Related Answers
This documentation does not apply to the most recent version of Splunk.
Click here for the latest version.
Download topic as PDF
Known issues
The following are issues and workarounds for this version of Splunk Enterprise.
Issues are listed in all relevant sections. Some issues appear more than once.
Refer to the "System requirements" in the Installation Manual for a list of supported platforms and architectures.
For a list of deprecated features and platforms, refer to "Deprecated features" in this manual.
Upgrade issues
This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.
| Date filed | Issue number | Description |
|---|---|---|
| 2014-08-20 | SPL-89640 | When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts Workaround: Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise. |
| 2013-08-19 | SPL-73386 | Users are not allowed to run historical scheduled search Workaround: 1. Create a special power/admin user who can run scheduled searches. 2. Assign this user ownership of the scheduled searches. 3. Share the searches at the app level and grant read/write permission to the correct set of users. |
Data input issues
| Date filed | Issue number | Description |
|---|---|---|
| 2016-12-05 | SPL-133461, SPL-144794, SPL-144795, SPL-144796, SPL-144797, SPL-144799 | Compressed files are deleted from sinkhole even if decompression fails |
| 2016-10-24 | SPL-130802, SPL-129109 | After upgrading from UF 6.3.2 to either UF 6.3.6 or 6.4.3 or 6.5.0/1, monitored files with Structured header are read at the wrong offset by WTF resulting in duplicate, missed, broken events Workaround: downgrade back to UF 6.3.2 OR
Since issue occurs only when the monitored file is freshly opened to read the new update (not using existing FD), updating the time_before_close setting for the particular input with an appropriate value would be a workaround. For example,
[monitor://C:\inetpub\logs\IISW3CLogs]
disabled = 0
whitelist= .*\.log
followTail = 0
sourcetype = iis
ignoreOlderThan = 7d
time_before_close = 300 |
| 2016-09-21 | SPL-129086, SPL-131945, SPL-131946, SPL-131947 | Garbled field name when indexing zip file (UTF-16LE) |
| 2015-11-12 | SPL-109362 | When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage |
| 2015-10-09 | SPL-107716 | Splunk UF doesn't process newly created files in the monitored directory (reparse point) |
| 2015-05-22 | SPL-101981 | Field extractions do not work when sourcetypes use quotes in the Getting Data In interface. |
| 2015-03-17 | SPL-98163 | INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL Workaround: Create a separate extraction in props.conf where defined w3c extraction method: EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++) |
| 2014-03-10 | SPL-81637 | Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none". |
| 2013-10-29 | SPL-75764 | Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux. |
| 2013-10-11 | SPL-75116 | The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza Workaround: Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk. |
| 2013-09-10 | SPL-74209, SPL-74167 | Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). Workaround: Specify the persistentQueue explicitly in the input definition. |
Search issues
| Date filed | Issue number | Description |
|---|---|---|
| 2017-01-19 | SPL-135296, SPL-105039, SPL-152728, SPL-152729, SPL-152735, SPL-152815, SPL-152817 | SearchResults complains in splunkd.log about a corrupt CSV file header without naming the problematic file or lookup table Workaround: Manually search all csv files and locate the header with a blank column. |
| 2016-10-10 | SPL-129956 | Memory leak in Chrome/Firefox with realtime searches after 6.2 Workaround: Likely workaround would be to reduce the dashboard refresh interval. |
| 2016-10-07 | SPL-129875, SPL-138849, SPL-138850, SPL-138851, SPL-138852 | Turkey timezone change to +03:00 (permanent Daylight Saving) |
| 2016-08-22 | SPL-127061, SPL-135415, SPL-135416 | xpath default value always returned and absolute path is not working |
| 2016-06-08 | SPL-122219, SPL-137049, SPL-137048 | "Orphaned Scheduled Searches" search can fail in a rest call timeout if LDAP, SAML, requests for all users take more than 60 seconds Workaround: Increase the timeout for | REST specified here: http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Rest | rest timeout=<int> You can modify the saved search inside the "search" app either using the UI or by adding an entry to etc/apps/search/local/savedsearches.conf that overlays the search field, which ever is more convenient.
|
| 2016-03-17 | SPL-116082 | Custom search commands that are defined for only a specific user will no longer run. |
| 2015-06-17 | SPL-103247 | Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted. |
| 2015-06-01 | SPL-102405 | Search operator outputcsv provides no explanation for the rejection of a file name with OS separators: "/" or "\" Workaround: Do not incorporate / or \ into the name of your outputlookup filename. |
| 2015-04-23 | SPL-100170 | Automatic Lookups limitation: No results returned in Smart Mode when there are nested lookups and the intermediate field is not mentioned in the search. |
| 2014-12-22 | SPL-94910 | The replace function does not apply to fields names with an underscore in them. Workaround: Rename the fields before the replace. ... | rename *_* AS *-* | replace "something" by "somethingelse" |
| 2014-11-13 | SPL-93039 | The relevancy search command does not work, always returning 0 or -inf. |
| 2014-10-15 | SPL-91996, SPL-91818 | No error if ref panel can't render because of ID collision. |
| 2014-10-02 | SPL-91638, SPL-107375 | For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member. |
| 2014-09-15 | SPL-90861, SPL-90396, SPL-90886 | If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log. |
| 2014-04-16 | SPL-83129 | Eval function strptime does not return results when 1970 date is used. |
| 2014-04-04 | SPL-82650 | A report created and scheduled by admin cannot be embedded by a power user. |
| 2014-03-27 | SPL-82357 | The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems. |
| 2014-03-15 | SPL-81934 | For clusters, may be unable to open search results output file for search results in a cluster. Workaround: Write to a temp file and rename to the target file. |
| 2014-02-21 | SPL-80942 | Flashtimeline: 500 Internal Server Error when pasting long URL into panel name. |
| 2013-12-18 | SPL-78179 | REST /saved/searches App names with special characters have invalid links. |
| 2013-09-06 | SPL-74151 | When using SimpleXML, an extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page. |
| 2013-08-19 | SPL-73386 | Users are not allowed to run historical scheduled search Workaround: 1. Create a special power/admin user who can run scheduled searches. 2. Assign this user ownership of the scheduled searches. 3. Share the searches at the app level and grant read/write permission to the correct set of users. |
Saved search, alerting, scheduling, and job management issues
| Date filed | Issue number | Description |
|---|---|---|
| 2017-11-29 | SPL-146802 | Distributed environment requires index defined on search head for log event alerts |
| 2016-10-25 | SPL-130809, SPL-140886, SPL-140887, SPL-140888, SPL-140889 | Backfill script may cause scheduled search to be re-run after restart. |
| 2015-11-15 | SPL-109471 | For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain |
| 2015-04-09 | SPL-99421 | Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2 Workaround: Reduce length of name of the app and report acceleration searches will run properly within the context of the app. |
| 2014-08-15 | SPL-89332 | Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated. |
| 2014-08-05 | SPL-88396 | After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI Workaround: Create a server class, where you can see the client name, and use that group when you add data. |
| 2014-05-01 | SPL-83686 | Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. Workaround: The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status. |
| 2014-03-24 | SPL-82262, SPL-82241 | Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User. |
| 2014-03-20 | SPL-82164 | Migrating invalid data models from 6.0 to 6.x fails. |
| 2014-03-19 | SPL-82133 | Data model allows users to upload a JSON file which has Field names with spaces but will not validate it. |
| 2014-03-10 | SPL-81645 | Data model exhibits sticky UI when "transaction group by object" name has a single (x) character. |
| 2013-11-26 | SPL-77054, SPL-77055 | Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot. |
Charting, reporting, and visualization issues
| Date filed | Issue number | Description |
|---|---|---|
| 2017-07-24 | SPL-143311, SPL-78612 | Deleting a dashboard with a scheduled PDF does not also delete the scheduled view on stand alone SH |
| 2016-10-10 | SPL-129956 | Memory leak in Chrome/Firefox with realtime searches after 6.2 Workaround: Likely workaround would be to reduce the dashboard refresh interval. |
| 2016-09-15 | SPL-128819, SPL-130243, SPL-130245 | Editing panel in dashboard removes charting.legend.masterlegend option Workaround: Use <option name="charting.legend.masterLegend">null</option> |
| 2016-07-27 | SPL-125123 | The dashboard parser throws an error when non-integer value is used for the <sampleRatio> option |
| 2015-03-31 | SPL-98890 | Maps printed from Report page do not honor custom zoom and center. |
| 2015-02-23 | SPL-97193 | The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string. |
| 2014-10-15 | SPL-91996, SPL-91818 | No error if ref panel can't render because of ID collision. |
| 2014-09-24 | SPL-91211 | Cascading form inputs that uses an unset condition on a form input causes a continuous loop for the form input values. |
| 2014-09-19 | SPL-91074, SPL-91065 | Submit button does not get rendered when instantiating a form via the client-side parser/factory |
| 2014-01-27 | SPL-79562 | Cloned dashboard is not scheduled but "Schedule PDF Delivery" link indicates that the schedule was cloned. |
| 2013-11-20 | SPL-76824 | Dashboard returns 400 error and invalid message if "maxLines" and "count" is empty for Panel Type: Event. |
| 2013-09-06 | SPL-74151 | When using SimpleXML, an extra pipe in the search post process of a form runs fine on the dashboard but shows errors when linked to the search page. |
Data model and pivot issues
| Date filed | Issue number | Description |
|---|---|---|
| 2014-12-08 | SPL-94047, SPL-98628 | While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column. |
| 2014-05-01 | SPL-83686 | Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. Workaround: The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status. |
| 2014-03-24 | SPL-82262, SPL-82241 | Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User. |
| 2014-03-20 | SPL-82164 | Migrating invalid data models from 6.0 to 6.x fails. |
| 2014-03-19 | SPL-82133 | Data model allows users to upload a JSON file which has Field names with spaces but will not validate it. |
| 2014-03-11 | SPL-81701 | Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once. |
| 2014-03-10 | SPL-81645 | Data model exhibits sticky UI when "transaction group by object" name has a single (x) character. |
| 2014-03-07 | SPL-81538 | When using Pivot, stack mode is lost when "Scatter Chart" is selected. |
| 2013-11-26 | SPL-77054, SPL-77055 | Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot. |
Indexer and indexer clustering issues
| Date filed | Issue number | Description |
|---|---|---|
| 2018-04-10 | SPL-153221 | Added db path collision check for summaryHomePath |
| 2017-03-06 | SPL-138222 | ERROR DatabaseDirectoryManager - Getting size on disk: Path for bid=xxx cannot be located. |
| 2016-10-17 | SPL-130342 | Customer receives a 200 error on a successful bundle push |
| 2016-09-14 | SPL-128790, SPL-130648, SPL-130649 | Inconsistent buckets_to_summarize setting error when restarting cluster master after making changes to SF or RF |
| 2016-08-17 | SPL-126850, SPL-129596, SPL-129599, SPL-132781 | summary scans can result in peer taking a long time to re-join cluster after rolling restart |
| 2015-05-08 | SPL-101184 | Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer. |
| 2014-10-13 | SPL-91861 | On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>. |
| 2014-09-29 | SPL-91432 | On Windows when the master is down, the CLI command splunk offlinehangs when run from one of the streaming target peers. |
| 2014-09-09 | SPL-90659 | Indexer clustering requires manual changes to service_interval at runtime Workaround: For clusters with a large number of buckets (>100k), Splunk recommends changing theservice_interval (under the [clustering] stanza in server.conf) to a value greater than the default of one second. Increase the length of the interval by one second for each additional 100k buckets, with a cap at 10 seconds. |
| 2014-09-08 | SPL-90630 | On a multisite cluster, no warning is given when search head names are the same. |
| 2014-08-29 | SPL-90331 | Multi-site indexer cluster doesn't meet replication factor/search head factor due to bucket issue. Workaround: From the endpoint, add the buckets missing RF/SF to the to_fix list. endpoint:
https://[host]:[port]/services/cluster/master/buckets/{bucket_id}/fix |
| 2014-07-29 | SPL-87816 | When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza. Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing. |
| 2014-07-14 | SPL-86799 | After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb. |
| 2014-04-29 | SPL-83636 | If you first configure a master with default RF/SF and then give the misconfiguration command, you get an error message that is wrong. |
| 2014-04-17 | SPL-83169 | on Windows, if peers' Windows explorer not closed for long enough time, adding a new index still requres a peer restart, not reload |
| 2014-03-18 | SPL-82038 | Cluster-config does not work if a parameter value includes a space character. |
| 2014-03-17 | SPL-81955 | Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed. |
| 2014-01-06 | SPL-78688 | Peer is able to change to an invalid (empty) replication port |
| 2013-08-06 | SPL-72484 | You cannot use the CLI to delete an index with a capital letter in its name. |
| 2013-07-03 | SPL-70433 | Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. |
Distributed search and search head clustering issues
| Date filed | Issue number | Description |
|---|---|---|
| 2018-05-10 | SPL-154402, SPL-155043, SPL-155808, SPL-155820 | SHC: alert suppression may fail during restart due to timing issues |
| 2017-11-29 | SPL-146802 | Distributed environment requires index defined on search head for log event alerts |
| 2017-02-23 | SPL-137554, SPL-138105, SPL-138112, SPL-138167 | Search Head Clustering - mgmt_uri is showing "?" while checking with "splunk show shcluster-status" |
| 2017-02-03 | SPL-136245, SPL-135941 | Subsearch ignores default distributed search group in distsearch.conf |
| 2016-11-23 | SPL-132893, SPL-133354, SPL-133355, SPL-133356 | SHC - Large number of connections created when a peer is down |
| 2016-10-18 | SPL-130444, SPL-152625, SPL-152626, SPL-152627 | SHC: alert suppression may fail during restart if suppression information does not exist locally on member |
| 2016-10-08 | SPL-129943, SPL-132634, SPL-132780, SPL-132801, SPL-133920 | metrics.log Metrics reporting gaps due to contention with bundle replication |
| 2016-08-10 | SPL-126217, SPL-125817 | Splunk incorrectly reports that historical concurrent system-wide searches had been reached |
| 2016-07-17 | SPL-124443 | Incorrect user level concurrent search calculation causes user searches to be skipped |
| 2016-07-12 | SPL-124085 | On Search Head Cluster It is not possible to remove an App from the SHs once it has been disabled. |
| 2016-06-13 | SPL-122602, SPL-128604, SPL-128605 | Memory leak triggered by reloading splunkd SSL servers without restarting the process. Workaround: Two options: 1. Update db_connect app. 2. Add the following to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/server.conf: [shclustering]
conf_replication_include.inputs = false
|
| 2015-11-15 | SPL-109471 | For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain |
| 2015-09-23 | SPL-106978 | Failed SHC captain election causes unnecessary change in server.conf |
| 2015-02-26 | SPL-97385 | $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files. Workaround: The allowable size of the download can be increased by setting the following in server.conf. [httpServer] max_content_length = 1500MB The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is: [Endpoint - Local Processes Tracker - Lookup Gen]
|
| 2014-08-25 | SPL-90028 | Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact. |
| 2014-08-14 | SPL-89131 | In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save. |
| 2014-08-02 | SPL-88228 | When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however. |
Universal forwarder issues
| Date filed | Issue number | Description |
|---|---|---|
| 2016-10-24 | SPL-130802, SPL-129109 | After upgrading from UF 6.3.2 to either UF 6.3.6 or 6.4.3 or 6.5.0/1, monitored files with Structured header are read at the wrong offset by WTF resulting in duplicate, missed, broken events Workaround: downgrade back to UF 6.3.2 OR
Since issue occurs only when the monitored file is freshly opened to read the new update (not using existing FD), updating the time_before_close setting for the particular input with an appropriate value would be a workaround. For example,
[monitor://C:\inetpub\logs\IISW3CLogs]
disabled = 0
whitelist= .*\.log
followTail = 0
sourcetype = iis
ignoreOlderThan = 7d
time_before_close = 300 |
| 2015-04-14 | SPL-99687, SPL-129637 | Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0. |
| 2015-04-07 | SPL-99316 | Universal Forwarders stop sending data repeatedly throughout the day Workaround: In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value. |
| 2014-08-05 | SPL-88396 | After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI Workaround: Create a server class, where you can see the client name, and use that group when you add data. |
| 2013-09-18 | SPL-74427, SPL-74448 | The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. Workaround: To work around this issue, create a splunk user on your system before attempting to run the installer. |
Distributed deployment, forwarder, deployment server issues
| Date filed | Issue number | Description |
|---|---|---|
| 2017-01-23 | SPL-135502, SPL-135570, SPL-135571 | After disabling the deployment server component using CLI, a fatal error message is logged in splunkd.log |
| 2014-10-02 | SPL-91648, SPL-91358 | Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server. |
| 2014-08-15 | SPL-89333 | Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage. |
| 2014-06-20 | SPL-85739 | When running a high number of deployment clients for a server, memory growth may be excessive. Workaround: To mitigate this, set forceHttp10=always. |
Monitoring Console/DMC issues
| Date filed | Issue number | Description |
|---|---|---|
| 2016-02-08 | SPL-113844 | Splunk TCP Input Performance: Instance doesn't work with pipelinesets. |
| 2016-02-08 | SPL-113843 | Splunk TCP Input Performance: Deployment doesn't work with pipelinesets. |
| 2015-05-11 | SPL-101270 | In the DMC, the sort button overlaps with the column separator. |
Splunk Web and interface issues
| Date filed | Issue number | Description |
|---|---|---|
| 2015-11-09 | SPL-109165 | Interactive Field Extractor hangs when using "^" as delimiter. Workaround: Use props and transforms to specify the delimiter of your choice. |
| 2015-06-30 | SPL-103701 | Actions links should be removed for "Apps Browser" |
| 2014-09-26 | SPL-91346, SPL-91344 | A user with a non-admin role but edit_user capability can map to the Roles page. User receives a message that there is an error retrieving the configuration, and cannot process the page. |
| 2014-07-16 | SPL-87015 | chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns. |
| 2014-04-04 | SPL-82650 | A report created and scheduled by admin cannot be embedded by a power user. |
| 2014-02-26 | SPL-81103 | Username surrounded by dollar signs cannot create saved searches. |
| 2013-11-20 | SPL-76798 | Time range picker is not customizable via times.conf the same as version 5 or as suggested by docs. |
| 2013-08-19 | SPL-73386 | Users are not allowed to run historical scheduled search Workaround: 1. Create a special power/admin user who can run scheduled searches. 2. Assign this user ownership of the scheduled searches. 3. Share the searches at the app level and grant read/write permission to the correct set of users. |
Windows-specific issues
| Date filed | Issue number | Description |
|---|---|---|
| 2016-08-18 | SPL-126979 | On Windows, if you specify both start_from = newest and current_only = 0 in inputs.conf, this triggers the indexing of duplicate events. |
| 2016-08-15 | SPL-126606, SPL-120078 | splunk-admon.exe fails to update internal 'admon://NearestDC' configuration when Domain Controller is changed. Workaround: Clean up contents of %SPLUNK_HOME%\var\lib\splunk\persistentstorage\ADMon\NearestDC.ini |
| 2015-11-13 | SPL-109430 | In Windows only, inheritance is broken for folders created by splunkd. Files created are accessible only to the user as whom splunkd is running. |
| 2015-04-14 | SPL-99687, SPL-129637 | Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0. |
| 2015-04-01 | SPL-98978 | On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time. Workaround: To fix the problem, restart Windows on the forwarder.
|
| 2014-09-25 | SPL-91279 | Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles. Workaround: See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download. |
| 2013-10-11 | SPL-75116 | The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza Workaround: Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk. |
Rest, Simple XML, and Advanced XML issues
| Date filed | Issue number | Description |
|---|---|---|
| 2016-08-26 | SPL-127448, SPL-119588 | Credential Manager /services/storage/passwords stops working when decrypted password is not utf8 |
| 2013-05-15 | SPL-67453 | When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard><foo></dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>. |
Authentication and Authorization issues
For a list of security issues, please see the Security Advisory. A list of all recent advisories can be found in the Security Portal.
| Date filed | Issue number | Description |
|---|---|---|
| 2016-08-26 | SPL-127448, SPL-119588 | Credential Manager /services/storage/passwords stops working when decrypted password is not utf8 |
| 2016-07-26 | SPL-125052 | Sole Admin can demote his/herself to Power without path of recovery in GUI Workaround: Through the command line, you can open notepad and modify the password file to regain 'Admin' status. |
| 2015-11-13 | SPL-109427 | LDAP SSL no longer working in Splunk 6.3 (and later) for Windows 2003 Workaround: The workaround is to
1) obtain Ciphers configured on Windows AD 2003 server.
2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it.
The following is a working TLS_CIPHER_SUITE for one of the customers:
{noformat}
TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5
{noformat}
|
| 2012-02-22 | SPL-48342 | LDAP strategy host field cannot work with ipv6 format address but computer name is okay |
Admin and CLI issues
| Date filed | Issue number | Description |
|---|---|---|
| 2016-08-01 | SPL-125461 | When creating a new index from an app context, the current app is not selected in the app dropdown on new index page |
| 2015-09-23 | SPL-106978 | Failed SHC captain election causes unnecessary change in server.conf |
| 2015-03-11 | SPL-97942 | Capability defined in an app does not take effect when assigned to a role Workaround: The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this: [search]
display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"]
display.events.type = table |
| 2014-04-07 | SPL-82699 | SSO: Acceleration icon fails to display in Searches, Reports, and Alerts page. |
| 2013-05-25 | SPL-68010 | The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO. Workaround: Set server.conf [applicationsManager] allowInternetAccess = false |
| 2013-05-02 | SPL-66511 | If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view. |
Unsorted issues
| Date filed | Issue number | Description |
|---|---|---|
| 2017-06-13 | SPL-142402, SPL-123041 | Splunk crashes when deleting data from kvstore collection |
| 2016-11-28 | SPL-133012 | Debian installer leaves files owned by unknown user |
| 2016-10-26 | SPL-130887, SPL-130958, SPL-130957, SPL-133353 | Running "yum install splunk" on RHEL6 with FIPS kernel results in error - Splunk RPM uses MD5 for file digest Workaround: wget the RPM from Splunk directly and run "rpm -Uvh" on package locally; use a tarball to install; potentially use yum with "--nogpgcheck" flag. |
| 2016-10-10 | SPL-130023, SPL-132013, SPL-132329 | High HTTP Response times due to contention for lock in logUserActionInfo |
| 2016-08-24 | SPL-127301, SPL-122994 | Crash in TcpChannelThread, MongoStorageProvider, BSONObjFiller, parse, gotNull. |
| 2016-08-22 | SPL-127095, SPL-123187, SPL-127079 | Duplicate events with indexerDiscovery following outages on indexer cluster. |
| 2015-06-18 | SPL-103302 | Files ownership are failed to be changed when using debian package to install splunk and $SPLUNK_HOME is a symlink Workaround: Run a recursive chown from the command line on $SPLUNK_HOME manually, post install. |
| 2015-06-10 | SPL-103010 | Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets. |
| 2015-03-25 | SPL-98594 | Routing events to two different groups not working as expected. Workaround: 1 On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups. 2 Setup a proxy UF which takes input from the original UF and send input out syslog server.
This solution only requires config change and no patch release is required. |
| 2014-11-10 | SPL-92831 | A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ." Workaround: The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1).
|
| 2014-10-17 | SPL-92162 | Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine. |
| 2014-08-20 | SPL-89640 | When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts Workaround: Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise. |
| 2014-04-22 | SPL-83365 | Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI. |
| 2014-03-12 | SPL-81810 | Licensing - license pool warning at license master keeps coming back after deleting it. Workaround: Delete the warnings on the peers first, then the License Manager. |
| 2013-11-27 | SPL-77139 | Licenser pool usage gets reflected only after restarting splunkd. |
| 2013-09-18 | SPL-74427, SPL-74448 | The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. Workaround: To work around this issue, create a splunk user on your system before attempting to run the installer. |
| 2013-09-13 | SPL-74337, BETA-496 | You cannot specify a destination folder when installing on OSX. |
| 2013-06-13 | SPL-69304 | If license slaves are running <6.0 version, they do not have the idx field and in theLicense Usage view, the split by index field will show a field named UNKNOWN. |
Uncategorized issues
| Date filed | Issue number | Description |
|---|---|---|
| 2017-02-27 | SPL-137646 | CSV export is not working for some built-in reports |
| 2016-12-11 | SPL-133876, SPL-137650, SPL-137651, SPL-137652 | Rt windowed search displays incorrect results with EXTRACT- in props.conf Workaround: Use: index="ussd" sourcetype="svccmn:tx" | service_name="CommonIRWelcomeWs" | stats count by service_name" Instead of: index="ussd" sourcetype="svccmn:tx" service_name="CommonIRWelcomeWs" | stats count by service_name" |
| 2016-11-08 | SPL-131707, SPL-135270, SPL-135272, SPL-135466 | Indexer doesn't immediately sync the ingested events to disk (in a specific scenario) |
| 2016-10-04 | SPL-129597, SPL-127297, SPL-129598, SPL-131783 | Export pdf for a dashboard the locale for time chart |
| 2016-08-24 | SPL-127297, SPL-129597, SPL-129598 | Export pdf for a dashboard ignores the locale for time chart |
| 2016-06-21 | SPL-123174 | JSON indexed_extractions doesn't work for TCP inputs |
| 2015-10-07 | SPL-107606 | Inconsistency between summary and datamodel_summary files. |
| 2015-05-24 | SPL-102008 | On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference. |
| 2015-05-11 | SPL-101289 | When the number of indexing pipeline sets is greater than four, indexing throughput decreases. |
| 2015-05-06 | SPL-100980 | Single indexer does not scale when receiving parsed data from multiple PipelineSets. |
| 2015-05-04 | SPL-100792 | There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals. Workaround: Searches that key off these lines need to select their desired name=x category in order to see a single thruput value. |
| 2015-04-24 | SPL-100322 | A view gets stuck with "loading" due to problematic navigation (default.xml) Workaround: Workaround is to use label attribute for collection element. <collection label="Others"> <view source="unclassified" match="Dashboard"/>
</collection>
|
| 2015-03-26 | SPL-98700 | splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id. Workaround: The workaround is to remove the duplicated bucket. |
| 2015-02-26 | SPL-97389 | When using timechart command, the embedded report shows different time format than the original report. |
| 2015-01-30 | SPL-96091 | SimpleXML: cannot use token in <option name="count">$token$</option> |
| 2015-01-08 | SPL-95144, SPL-107317, SPL-101986, SPL-101987, SPL-106884, SPL-142789 | Indexed message for Windows security event logs shows "FormatMessage error" Workaround: Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service. |
| 2014-11-10 | SPL-92870 | Token not visible in Visualizations Editor if the token contains "$" character. |
| 2014-10-31 | SPL-92596 | After upgrade from Splunk Enterprise 6.1 or earlier to 6.4.x on Windows, splunkweb service does not start automatically. Attempts to start it manually show "Error 1053: The service did not respond to the start or control request in a timely fashion." Workaround: This is expected behavior. See the Splunk Answers post: http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html |
| 2014-10-24 | SPL-92432, SPL-99583 | Chart in dashboard panel does not honor interval settings. Workaround: In the panel XML, specify a larger height to use the correct interval settings. |
| 2014-09-11 | SPL-90738 | Monitoring a directory with an unknown sourcetype produces indexing errors. |
| 2014-08-26 | SPL-90139 | <timestamp> does not display in the Patterns tab when searches are run in fast mode. |
| 2014-06-30 | SPL-86226 | User should have ability to navigate to Panel in case of error |
| 2014-06-16 | SPL-85497 | Unable to save generated PDFs using Chrome internal PDF viewer. Workaround: Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, seehttps://support.google.com/chrome/answer/142056.
|
| 2014-04-14 | SPL-83068 | Default index can be set to random index. |
| 2014-04-01 | SPL-82517 | Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings. |
| 2014-03-23 | SPL-82238 | Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected. |
| 2014-03-13 | SPL-81856 | Show all lines does not work in data model editor preview. |
| 2014-03-12 | SPL-81781 | In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update". |
| 2014-02-13 | SPL-80568 | Highcharts determines Y-axis values based on first point outside visible range. |
| 2014-02-07 | SPL-80285 | In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions. Workaround: For more information, see Add lookup files to Splunk. |
| 2014-02-06 | SPL-80187 | In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared. Workaround: Share the definition. For more information, see Add lookup files to Splunk. |
| 2014-01-31 | SPL-79842 | On Windows, Indexer doesn't accept new connections on splunktcpin port after queue blockage is resolved |
| 2013-08-28 | SPL-73826 | Windows: hostname override not working properly |
| 2013-08-22 | SPL-73569 | Pie maps do not have legend labels. |
| 2013-07-25 | SPL-71645 | Report acceleration Summary folders (summaryHomePath) cannot be created if thehomePath of the index is at the root of the filesystem, (homePath=D:\myindex orhomePath=/myindex). Workaround: Create the folder manually. |
| 2013-05-16 | SPL-67491 | PDF report: Events format settings like List, Table, MaxLines, and Wrapping don't apply to PDF report |
| 2013-04-30 | SPL-66213 | PDF server app is not working with latest Xvfb |
| 2012-11-26 | SPL-58744 | Area chart is not filled if the points are unconnected |
| 2010-10-08 | SPL-34347 | wmi input default fields - with value including newlines doesn't search properly becasue of \r\n issue |
|
PREVIOUS Welcome to Splunk Enterprise 6.4 |
NEXT Splunk Enterprise and anti-virus products |
This documentation applies to the following versions of Splunk® Enterprise: 6.4.3
Feedback submitted, thanks!