.0 version, they do not have the idx field and in theLicense Usage view, the split by index field will show a field named UNKNOWN.
2013-05-14 SPL-67268 Not able to "Export PDF" if Dashboard has no row or empty row
2013-04-30 SPL-66213 PDF server app is not working with latest Xvfb
2013-04-12 SPL-65124 Sorting as "asc" does not work for Dashboard of Panel Type: List.
2011-09-30 SPL-43791 Incorrect server status reported when there is a problem with the SSL/TLS configuration
2011-03-18 SPL-38082 Block signature reports YES gaps, NO tampering for data when the source is not well ordered in time
2010-10-08 SPL-34347 wmi input default fields - with value including newlines doesn't search properly becasue of \r\n issue
PREVIOUS
Welcome to Splunk Enterprise 6.2
  NEXT
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 6.2.15


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters