
Known issues
The following are issues and workarounds for this version of Splunk Enterprise.
Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.
For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.
Highlighted issues
Publication date | Defect number | Description |
---|---|---|
2016-04-05 | SPL-109427 | LDAP SSL does not work in Splunk 6.3 (and later) for Windows 2003. Workaround is as follows:
2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it. |
2014-10-30 | SPL-92596 | After an upgrade from Splunk Enterprise 6.1.x or earlier to Splunk Enterprise 6.3 on Windows, the splunkweb service does not start automatically. Attempts to start it manually result in the following message: Error 1053: The service did not respond to the start or control request in a timely fashion. This is by design. While the splunkweb service does install, the splunkd service now handles all Splunk Web operations. See "The Splunk Web service installs but does not run" in "About Upgrading to 6.3."
|
2014-10-28 | — |
Due to a recent vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure allowed and restricted SSL versions in the Securing Splunk Enterprise manual and the Blog entry: Mitigating the POODLE attack in Splunk. |
2014-10-28 | SPL-92435 | Forcing TLS1.2 or TLS1.1 in server.conf with SPLUNK_FIPS does not work.
|
Upgrade issues
This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.
Publication date | Defect number | Description |
---|---|---|
2014-10-28 | SPL-91835 | Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, remove the app before starting an upgrade. To prevent this issue from occurring, upgrade the app to version 1.1.5 before you upgrade Splunk Enterprise. |
Pre-6.2 | SPL-89640 | If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
|
Pre-6.2 | SPL-73386 | Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:
1. Create a special power/admin user who can run scheduled searches. 2. Assign this user ownership of the scheduled searches. 3. Share the searches at the app level and grant read/write permission to the correct set of users. |
Data input issues
Publication date | Defect number | Description |
---|---|---|
2015-9-22 | SPL-101981 | Field extractions do not work when sourcetypes use quotes in the Getting Data In interface. |
2015-9-22 | SPL-106894 | Disabling a listening port appears to disable all listening ports. |
2015-9-22 | SPL-97193 | The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string. |
2015-9-22 | SPL-92870 | Token not visible in Visualizations Editor if the token contains "$" character. |
2015-9-22 | SPL-94995 | "link" input does not show expected value if choice has space or it is empty. |
2015-9-22 | SPL-98693 | "showClearButton" attribute does not render in Splunk Web if the attribute has no value. |
2015-7-7 | SPL-98163 | INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL. To mitigate this, create a separate extraction in props.conf where defined w3c extraction method:
EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++) |
2015-7-7 | SPL-99316 | Universal Forwarders stop sending data repeatedly throughout the day. To workaround, in limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
|
2015-7-7 | SPL-99796 | Universal Forwarder Crashing thread: Main Thread - Access violation, cannot read at address. The workaround is to remove the migrated script input: [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] |
2014-10-28 | SPL-88396 | After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI.
Workaround: Create a server class, where you can see the client name, and use that group when you add data. |
2014-10-28 | SPL-90527 | After gzipping a directory that has previously been indexed, a monitor re-indexes the contents of the gzipped directory. |
2014-10-28 | SPL-90738 | Monitoring a directory with an unknown sourcetype produces indexing errors. |
Pre-6.2 | SPL-83068 | Default-index can be set to random index. |
Pre-6.2 | SPL-34347 | wmi input default fields - with value including newlines doesn't search properly because of \r\n issue. |
Pre-6.2 | SPL-73825, SPL-73826 | Hostname override/Regex on path not working correctly for compressed file inputs on Windows. |
Pre-6.2 | SPL-74209 | Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.
|
Charting, reporting, and visualization issues
Publication date | Defect number | Description |
---|---|---|
2015-10-3 | SPL-107365 | When charting.data.count property is set to 0 (for displaying all results), an incorrect results truncation warning message appears on the chart dashboard. |
2015-9-22 | SPL-97389 | When using timechart command, the embedded report shows different time format than the original report. |
2015-9-22 | SPL-97361 | In Simple XML, the <fields> tag is not compatible with custom RowExpansionRenderer function. |
2015-01-12 | SPL-94047 | While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column. |
2014-10-28 | SPL-92432 | Chart in dashboard panel does not honor interval settings.
Workaround: In the panel XML, specify a larger height to use the correct interval settings. |
Pre-6.2 | SPL-79768 | Changing map and tile parameters in the Vizualization Editor creates error in Console. |
Pre-6.2 | SPL-80568 | Highcharts set Y-axis value based on first point outside visible range. |
Pre-6.2 | SPL-81538 | When using pivot, stack mode is lost when "Scatter Chart" is selected. - loses stack mode. |
Pre-6.2 | SPL-73846 | New reports are not displayed in the report list until you refresh the window. |
Pre-6.2 | SPL-73569 | Pie maps do not have legend labels. |
Indexers and indexer clustering issues
Publication date | Defect number | Description |
---|---|---|
2016-10-31 | SPL-131071 | Index time-snapping logic could result in overlapping hot buckets, causing crashes. |
2015-09-27 | SPL-107095/104078 | Splunkd may crash due to assertion failure in Tailing. Crashing thread: tailreader0 or mainTailingThread. splunkd_stderr.log error with "StatWrap::isDir() const: Assertion `_valid' failed". At this time there is no work around.
|
2015-9-22 | SPL-102643 | Crash may occur on FilesystemOpExecutorWorker thread because the BucketMover object is deleted while active IndexerTJobs point to it. This can occur only upon shutdown, and should not result in data loss.
|
2015-9-22 | - | There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals. Searches that key off these lines need to select their desired name=x category in order to see a single thruput value. |
2015-9-22 | SPL-101184 | Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer. |
2015-9-22 | SPL-101954 | Search head clusters can miss jobs when counting against search quotas, resulting in too many jobs being dispatched to the set of search peers. |
2015-9-22 | SPL-102362 | Dynamic indexer discovery only supports one input. |
2015-9-22 | SPL-100980 | Single Indexer does not scale when receiving parsed data from multiple PipelineSets. |
2015-06-10 | SPL-102939 | Archive Processor cannot handle zip files if they contain Japanese languages in the file name. |
2014-10-28 | SPL-87816 | When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.
Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing. |
2014-10-28 | SPL-90630 | On a multisite cluster, no warning is given when search head names are the same. |
2014-10-28 | SPL-83636 | If you first configure a master with default RF/SF and then give the mis-configuration command, you get an error message that is wrong. |
2014-10-28 | SPL-90661 | Taking a peer offline with enforce counts on causes master to remain in fixup mode. |
2014-10-28 | SPL-90659 | Configure clusters with large numbers of buckets. For clusters with a large number of buckets (>100k), Splunk recommends changing the service_interval (under the [clustering] stanza in server.conf ) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.
For clusters with a large number of buckets (>100k), Splunk recommends changing the |
2014-10-28 | SPL-91861 | On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>. |
2014-10-28 | SPL-86799 | After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb. |
2014-10-28 | SPL-90331 | Multi-site cluster doesn't meet replication factor/search head factor due to bucket issue.
Workaround: From the endpoint, add the buckets missing RF/SF to the to_fix list. |
2014-10-28 | SPL-78688 | Peer is able to change to an invalid (empty) replication port. |
2014-10-28 | SPL-91432 | On Windows when the master is down, the CLI command splunk offline hangs when run from one of the streaming target peers.
|
2014-10-28 | SPL-88434 | Inaccurate message "Detected possible tampering with this source" may display for valid data. |
2014-7-7 | SPL-98700 | splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id. The workaround is to remove the duplicated bucket. |
Pre-6.2 | SPL-70433 | Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exists in the /etc/slave-apps, causing this warning. |
Pre-6.2 | SPL-90932 | WinEventLog (Windows Event Log) with "start_from = newest" attributes in inputs.conf indexes events more than once. This cause duplicated events. Do not use this option. |
Pre-6.2 | SPL-81934 | For clusters, may be unable to open search results output file for search results in a cluster. Workaround is to write to a temp file and rename to the target file. |
Pre-6.2 | SPL-81913 | Changing your configuration from multi site to non-multisite can result in unsearchable buckets. |
Pre-6.2 | SPL-81955 | Multisite peer takes approximately six minutes to restart when site configuration is changed. |
Pre-6.2 | SPL-82386 | Cluster master with distributed search disabled still dispatches searches to cluster peers. |
Pre-6.2 | SPL-81972, SPL-81963 | For a multisite cluster, you must roll the peers' hot buckets if you change the values of any of these attributes: site_replication_factor, site_search_factor, or available_sites, and then restart the master. Otherwise, the buckets might not meet the new site_replication_factor or site_search_factor or be fully searchable. You can roll the buckets manually or by issuing a rolling-restart command. |
Pre-6.2 | SPL-82038 | Cluster-config will not work if the parameter value has spaces in them. |
Pre-6.2 | SPL-77954 | In clusters, primary copy of bucket is left in weird state with chunk of data not added to journal.gz . This can cause event counts to be off between peers with a common bucket.
|
Pre-6.2 | SPL-73652 | Running splunk offline -enforce-counts incorrectly fails to stop the peer and Splunk does not exit.
|
Pre-6.2 | SPL-72484, SPL-74103 | Changing the server name on search head doesn't get reflected in the cluster master's cluster management page. |
Data model and Pivot issues
Publication date | Defect number | Description |
---|---|---|
Pre-6.2 | SPL-80285 | In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions. For more information, see Add lookup files to Splunk. |
Pre-6.2 | SPL-80187 | In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared. The workaround is to share the definition. For more information, see Add lookup files to Splunk |
Pre-6.2 | SPL-82262 | Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User. |
Pre-6.2 | SPL-81645 | Data model exhibits sticky UI when "transaction group by object" name has a single (x) character. |
Pre-6.2 | SPL-81781 | Data Model Manager: Acceleration Status and Access Count fails to update when you click "Update." |
Pre-6.2 | SPL-82133 | Data model allows users to upload a JSON file which has Field names with spaces but will not validate it. |
Pre-6.2 | SPL-82238 | Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected. |
Pre-6.2 | SPL-83686 | Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status. |
Pre-6.2 | SPL-81701 | Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once. |
Pre-6.2 | SPL-81781 | In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update". |
Pre-6.2 | SPL-81856 | Show all lines does not work in data model editor preview. |
Pre-6.2 | SPL-82164 | Migrating invalid data models from 6.0 to 6.1 fails. |
Pre-6.2 | SPL-58585 | In a Cluster, report acceleration and data model acceleration summaries are not replicated, which cause high cpu consumption in case of peer down. |
Pre-6.2 | SPL-77054 | Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot. |
Integrated PDF generation and PDF Report Server issues
Publication date | Defect number | Description |
---|---|---|
2015-9-22 | SPL-98890 | Maps printed from Report page do not honor custom zoom and center. |
2015-9-22 | SPL-105413 | PDF Report Server appears in product despite the fact it is no longer supported. |
2015-03-19 | SPL-85497 | Unable to save generated PDFs using Chrome internal PDF viewer.
Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, see https://support.google.com/chrome/answer/142056. |
Pre-6.2 | SPL-58744 | If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line. |
Pre-6.2 | SPL-67491 | Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used. |
Search, saved search, alerting, scheduling, and job management issues
Publication date | Defect number | Description |
---|---|---|
2016-04-06 | SPL-107585 | Summary-generating search can become stuck in infinite loop when processing large multi-line events. |
2016-02-03 | SPL-111800 | A backslash preceding a whitespace causes a DELIM-based field extraction to not consider the whitespace as a valid delimiter. The workaround is to use a REGEX. |
2016-02-19 | SPL-102405 | The outputcsv search command gives no help when an invalid filename is used. Directory separator characters such as "/" and "\" are not allowed as an argument for outputcsv. |
2015-10-25 | SPL-106327 | Simultaneous "splunk restart splunkweb" and "splunk stop" cause crashing race condition in HTTPDispatch Thread. |
2015-09-06 | SPL-106294 | SearchResults complains in splunkd.log about a corrupt CSV file header without having the decency to name of the offending file or lookup table. Example: WARN SearchResults - Corrupt csv header, contains empty value (col #3) |
2015-07-22 | SPL-103247 | Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted. To mitigate this issue, use milliseconds instead of microseconds in your searches. |
2015-07-22 | SPL-106277 | When user performs a fetch from eventtypes/_new then creates a POST with the same attributes from the fetch, a color attribute causes an error. The workaround is to remove the "color" field before POSTing. |
2015-07-07 | SPL-99421 | Long name of app causes accelerated search to not complete normally and shows invalid results on Win 2k8 R2. To mitigate this, reduce the length of the app name. Report acceleration searches should then run properly within the context of the app. |
2015-07-07 | SPL-101164 | Indexed field extraction not extracting completely for certain json events. |
2014-12-22 | SPL-94910 | The replace function does not apply to fields names with an underscore in it. The workaround is to rename the fields to remove the underscores before the replace.
|
2014-11-13 | SPL-93039 | The relevancy search command does not work, always returning 0 or -inf .
|
2014-10-28 | SPL-92303 | Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results. |
2014-10-28 | SPL-91778 | Dispatch disk usage incorrectly includes temporary CSV result files for large event searches, which can lead to job queueing. |
2014-10-28 | SPL-87015 | chart count by source and *| cluster showcount=t | table cluster_count _raw ) no metadata/ result is available when user drills down on Count and Percent columns.
|
2014-10-28 | SPL-90139 | [timestamp] does not display in the Patterns tab when searches are run in fast mode. |
2014-10-28 | SPL-88228 | When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however. |
2014-10-28 | SPL-89332 | Report acceleration summaries do now show in Settings when you have hundreds of reports accelerated. |
2014-10-28 | SPL-79862 | When creating a tag on a field in an event listing, the tag is added but fails to show in event fields unless it is selected. |
2014-10-28 | SPL-90861 | If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. Not message is displayed, though the information is added to search.log. |
Pre-6.2 | SPL-81103 | Username surrounded by dollar signs cannot create saved searches. |
Pre-6.2 | SPL-82517 | Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings. |
Pre-6.2 | SPL-78612 | Deleting a dashboard with a scheduled PDF does not also delete the scheduled view. |
Pre-6.2 | SPL-79562 | Cloned dashboard is not scheduled but "Schedule PDF Delivery" link indicates that the schedule was cloned. |
Pre-6.2 | SPL-83129 | Eval Function strptime does not return results when 1970 date is used |
Pre-6.2 | SPL-79738, SPL-81136 | The iconify command fails to render icons in the event viewer.
|
Pre-6.2 | SPL-76798 | The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x
|
Pre-6.2 | SPL-67642 | reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated. |
Splunk Web and Home interface issues
Publication date | Defect number | Description |
---|---|---|
2015-7-7 | SPL-99687 | Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. To mitigate this, edit the following stanza in inputs.conf :
[WinEventLog://Security] evt_resolve_ad_obj = 0 |
2015-10-21 | SPL-107449 | After upgrade to 6.3 - UI is missing app icons and navigation drop downs due to cookie arrays failing to be parsed |
Pre-6.2 | SPL-80942 | Flashtimeline: 500 Internal Server Error when pasting long URL into panel name. |
Pre-6.2 | SPL-73818 | Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521. |
Distributed deployment, forwarder, and deployment server issues
Publication date | Defect number | Description |
---|---|---|
2015-11-06 | SPL-108220 | Unable to deploy an app through Deployment Server Forwarder Management. Error: app=<appname> was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app=<appname> via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server. |
2014-10-28 | SPL-91648 | Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server. |
2014-10-28 | SPL-89333 | Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage. |
2014-10-28 | SPL-85739 | When running a high number of deployment clients for a server, memory growth may be excessive. To mitigate this, set forceHttp10=always. |
Pre-6.2 | SPL-35700 | When deploying apps from a Windows deployment server to Unix deployment clients, scripts do not arrive with executable flag set |
Pre-6.2 | SPL-81637 | Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none". |
Pre-6.2 | SPL-75764 | Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
|
Pre-6.2 | SPL-82949 | When you add unsupported attributes to serverclass.conf in Forwarder Management, a blank page is displayed with no error that an unsupported attribute was added. Instead the message displays: FAILED_LOAD_DEPLOYMENT_SERVER.
|
Pre-6.2 | SPL-74427 | The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer.
|
Distributed search and search head clustering issues
Publication date | Defect number | Description |
---|---|---|
2015-11-06 | SPL-106978 | Failed SHC captain election causes unnecessary change in server.conf. |
2015-04-14 | SPL-97352 | Temporary lookup folder $SPLUNK_HOME/var/run/splunk/lookup_tmp filling up on the search head. |
2015-03-30 | SPL-97385 | $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files. |
2014-10-28 | SPL-89809 | Updates to $SPLUNK_HOME/var/run/*.csv via outputcsv are not replicated across the cluster. |
2014-10-28 | SPL-89131 | In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save. |
2014-10-28 | SPL-90028 | Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact. |
2014-10-28 | SPL-91638 | For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member. |
2015-11-18 | SPL-109471 | For Real Time Scheduled Search in search head cluster, alerts are triggered twice |
2014-10-28 | SPL-87816 | When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.
Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing. |
2014-7-7 | SPL-99110 | Distributed search fails intermittently to a subset of peers with an unhelpful "Unknown error". To work around this, edit /etc/sysctl.conf to modify the following lines:
net.core.rmem_max = 134217728 net.core.wmem_max = 134217728 net.ipv4.tcp_rmem = 16384 87380 67108864 net.ipv4.tcp_wmem = 16384 87380 67108864 Restart splunkd. Repeat above steps for SH and the Indexer. Run sysctl -p for changes to take effect. Sometimes sysctl -p may not work due to caching and rebooting is a better option. Restart indexer. |
pre-6.2 | SPL-82244, SPL-90958 | Unexpected duplicate app: _cluster caused due to password hashing (). |
2016-02-15 | SPL-109514 | Number of concurrent searches increases in an idle SHC member |
Windows-specific issues
Publication date | Defect number | Description |
---|---|---|
2015-12-02 | SPL-110235 | Windows Indexers become unresponsive and hangs. No new searches are kicked off on the indexer, and the indexers may return 503 when logging in. |
2015-9-25 | SPL-101053 | The Windows Host Monitor "Application" input (WinHostMon://Application) has been deprecated. See The Windows host monitoring input no longer monitors application state. |
2015-9-22 | SPL-101289 | When the number of indexing pipeline sets is greater than four, indexing throughput decreases. |
2015-9-22 | SPL-102008 | On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference. |
2015-9-22 | SPL-101886 | The Splunk Enterprise login page logo displays incorrectly in IE version 9 when SSL is enabled and a trusted 3rd party certificate is in place. |
2015-7-7 | SPL-98978 | On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time. To fix the problem, restart Windows on the forwarder. |
2015-7-7 | SPL-91279 | The Splunk universal forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles. See Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2 on the Microsoft Support website for a hotfix download.
|
Pre-6.2 | SPL-80589 | On Windows Server 2012 and Server 2012 R2, an external bug causes the "% Processor_Time" counter to display 100 for multiple processes, even when the number of available CPU cores precludes that possibility. |
Pre-6.2 | SPL-78984 | The 32 bit Windows version of the universal forwarder fails to properly upgrade from non-default location. Note: Installing a 32-bit version of any Splunk software on top of 64-bit version is neither supported nor recommended. |
Pre-6.2 | SPL-83365 | Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
|
Pre-6.2 | SPL-77126 | The Registry data input incorrectly handles events with different cases in their paths. |
Pre-6.2 | SPL-82357 | The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
|
Pre-6.2 | SPL-81489 | Version 6.x of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows ), regardless of whether or not you disable the WINEVENT_* installation flags.
|
Pre-6.2 | SPL-75116 | If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.x instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf .
|
Pre-6.2 | SPL-73826 | The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows. |
Pre-6.2 | SPL-74209 | Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition. |
Pre-6.2 | SPL-48342 | LDAP authentication does not work on Windows over the IPv6 protocol. |
Pre-6.2 | SPL-73818 | Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521. |
REST, Simple XML, and Advanced XML issues
Publication date | Defect number | Description |
---|---|---|
2015-9-22 | SPL-96091 | Cannot use token in <option name="count">$token$</option>. |
2014-10-28 | SPL-91211 | Cascading form inputs that uses an unset condition on a form input causes a continuous loop for the form input values. |
2014-10-28 | SPL-32852 | Post process may not return expected events if the original job is truncated. |
2014-10-28 | SPL-86226 | User cannot navigate from a dashboard to a prebuilt panel to fix a simple XML error in the panel. |
2014-10-28 | SPL-91074 | (Mobile) Submit button does not render when instantiating a form using the client-side parser/factory. |
2014-10-28 | SPL-91996 | Panel that uses a duplicate ID when referencing a base search silently fails to render. |
Pre-6.2 | SPL-82233, SPL-76824 | Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event. |
Pre-6.2 | SPL-78179 | REST /saved/searches App Names With Special Characters Have Invalid Links. |
Pre-6.2 | SPL-74151 | Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page. |
Pre-6.2 | SPL-66511 | Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view. |
Pre-6.2 | SPL-65124 | Sorting as "asc" does not work for Dashboard of Panel Type: List. |
Pre-6.2 | SPL-64489, SPL-32852 | HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events. |
Pre-6.2 | SPL-67453 | When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard><foo></dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>. |
Web Framework issues
Publication date | Defect number | Description |
---|---|---|
Pre-6.2 | — |
If you do not set the "value" property when you first create a TimeRange view, you get an error if you try to change "earliest_time" and "latest_time" properties later. |
Unsorted issues
Publication date | Defect number | Description |
---|---|---|
2016-05-03 | SPL-116846 | User name must be "admin" to apply changes in distributed mode DMC. |
2015-9-22 | SPL-102312 | There is now a limit on the number of entries which may be automatically added to the learned app (see migration manual). |
2015-9-22 | SPL-101270 | In the DMC, the sort button overlaps with the column separator. |
2015-9-22 | SPL-103701 | Actions links should be removed from "Apps Browser." |
2015-9-22 | SPL-104243 | Memory leakage may occur when saving custom groups. |
2015-9-22 | SPL-103010 | Indexing throughput on forwarder with four pipelinesets drops 30% compared to two pipelinesets. |
2015-9-22 | SPL-103205 | Image tour may not work in Pivot page. |
2015-9-15 | SPL-109219 | DMC License does not display correctly after upgrading to 6.3. |
7-7-2015 | SPL-97942 | Capability defined in an app does not take affect when assigned to a role. The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:
[search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table |
7-7-2015 | SPL-100322 | A view gets stuck with "loading" due to problematic navigation (default.xml). Workaround is to use label attribute for collection element:
<collection label="Others"> <view source="unclassified" match="Dashboard"/> </collection> |
7-7-2015 | SPL-98594 | Routing events to two different groups not working as expected. |
2015-05-04 | SPL-91962 | In a search head pooled environment, if you start your Splunk Enterprise instance before your NFS storage mounts, Splunk Enterprise starts but KV store fails to initialize. As a result, you cannot access KV store. Resolution: Make sure your NFS storage is mounted and reachable, then restart your instance of Splunk Enterprise. |
2014-11-10 | SPL-92831 | A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ". The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1). |
2014-10-28 | SPL-91346 | A user with a non-admin role but edit_user capability can map to the Roles page. User receives a message that there is an error retrieving the configuration, and cannot process the page.
|
2014-10-28 | SPL-91709 | Splunkd timeouts on setting up ES app on Windows. |
2014-10-28 | SPL-92162 | Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine. |
Pre-6.2 | SPL-81810 | License pool warning at license master keeps coming back after deleting it. The workaround is to delete the warnings on the peers first then the License Manager. |
Pre-6.2 | SPL-77139 | Licenser pool usage gets reflected only after restarting Splunkd. |
Pre-6.2 | SPL-82699 | SSO: Acceleration icon fails to display in Searches, Reports, and Alerts pages. |
Pre-6.2 | SPL-71645 | Report acceleration Summary folders (summaryHomePath ) cannot be created if the homePath of the index is at the root of the filesystem, (homePath=D:\myindex or homePath=/myindex ). The workaround is to create the folder manually.
|
Pre-6.2 | SPL-74337 | You cannot specify a destination folder when installing on OSX. |
Pre-6.2 | SPL-72484 | Cannot use the CLI to delete an index with a capital letter in its name. |
Pre-6.2 | SPL-68010 | The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO. |
Pre-6.2 | SPL-73636 | If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day. |
Pre-6.2 | SPL-69304 | If license slaves are running <6.0 version, they do not have the idx field and in the License Usage view, the split by index field will show a field named UNKNOWN .
|
PREVIOUS Welcome to Splunk Enterprise 6.3 |
NEXT Splunk Enterprise and anti-virus products |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.1
Feedback submitted, thanks!