Splunk® Enterprise

Release Notes


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.

Highlighted issues

Publication date Defect number Description
2016-4-21 SPL-119575 In 6.4.1 and later, adding a search peer with a higher version number issues a warning when using the REST API. The search peer is successfully added.
2016-04-05 SPL-109427 LDAP SSL does not work in Splunk 6.3 (and later) for Windows 2003. The workaround is as follows:

1) Obtain the ciphers configured on the Windows AD 2003 server.

2) Adjust the TLS_CIPHER_SUITE setting in etc/openldap/ldap.conf to match them.

Due to a vulnerability found in SSLv3, you should update your Splunk Enterprise configuration to use a different version of SSL. See Configure allowed and restricted SSL versions in the Securing Splunk Enterprise manual and the Blog entry: Mitigating the POODLE attack in Splunk.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Publication date Defect number Description
2014-10-28 SPL-91835 Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, remove the app before starting an upgrade. To prevent this issue from occurring, upgrade the app to version 1.1.5 before you upgrade Splunk Enterprise.
Pre-6.2 SPL-89640 If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
Pre-6.2 SPL-73386 Admin users can't schedule saved searches of users unless the saved searches are shared. To work around this problem:

1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Publication date Defect number Description
2017-3-1 SPL-127095 Duplicate events with indexer discovery following outages on indexer cluster.
2015-9-22 SPL-101981 Field extractions do not work when sourcetypes use quotes in the Getting Data In interface.
2015-9-22 SPL-97193 The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string.
2015-9-22 SPL-92870 Token not visible in Visualizations Editor if the token contains "$" character.
2015-7-7 SPL-98163 INDEXED_EXTRACTIONS=W3C truncates the field cs_uri_stem when spaces are present in the URL. To mitigate this, create a separate extraction in props.conf, where the W3C extraction method is defined:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

2015-7-7 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day. To work around this, in limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2015-7-7 SPL-99796 Universal Forwarder Crashing thread: Main Thread - Access violation, cannot read at address. The workaround is to remove the migrated script input: [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
2014-10-28 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI.

Workaround: Create a server class, where you can see the client name, and use that group when you add data.

2014-10-28 SPL-90527 After gzipping a directory that has previously been indexed, a monitor re-indexes the contents of the gzipped directory.
2014-10-28 SPL-90738 Monitoring a directory with an unknown sourcetype produces indexing errors.
Pre-6.2 SPL-83068 Default-index can be set to random index.
Pre-6.2 SPL-34347 WMI input default fields with values that include newlines do not search properly because of a \r\n issue.
Pre-6.2 SPL-73825, SPL-73826 Hostname override/Regex on path not working correctly for compressed file inputs on Windows.
Pre-6.2 SPL-74209 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.

Charting, reporting, and visualization issues

Publication date Defect number Description
2015-9-22 SPL-97389 When using timechart command, the embedded report shows different time format than the original report.
2015-9-22 SPL-97361 In Simple XML, the <fields> tag is not compatible with custom RowExpansionRenderer function.
2015-01-12 SPL-94047 When creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human-readable way, but are displayed with the epoch timestamp. It works when using _time as a 'Split Row' column.
2014-10-28 SPL-92432 Chart in dashboard panel does not honor interval settings.

Workaround: In the panel XML, specify a larger height to use the correct interval settings.

Pre-6.2 SPL-79768 Changing map and tile parameters in the Visualization Editor creates an error in the Console.
Pre-6.2 SPL-80568 Highcharts set Y-axis value based on first point outside visible range.
Pre-6.2 SPL-81538 When using Pivot, stack mode is lost when "Scatter Chart" is selected.
Pre-6.2 SPL-73569 Pie maps do not have legend labels.

Indexers and indexer clustering issues

Publication date Defect number Description
2015-11-16 SPL-107606 Inconsistency between summary and datamodel_summary files.
2015-9-22 - There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals. Searches that key off these lines need to select their desired name=x category in order to see a single thruput value.
2015-9-22 SPL-101184 Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer.
2015-9-22 SPL-102362 Dynamic indexer discovery only supports one input.
2015-9-22 SPL-100980 Single Indexer does not scale when receiving parsed data from multiple PipelineSets.
2015-06-10 SPL-102939 Archive Processor cannot handle zip files if they contain Japanese languages in the file name.
2014-10-28 SPL-87816 When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.

Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.

2014-10-28 SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-10-28 SPL-83636 If you first configure a master with default RF/SF and then give the mis-configuration command, you get an error message that is wrong.
2014-10-28 SPL-90659 Configure clusters with large numbers of buckets. For clusters with a large number of buckets (>100k), Splunk recommends changing the service_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds.


2014-10-28 SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-10-28 SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-10-28 SPL-90331 Multi-site cluster doesn't meet replication factor/search head factor due to bucket issue.

Workaround: From the endpoint, add the buckets missing RF/SF to the to_fix list.

2014-10-28 SPL-78688 Peer is able to change to an invalid (empty) replication port.
2014-10-28 SPL-91432 On Windows when the master is down, the CLI command splunk offline hangs when run from one of the streaming target peers.
2014-10-28 SPL-88434 Inaccurate message "Detected possible tampering with this source" may display for valid data.
2014-7-7 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id. The workaround is to remove the duplicated bucket.
Pre-6.2 SPL-70433 Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created, it goes to /etc/apps, while the same file may exist in /etc/slave-apps, causing this warning.
Pre-6.2 SPL-90932 WinEventLog (Windows Event Log) with the "start_from = newest" attribute in inputs.conf indexes events more than once. This causes duplicate events. Do not use this option.
Pre-6.2 SPL-81934 In a cluster, Splunk may be unable to open the search results output file. The workaround is to write to a temp file and rename it to the target file.
Pre-6.2 SPL-81913 Changing your configuration from multi site to non-multisite can result in unsearchable buckets.
Pre-6.2 SPL-81955 Multisite peer takes approximately six minutes to restart when site configuration is changed.
Pre-6.2 SPL-82386 Cluster master with distributed search disabled still dispatches searches to cluster peers.
Pre-6.2 SPL-81972, SPL-81963 For a multisite cluster, you must roll the peers' hot buckets if you change the values of any of these attributes: site_replication_factor, site_search_factor, or available_sites, and then restart the master. Otherwise, the buckets might not meet the new site_replication_factor or site_search_factor or be fully searchable. You can roll the buckets manually or by issuing a rolling-restart command.
Pre-6.2 SPL-82038 Cluster-config will not work if the parameter value contains spaces.
Pre-6.2 SPL-72484, SPL-74103 Changing the server name on search head doesn't get reflected in the cluster master's cluster management page.

Data model and Pivot issues

Publication date Defect number Description
2015-11-16 SPL-105566 Default time range in Search Preferences is not applied to new Pivots.
Pre-6.2 SPL-80285 In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions. For more information, see Add lookup files to Splunk.
Pre-6.2 SPL-80187 In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared. The workaround is to share the definition. For more information, see Add lookup files to Splunk.
Pre-6.2 SPL-82262 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
Pre-6.2 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
Pre-6.2 SPL-81781 Data Model Manager: Acceleration Status and Access Count fails to update when you click "Update."
Pre-6.2 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
Pre-6.2 SPL-82238 Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
Pre-6.2 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
Pre-6.2 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
Pre-6.2 SPL-81781 In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
Pre-6.2 SPL-81856 Show all lines does not work in data model editor preview.
Pre-6.2 SPL-82164 Migrating invalid data models from 6.0 to 6.1 fails.
Pre-6.2 SPL-58585 In a cluster, report acceleration and data model acceleration summaries are not replicated, which causes high CPU consumption when a peer is down.
Pre-6.2 SPL-77054 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Integrated PDF generation and PDF Report Server issues

Publication date Defect number Description
2015-9-22 SPL-98890 Maps printed from Report page do not honor custom zoom and center.
2015-9-22 SPL-105413 PDF Report Server appears in product despite the fact it is no longer supported.
2015-03-19 SPL-85497 Unable to save generated PDFs using Chrome internal PDF viewer.

Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, see https://support.google.com/chrome/answer/142056.

Pre-6.2 SPL-58744 If there are unconnected points in an area chart, the chart on dashboard is filled (as an area chart), but the PDF report is only a line.
Pre-6.2 SPL-67491 Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used.

Search, saved search, alerting, scheduling, and job management issues

Publication date Defect number Description
2016-06-08 SPL-122219, SPL-137049, SPL-137048 The "Orphaned Scheduled Searches" search can fail with a REST call timeout if LDAP or SAML requests for all users take more than 60 seconds.

Increase the timeout for the | rest command, as described here: http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Rest

| rest timeout=<int>

You can modify the saved search inside the "search" app either by using the UI or by adding an entry to etc/apps/search/local/savedsearches.conf that overlays the search field, whichever is more convenient.

2016-02-03 SPL-111800 A backslash preceding a whitespace causes a DELIM-based field extraction to not consider the whitespace as a valid delimiter. The workaround is to use a REGEX.
2016-04-05 SPL-116082 User-specific commands will be ignored after upgrade to version 6.4.0.
2016-02-19 SPL-102405 The outputcsv search command gives no help when an invalid filename is used. Directory separator characters such as "/" and "\" are not allowed as an argument for outputcsv.
2015-09-06 SPL-106294 SearchResults complains in splunkd.log about a corrupt CSV file header without having the decency to name the offending file or lookup table. Example: WARN SearchResults - Corrupt csv header, contains empty value (col #3)
2015-07-22 SPL-103247 Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted. To mitigate this issue, use milliseconds instead of microseconds in your searches.
2015-07-07 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Win 2k8 R2. To mitigate this, reduce the length of the app name. Report acceleration searches should then run properly within the context of the app.
2015-07-07 SPL-101164 Indexed field extraction not extracting completely for certain json events.
2014-12-22 SPL-94910 The replace function does not apply to field names that contain an underscore. The workaround is to rename the fields to remove the underscores before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-11-13 SPL-93039 The relevancy search command does not work, always returning 0 or -inf.
2014-10-28 SPL-92303 Some events are line broken improperly when forwarding from a universal forwarder, leading to a possible event count mismatch with expected results.
2014-10-28 SPL-91778 Dispatch disk usage incorrectly includes temporary CSV result files for large event searches, which can lead to job queueing.
2014-10-28 SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-10-28 SPL-90139 [timestamp] does not display in the Patterns tab when searches are run in fast mode.
2014-10-28 SPL-88228 When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.
2014-10-28 SPL-89332 Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated.
2014-10-28 SPL-79862 When creating a tag on a field in an event listing, the tag is added but fails to show in event fields unless it is selected.
2014-10-28 SPL-90861 If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log.
Pre-6.2 SPL-81103 Username surrounded by dollar signs cannot create saved searches.
Pre-6.2 SPL-82517 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
Pre-6.2 SPL-78612 Deleting a dashboard with a scheduled PDF does not also delete the scheduled view.
Pre-6.2 SPL-79562 Cloned dashboard is not scheduled but "Schedule PDF Delivery" link indicates that the schedule was cloned.
Pre-6.2 SPL-83129 Eval Function strptime does not return results when 1970 date is used
Pre-6.2 SPL-79738, SPL-81136 The iconify command fails to render icons in the event viewer.
Pre-6.2 SPL-76798 The times.conf spec file still refers to adding submenus in order to customize time range presets; this feature does not exist in Splunk Enterprise 6.x
Pre-6.2 SPL-67642 reverse and more than 1000 events are returned in the original search, then click on the bucket in the flashtimeline, no events are shown because all the events after first 1000 events are truncated.
2016-03-10 SPL-115269 In certain conditions, the search results link from the result sharing workflow doesn't work on SHC members other than the one that ran the search.
2016-03-10 SPL-115477 In certain conditions, accessing the jobs management dashboard produces one of these errors in the UI:
  • This EntityLister module could not retrieve its results. A 503 error was returned with the following text "Service Unavailable".
  • [JobManager module] 'str' object has no attribute 'os_startIndex'

Splunk Web and Home interface issues

Publication date Defect number Description
2025-7-22 SPL-124923 When a user switches licensing (Settings > Licensing) to Forwarder or Free, Settings > Data Inputs gets a 500 Internal Server Error.
2016-04-22 SPL-109165 Interactive Field Extractor Hangs when using "^" as delimiter. Workaround is to use props and transforms to specify the delimiter of your choice.
2016-04-01 SPL-113843 Splunk TCP Input Performance: Deployment doesn't work with pipelinesets.
2016-04-01 SPL-113844 Splunk TCP Input Performance: Instance doesn't work with pipelinesets.
2016-04-01 SPL-117137 When using appServerPorts = 0 and SSL, Splunkweb will not start in 6.4.0.
2015-7-7 SPL-99687 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. To mitigate this, edit the following stanza in inputs.conf:

[WinEventLog://Security]
evt_resolve_ad_obj = 0

Pre-6.2 SPL-80942 Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
Pre-6.2 SPL-73818 Early versions of IE10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

Distributed deployment, forwarder, and deployment server issues

Publication date Defect number Description
2014-10-28 SPL-91648 Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-10-28 SPL-89333 Using client filtering in the forwarder management interface when the deployment server is servicing a large number of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-10-28 SPL-85739 When running a high number of deployment clients for a server, memory growth may be excessive. To mitigate this, set forceHttp10=always.
Pre-6.2 SPL-35700 When deploying apps from a Windows deployment server to Unix deployment clients, scripts do not arrive with executable flag set
Pre-6.2 SPL-81637 Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
Pre-6.2 SPL-75764 Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
Pre-6.2 SPL-82949 When you add unsupported attributes to serverclass.conf in Forwarder Management, a blank page is displayed with no error that an unsupported attribute was added. Instead the message displays: FAILED_LOAD_DEPLOYMENT_SERVER.
Pre-6.2 SPL-74427 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed search and search head clustering issues

Publication date Defect number Description
2016-08-22 SPL-126640 [SHC] An out-of-sync SHC member became captain, which caused all the other SHC members to throw "destructive configuration resync".
2016-08-02 SPL-125219 [SHC] Unable to share Tag created from Event Actions>Action.
2016-04-05 SPL-114079 SHC bootstrap times out on Windows at 40+ nodes, works fine on Linux.
2015-11-06 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf.
2015-04-14 SPL-97352 Temporary lookup folder $SPLUNK_HOME/var/run/splunk/lookup_tmp filling up on the search head.
2015-03-30 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files.
2014-10-28 SPL-89809 Updates to $SPLUNK_HOME/var/run/*.csv via outputcsv are not replicated across the cluster.
2014-10-28 SPL-89131 In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-10-28 SPL-90028 Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-10-28 SPL-91638 For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
2015-11-18 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice
2014-10-28 SPL-87816 When implementing an indexer cluster or search head cluster, pass4SymmKey cannot be set in the [general] stanza. The value in the [clustering] and [shclustering] stanzas override the value in the [general] stanza.

Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.

2014-7-7 SPL-99110 Distributed search fails intermittently to a subset of peers with an unhelpful "Unknown error". To work around this, edit /etc/sysctl.conf to modify the following lines:

net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 16384 87380 67108864
net.ipv4.tcp_wmem = 16384 87380 67108864

Restart splunkd. Repeat above steps for SH and the Indexer. Run sysctl -p for changes to take effect. Sometimes sysctl -p may not work due to caching and rebooting is a better option. Restart indexer.

Pre-6.2 SPL-82244, SPL-90958 Unexpected duplicate app: _cluster caused due to password hashing ().

Windows-specific issues

Publication date Defect number Description
2016-04-22 SPL-110019 Mac OS X Universal Forwarder won't connect to deployment server. Workaround is to restart the client once network connectivity is restored.
2015-9-25 SPL-101053 The Windows Host Monitor "Application" input (WinHostMon://Application) has been deprecated. See The Windows host monitoring input no longer monitors application state.
2015-9-22 SPL-101289 When the number of indexing pipeline sets is greater than four, indexing throughput decreases.
2015-9-22 SPL-102008 On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference.
2015-9-22 SPL-101886 The Splunk Enterprise login page logo displays incorrectly in IE version 9 when SSL is enabled and a trusted 3rd party certificate is in place.
2015-7-7 SPL-98978 On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time. To fix the problem, restart Windows on the forwarder.
2014-10-30 SPL-92596 After an upgrade from Splunk Enterprise 6.1.x or earlier to Splunk Enterprise 6.4.x on Windows, the splunkweb service does not start automatically. Attempts to start it manually result in the following message: Error 1053: The service did not respond to the start or control request in a timely fashion. This is by design. While the splunkweb service does install, the splunkd service now handles all Splunk Web operations. See "The Splunk Web service installs but does not run" in "About Upgrading to 6.4."
2015-7-7 SPL-91279 The Splunk universal forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles. See Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2 on the Microsoft Support website for a hotfix download.
Pre-6.2 SPL-80589 On Windows Server 2012 and Server 2012 R2, an external bug causes the "% Processor_Time" counter to display 100 for multiple processes, even when the number of available CPU cores precludes that possibility.
Pre-6.2 SPL-78984 The 32 bit Windows version of the universal forwarder fails to properly upgrade from non-default location. Note: Installing a 32-bit version of any Splunk software on top of 64-bit version is neither supported nor recommended.
Pre-6.2 SPL-83365 Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
Pre-6.2 SPL-77126 The Registry data input incorrectly handles events with different cases in their paths.
Pre-6.2 SPL-82357 The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
Pre-6.2 SPL-81489 Version 6.* of the universal forwarder always installs the Splunk Add-on for Windows (Splunk_TA_Windows), regardless of whether or not you disable the WINEVENT_* installation flags.
Pre-6.2 SPL-75116 If you have the Splunk Add-on for Windows version 4.6.3 and earlier installed on a Splunk 6.x instance, Splunk collects Windows Registry data, even if the Registry monitoring inputs have been disabled by any means. To fix the issue, upgrade the Splunk Add-on for Windows to version 4.6.4 or later, or remove the WinRegMon:// stanza from inputs.conf.
Pre-6.2 SPL-73826 The hostname override/regular expression on path does not work correctly for compressed file inputs on Windows.
Pre-6.2 SPL-74209 Splunk on Windows does not create persistent queues for input stanzas that contain unusual characters (such as < and >). To work around this issue, specify the persistentQueue explicitly in the input definition.
Pre-6.2 SPL-48342 LDAP authentication does not work on Windows over the IPv6 protocol.
Pre-6.2 SPL-73818 Early versions of Internet Explorer (IE) 10 on some Windows 8 systems will not load some pages in Splunk Web if Splunk Web is configured to use SSL. To work around this issue, update IE to the latest version or update Windows to at least version 10.0.9200.16521.

REST, Simple XML, and Advanced XML issues

Publication date Defect number Description
2015-9-22 SPL-96091 Cannot use token in <option name="count">$token$</option>.
2014-10-28 SPL-91211 Cascading form inputs that use an unset condition on a form input cause a continuous loop for the form input values.
2014-10-28 SPL-32852 Post process may not return expected events if the original job is truncated.
2014-10-28 SPL-86226 User cannot navigate from a dashboard to a prebuilt panel to fix a simple XML error in the panel.
2014-10-28 SPL-91074 (Mobile) Submit button does not render when instantiating a form using the client-side parser/factory.
2014-10-28 SPL-91996 Panel that uses a duplicate ID when referencing a base search silently fails to render.
Pre-6.2 SPL-82233, SPL-76824 Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event.
Pre-6.2 SPL-78179 REST /saved/searches App Names With Special Characters Have Invalid Links.
Pre-6.2 SPL-74151 Simple XML: extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page.
Pre-6.2 SPL-66511 Creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.
Pre-6.2 SPL-65124 Sorting as "asc" does not work for Dashboard of Panel Type: List.
Pre-6.2 SPL-64489, SPL-32852 HiddenPostProcess silently discards input events when the parent search is non-reporting and matches more than 10,000 events.
Pre-6.2 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives: <dashboard><foo></dashboard>.

Web Framework issues

Publication date Defect number Description
If you do not set the "value" property when you first create a TimeRange view, you get an error if you try to change "earliest_time" and "latest_time" properties later.

Distributed Management Console issues

Publication date Defect number Description
2016-05-03 SPL-116846 User name must be "admin" to apply changes in distributed mode DMC.
2015-9-22 SPL-101270 In the DMC, the sort button overlaps with the column separator.

Unsorted issues

Publication date Defect number Description
2016-04-22 SPL-112896 Crash in Paginator::cmp for thread TcpChannelThread. Workaround is to change non-ASCII names (e.g. Alerts) to ASCII only.
2016-04-22 SPL-111776 Splunkd crashes in splunkd!Crypto::decrypt upon startup when undecryptable bindDNpassword exists in authentication.conf. Workaround is to rehash the password by entering it in plaintext within authentication.conf, then restarting splunk.
2016-04-22 SPL-111952 WARN LMDirective - directive cmd=D_set_feature_state args='SAMLAuth,ENABLED' failed: reason='feature='SAMLAuth' is invalid'. Workaround is to upgrade the LS to the same version as LM. (Clone: SPL-106389)
2016-04-01 SPL-116844 The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. This might negatively affect apps, add-ons, or scripts that use the commands or reference the old working directory. See the README for more information on mitigating this issue.
2016-04-01 SPL-112384 Use of passphrase-protected splunkweb cert with server.conf [sslConfig] requireClientCert=true screws up client-side Python code. This configuration is not a security requirement and should not be used for now.
2015-9-22 SPL-102312 There is now a limit on the number of entries which may be automatically added to the learned app (see migration manual).
2015-9-22 SPL-103701 Actions links should be removed from "Apps Browser."
2015-9-22 SPL-104243 Memory leakage may occur when saving custom groups.
2015-9-22 SPL-103010 Indexing throughput on forwarder with four pipelinesets drops 30% compared to two pipelinesets.
2015-9-22 SPL-103205 Image tour may not work in Pivot page.
7-7-2015 SPL-97942 Capability defined in an app does not take effect when assigned to a role. The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:
display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"]
display.events.type = table
7-7-2015 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml). Workaround is to use label attribute for collection element:

<collection label="Others"> <view source="unclassified" match="Dashboard"/> </collection>

7-7-2015 SPL-98594 Routing events to two different groups not working as expected.
2015-05-04 SPL-91962 In a search head pooled environment, if you start your Splunk Enterprise instance before your NFS storage mounts, Splunk Enterprise starts but KV store fails to initialize. As a result, you cannot access KV store. Resolution: Make sure your NFS storage is mounted and reachable, then restart your instance of Splunk Enterprise.
2014-11-10 SPL-92831 A mismatch of versions between the license-master and the license-slave generates warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid'". The warnings can be ignored; the workaround is to use the same major versions (all on 6.2 or all on 6.1).
2014-10-28 SPL-91346 A user with a non-admin role but edit_user capability can map to the Roles page. User receives a message that there is an error retrieving the configuration, and cannot process the page.
2014-10-28 SPL-92162 Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
Pre-6.2 SPL-81810 License pool warning at license master keeps coming back after deleting it. The workaround is to delete the warnings on the peers first then the License Manager.
Pre-6.2 SPL-77139 Licenser pool usage gets reflected only after restarting Splunkd.
Pre-6.2 SPL-82699 SSO: Acceleration icon fails to display in Searches, Reports, and Alerts pages.
Pre-6.2 SPL-71645 Report acceleration summary folders (summaryHomePath) cannot be created if the homePath of the index is at the root of the filesystem (homePath=D:\myindex or homePath=/myindex). The workaround is to create the folder manually.
Pre-6.2 SPL-74337 You cannot specify a destination folder when installing on OSX.
Pre-6.2 SPL-72484 Cannot use the CLI to delete an index with a capital letter in its name.
Pre-6.2 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR and should be lowered to INFO.
Pre-6.2 SPL-73636 If your license master is down at midnight, it will not generate a rolloverSummary event in license_usage.log, and the license usage report view > Previous 30 days dashboard will have a gap in the data for the previous day.
Pre-6.2 SPL-69304 If license slaves are running a version earlier than 6.0, they do not have the idx field, and in the License Usage view the split by index field shows a field named UNKNOWN.
Last modified on 30 June, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.4.2
