Splunk® Enterprise

Release Notes

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once.

Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features and removed features in this manual.

Upgrade issues

Date filed Issue number Description
2024-04-04 SPL-253690, SPL-247255 Issue with Splunk Enterprise versions 9.1.x through 9.4.x when http proxy is used

Workaround:
An enhancement was introduced to the search process in Splunk Enterprise version 9.1.1 that optimizes searches by using the peer's IP address instead of querying DNS for the target peers. If an http_proxy is specified in the server.conf file, the enhancement causes the originating peer's IP address to fail to resolve. As a result, the IP address of the proxy, instead of the originating peer, is logged and utilized in the peers.csv file during search operations, causing the following error message to display in Splunk Web: "Received error from proxy server".


To disable the new DNS query optimization and eliminate the error, add the following setting to the distsearch.conf file: 


[distributedSearch]
useIPAddrAsHost=false

2020-08-31 SPL-194426 External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-07-10 SPL-191850 The .deb installation package will fail if dpkg version doesn't support an .xz compressed control file.

Workaround:
Update dpkg to version 1.17.6 or later.
2018-04-13 SPL-153403 After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


Data input issues

Date filed Issue number Description
2024-02-09 SPL-250849 Compression method for Filesystem destination is immutable once created since changing it leads to a corrupt file.
2022-08-17 SPL-228646, SPL-228645 Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-08-09 SPL-228117, SPL-257140 "file" is incorrectly listed as a supported scheme for ingest actions in outputs.conf.spec

Search issues

Date filed Issue number Description
2025-05-19 SPL-277301 The default sourcetype has 'NO_BINARY_CHECK' as 'true' on Web UI while it's not set in props.conf

Workaround:
Either one of the below.

1. Modify 'props.conf'

2. Open the default sourcetype on Web UI, and click 'Save' (This action will add the setting to 'props.conf'.)

2024-05-09 SPL-255514 "| timechart count" search is causing Splunk to crash with "Crashing thread: searchOrchestrator"

Workaround:
When using a search with only the timechart command in a search:

| timechart count

Splunk instance will crash with "Crashing thread: searchOrchestrator". Currently there is no workaround other than not using this search string

2024-04-12 SPL-254077, SPL-241370 CIDR match for tstats with ipv6 addresses isn't supported

Workaround:
The tstats command currently doesn't filter events with CIDR match on fields that contain IPv6 addresses. Running tstats searches containing IPv6 addresses might result in the following error indicating that the addresses are treated as non-exact queries: 
Error in 'TsidxStats': WHERE clause is not an exact query

2024-04-04 SPL-253690, SPL-247255 Issue with Splunk Enterprise versions 9.1.x through 9.4.x when http proxy is used

Workaround:
An enhancement was introduced to the search process in Splunk Enterprise version 9.1.1 that optimizes searches by using the peer's IP address instead of querying DNS for the target peers. If an http_proxy is specified in the server.conf file, the enhancement causes the originating peer's IP address to fail to resolve. As a result, the IP address of the proxy, instead of the originating peer, is logged and utilized in the peers.csv file during search operations, causing the following error message to display in Splunk Web: "Received error from proxy server".


To disable the new DNS query optimization and eliminate the error, add the following setting to the distsearch.conf file: 


[distributedSearch]
useIPAddrAsHost=false

2023-06-09 SPL-240774 The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value

Workaround:
Perform field extractions by modifying your searches using other commands, such as the rex command or eval command.
2023-04-14 SPL-238738, SPL-273098 Federated Search for Splunk does not support the "Show Source" Field Action
2023-03-28 SPL-237902 Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy

Workaround:
Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include 'latest=now' in order to avoid time range inaccuracies. For example, if you want to get all events from the last 10 seconds starting at 01:00:10, the following search returns all events that occur between the time of 01:00:00 and 01:00:10, as expected.

index=main earliest=-10s latest=now

Running the same search without including 'latest=now' might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches. See Specify earliest relative time offset and latest time in ad hoc searches in the Splunk platform Search Manual.

2022-09-26 SPL-230673 Searches might not return all lookup values during search result enrichment. Affected searches include lookups with more duplicate entries than specified in the max_matches setting, and lookups larger than the value in the max_memtable_bytes setting.

Workaround:
Change the max_matches and max_memtable_bytes settings to values greater than the KV store size or the CSV lookup file size.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-05-31 SPL-225037 Remote dataset dropdown menu resets to "Index" after selecting federated provider
2021-12-21 SPL-216787 Searches are cancelled or time out when the user leaves the browser window or switches tabs.

Workaround:
Change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62.

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

2021-09-22 SPL-212495, SPL-196040, SPL-219811 Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles

Workaround:
none
2020-12-04 SPL-198284, SPL-231587 Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default

Workaround:
Set limits.conf back to default, by removing any override of max_searches_per_process.

For example: 

[search]
max_searches_per_process=1

to 

[search]
2020-08-31 SPL-194426 External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-02-12 SPL-183259 When generating LISPY for field values that are numbers (""), the values aren't deduplicated, which can cause slowdowns in certain scenarios

Workaround:
Dedup values in search before, for example:

instead of 

index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId]

add a stats or dedup in the subsearch: 

index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example: 

index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]
2020-01-10 SPL-181573 geostats provides incorrect results for lower zoom levels when split BY has a higher cardinality than globallimit.

Workaround:
- Increase globallimit to the value of "unique values" number mentioned in the warning message:

"The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count."

- Use very high globallimit in geostats and post process after if needed

- Don't use BY in geostats

- Use lower cardinality BY and/or higher globallimit in geostats

2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2017-04-04 SPL-140765 Splunk having problems extracting json file consisting of 68k plus key-value pairs
2016-11-29 SPL-133182 When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.

Federated search issues

Date filed Issue number Description
2025-05-30 SPL-278363 We should add loadjob to the blocked command in transparent mode
2024-12-11 SPL-267899, SPL-276684 rsh does not return the error string to the fsh
2024-10-15 SPL-264529, SPL-261801 Search with mcatalog command returns missing metrics when used with append=t and last index is not valid
2024-09-05 SPL-262259 Splunk to Splunk federated searches do not utilize the dispatch.index_earliest and dispatch.index_latest parameters in the saved search configuration when the search is dispatched to the remote search head, leading to incorrect results

Workaround:
These parameters can be added as a part of the search string, using the _index_earliest and _index_latest time modifiers. This will send the parameters correctly to the remote search head. See

List of time modifiers in the Search Reference.

2024-04-05 SPL-253755, SPL-253757 transparent-mode federated search should alert ( and block the search ) when it is run in real time
2024-01-18 SPL-249666, SPL-244551 FS-StandardMode : Standalone sub-search with HEAD doesn't return any results
2023-09-05 SPL-244248, SPL-239298 Federated Search, Enterprise --> Cloud configuration: Performance degradation increases when the number of indexers increases in the RSH

Workaround:
One possible workaround is to use a more efficient query. For example, use "| tstats count where index=main by splunk_server" instead of "index=main | stats count by splunk_server".


Another workaround is to change the max_workers_searchparser setting to a value lower than its default.

Use this workaround if you are using your Splunk Enterprise federated search head (FSH) instance only for running federated searches. This workaround might affect non-federated searches.

On the Splunk Enterprise FSH, follow these steps:

  1. Create limits.conf in a local/ folder.
  2. Set the max_workers_searchparser setting to a number lower than its default (1 or 2). For more information about this setting see the Admin Manual.
  3. Test which setting value provides a better performance.

2023-05-02 SPL-239436 In standard mode federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-14 SPL-238738, SPL-273098 Federated Search for Splunk does not support the "Show Source" Field Action
2023-04-10 SPL-238501 Federated search "outputlookup" command cannot add data to local lookup table

Workaround:
Define the same lookup on the remote search head too, so the remote search head will not error out early and return 0 results.
2022-10-19 SPL-231712 Create/Edit Role - In the UI, the "Wildcards" tool cannot be used to specify allowed federated indexes for standard mode federated search
2022-07-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround:
Use REST API to create the federated saved search instead:

curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1

See Federated search endpoint descriptions in the REST API Reference Manual.

2022-05-31 SPL-225037 Remote dataset dropdown menu resets to "Index" after selecting federated provider
2022-02-08 SPL-218841 Reporting command in verbose mode returns 0 events despite correct event_count
2021-10-14 SPL-213745, SPL-251131 Standard mode federated search: Unable to set federated index as default index

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2023-07-21 SPL-242301, SPL-231558 The UI trigger for summary rebuild doesn't work for some accelerated data models that have no root-event dataset and have a reporting command in first root search dataset

Workaround:
The workaround is to change the Data Model definition to reorder the root search objects such that the root search object that can be accelerated is the very first one in the list.

For instance, for the provided `test_internal_audit_logs.json`, edit the JSON file on disk and move `failed_searches` dataset before `fully_completed_searches`.

2023-04-06 SPL-238421 scheduler performance issues with high skipped search (user-prefs.conf contention for timezone)
2019-09-20 SPL-176812 Multiple SH Clustering with single deployer can't use datamodel summary sharing
2018-09-19 SPL-160286 The data preview for the Add Data workflow does not display for Log to Metrics source types
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-08-14 SPL-143947 Report acceleration is broken for users with a configured role-based access filter

Charting, reporting, and visualization issues

Date filed Issue number Description
2025-02-04 SPL-270271 Scheduled email exports of large dashboards compress images to approximately 1440 x 960 pixels, leading to blurry PDFs.

Workaround:
Reduce the dimensions of the dashboard, or split up large dashboards into separate smaller dashboards. Scheduled export compresses the studio dashboard to a resolution of approximately 1440 x 960 pixels before it is screenshotted for the PDF. Reducing the dimensions of the dashboard closer to this resolution should improve the visibility and quality of the export. If you split the dashboard into smaller dashboards, and schedule them to export separately, this effectively reduces the dimensions of each dashboard and improves the quality of each exported PDF.
2024-08-12 SPL-260620 Revert does not revert versions associated to permission changes
2023-06-08 SPL-240750 Inconsistency in displayed timezone in Dashboard Studio when using time range tokens
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


Distributed search and search head clustering issues

Date filed Issue number Description
2021-09-22 SPL-212495, SPL-196040, SPL-219811 Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles

Workaround:
none
2021-03-26 SPL-203060 The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:
  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Removes comments preceded by a hash.
  • Reorders the KV pairs alphanumerically within a stanza.
  • Reorders stanzas within the file.


2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-03-13 SPL-138654 Splunk searches fail when filepath gets too long on Windows

Data model and pivot issues

Date filed Issue number Description
2023-07-21 SPL-242301, SPL-231558 The UI trigger for summary rebuild doesn't work for some accelerated data models that have no root-event dataset and have a reporting command in first root search dataset

Workaround:
The workaround is to change the Data Model definition to reorder the root search objects such that the root search object that can be accelerated is the very first one in the list.

For instance, for the provided `test_internal_audit_logs.json`, edit the JSON file on disk and move `failed_searches` dataset before `fully_completed_searches`.

2019-09-20 SPL-176812 Multiple SH Clustering with single deployer can't use datamodel summary sharing

Universal forwarder issues

Date filed Issue number Description
2025-06-04 SPL-278604 Release notes content unavailable in docs for some versions of universal forwarder

Workaround:
Consult the Universal forwarder issues sections of the Splunk Enterprise known and fixed issues lists for the corresponding version.
2024-09-27 SPL-263518 Upgrade removes thruput processor and group=per_(source|sourcetype|index|host)_thruput in metrics.log for universalforwarders.

Workaround:
------ON UF ONLY-------

in default-mode.conf add following line

#Turn off a processor
[pipeline:indexerPipe]
disabled_processors= index_thruput, indexer, indexandforward, latencytracker, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor, s2soverhttpoutput, destination-key-processor



2022-08-17 SPL-228646, SPL-228645 Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
2022-03-23 SPL-221239 System Introspect App fails when universal forwarder is installed at non-admin user

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2025-06-23 SPL-279750, SPL-275509 After upgrade to 9.3.0+, UFs are reporting 'Failed to download app', while DS reports 'app does not exist on the server'. This issue does not appear if you configure the environment in such a way that each app is assigned to a maximum of one server class
2025-02-05 SPL-270345, SPL-280184, SPL-280185, SPL-280186, SPL-280187 MachineTypeFilter doesn't work when DS works in clustered mode - applications are getting wrongfully updated into clients when performing OS filtering in serverclass

Monitoring Console issues

Date filed Issue number Description
2024-06-28 SPL-258394 Health Report for destination output issues show Last 50 detailed logs in Indexer Cluster nodes but not in Search Head or Cluster Manager
2021-03-29 SPL-203100 Summary page on monitoring console doesn't show correct RF/SF when not running on the CM.
2019-11-13 SPL-179528 The splunktcp and splunktcp-ssl stanzas are not reloadable in inputs.conf
2017-08-14 SPL-143981 Uninstall app dialog does not show the app name correctly when the app doesn't have the label
2017-05-24 SPL-141982 Upload modal should use size=large File element
2017-04-19 SPL-141274 Clicking Install multiple times in Install dialog causes error
2016-11-14 SPL-132151 XML error when trying to download uninstalled app

Splunk Web and interface issues

Date filed Issue number Description
2025-05-19 SPL-277301 The default sourcetype has 'NO_BINARY_CHECK' as 'true' on Web UI while it's not set in props.conf

Workaround:
Either one of the below.

1. Modify 'props.conf'

2. Open the default sourcetype on Web UI, and click 'Save' (This action will add the setting to 'props.conf'.)

2024-05-09 SPL-255514 "| timechart count" search is causing Splunk to crash with "Crashing thread: searchOrchestrator"

Workaround:
When using a search with only the timechart command in a search:

| timechart count

Splunk instance will crash with "Crashing thread: searchOrchestrator". Currently there is no workaround other than not using this search string

2024-04-12 SPL-254077, SPL-241370 CIDR match for tstats with ipv6 addresses isn't supported

Workaround:
The tstats command currently doesn't filter events with CIDR match on fields that contain IPv6 addresses. Running tstats searches containing IPv6 addresses might result in the following error indicating that the addresses are treated as non-exact queries: 
Error in 'TsidxStats': WHERE clause is not an exact query

2024-04-04 SPL-253690, SPL-247255 Issue with Splunk Enterprise versions 9.1.x through 9.4.x when http proxy is used

Workaround:
An enhancement was introduced to the search process in Splunk Enterprise version 9.1.1 that optimizes searches by using the peer's IP address instead of querying DNS for the target peers. If an http_proxy is specified in the server.conf file, the enhancement causes the originating peer's IP address to fail to resolve. As a result, the IP address of the proxy, instead of the originating peer, is logged and utilized in the peers.csv file during search operations, causing the following error message to display in Splunk Web: "Received error from proxy server".


To disable the new DNS query optimization and eliminate the error, add the following setting to the distsearch.conf file: 


[distributedSearch]
useIPAddrAsHost=false

2023-06-09 SPL-240774 The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value

Workaround:
Perform field extractions by modifying your searches using other commands, such as the rex command or eval command.
2023-04-14 SPL-238738, SPL-273098 Federated Search for Splunk does not support the "Show Source" Field Action
2023-03-28 SPL-237902 Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy

Workaround:
Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include 'latest=now' in order to avoid time range inaccuracies. For example, if you want to get all events from the last 10 seconds starting at 01:00:10, the following search returns all events that occur between the time of 01:00:00 and 01:00:10, as expected.

index=main earliest=-10s latest=now

Running the same search without including 'latest=now' might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches. See Specify earliest relative time offset and latest time in ad hoc searches in the Splunk platform Search Manual.

2022-09-26 SPL-230673 Searches might not return all lookup values during search result enrichment. Affected searches include lookups with more duplicate entries than specified in the max_matches setting, and lookups larger than the value in the max_memtable_bytes setting.

Workaround:
Change the max_matches and max_memtable_bytes settings to values greater than the KV store size or the CSV lookup file size.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-05-31 SPL-225037 Remote dataset dropdown menu resets to "Index" after selecting federated provider
2021-12-21 SPL-216787 Searches are cancelled or time out when the user leaves the browser window or switches tabs.

Workaround:
Change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62.

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

2021-09-22 SPL-212495, SPL-196040, SPL-219811 Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles

Workaround:
none
2020-12-04 SPL-198284, SPL-231587 Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default

Workaround:
Set limits.conf back to default, by removing any override of max_searches_per_process.

For example: 

[search]
max_searches_per_process=1

to 

[search]
2020-08-31 SPL-194426 External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-02-12 SPL-183259 When generating LISPY for field values that are numbers (""), the values aren't deduplicated, which can cause slowdowns in certain scenarios

Workaround:
Dedup values in search before, for example:

instead of 

index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId]

add a stats or dedup in the subsearch: 

index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example: 

index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]
2020-01-10 SPL-181573 geostats provides incorrect results for lower zoom levels when split BY has a higher cardinality than globallimit.

Workaround:
- Increase globallimit to the value of "unique values" number mentioned in the warning message:

"The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count."

- Use very high globallimit in geostats and post process after if needed

- Don't use BY in geostats

- Use lower cardinality BY and/or higher globallimit in geostats

2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2017-04-04 SPL-140765 Splunk having problems extracting json file consisting of 68k plus key-value pairs
2016-11-29 SPL-133182 When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.

REST, Simple XML, and Advanced XML issues

Date filed Issue number Description
2020-07-28 SPL-192792 tsidxWritingLevel and other fields are set empty after updating index in UI
2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection

PDF issues

Date filed Issue number Description
2016-11-23 SPL-132925 Table data rows generated with the addcoltotals command do not show up in PDF

Workaround:
If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

Admin and CLI issues

Date filed Issue number Description
2024-04-01 SPL-253367, SPL-251833 You might receive a Bulletin message in Splunk Web from indexers and indexer cluster members that indicates a security risk warning for the allowed e-mail domains list for alert actions.

Workaround:
The following error appears: 
Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web.

You might receive this message multiple times, once for every indexer or indexer cluster member that is in your environment. It can happen any time that an indexer or indexer cluster member restarts.

If you receive this Bulletin message from an indexer or indexer cluster member, you can safely dismiss it without further action. If you receive the message from or while logged into a search head or search head cluster member, then the potential security risk that it indicates is valid. To address the problem, configure the list of internet domains to which the search head can send emails as part of alert actions, as described in Configure email notification for your Splunk instance in the Alerting Manual.

2021-03-26 SPL-203060 The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:
  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Removes comments preceded by a hash.
  • Reorders the KV pairs alphanumerically within a stanza.
  • Reorders stanzas within the file.


2020-07-28 SPL-192792 tsidxWritingLevel and other fields are set empty after updating index in UI
2020-04-14 SPL-186365 Users are able to create/clone knowledge objects into apps where they lack permissions
2019-08-05 SPL-174406, SPL-109254 Root unable to run splunk cli if SPLUNK_OS_USER is set
2018-08-13 SPL-158658 A timeout or slow response when accessing Splunk Web Licensing page

Workaround:
A timeout or slow performance of the license management page is caused by a build-up of historical license warning messages, which are processed every time the page is accessed. Can be verified by running this search on the License Manager:

| rest splunk_server=local /services/licenser/messages

If a high value is returned for that end point, you are likely affected. Log a support ticket with Splunk to obtain a license reset key, and apply the key to clear out any historical license warning messages. After the reset license is applied, the license management pages should load normally.

2017-11-29 SPL-146820 Unable to access some settings/manager pages (data model editor) if starting from the setup page of a non-visible app

Workaround:
Navigate to a visible app, such as the search and reporting app, and access the Splunk settings pages from that app context.
2016-11-09 SPL-131880 Reports/Alerts owned by the deleted user cannot be found in the Orphaned filter for the Reassign Knowledge Objects page

Uncategorized issues

Date filed Issue number Description
2025-06-19 SPL-279657, SPL-280226, SPL-280227, SPL-280228, SPL-280229, SPL-280230, SPL-280231, SPL-280232 Distributed search may lose information about bundles from cluster peers on new search generations, removes peers when best-effort mode is enabled.
2025-01-30 SPL-269946, SPL-272632, SPL-272633, SPL-272634, SPL-272740 Cascading bundle replication stuck: indexer peer going down during replication can block future replications if it comes back up

Workaround:
If cascading bundle replication is stuck, restart the captain or switch captaincy
2024-12-16 SPL-268110 Workload Management monitoring console dashboard shows memory usage exceeds the configured memory limit and the "CPU used (# of cores)" shows "0"

Workaround:
Set the Memory Limit % value to 100% for each workload pool.
2024-12-05 SPL-267487 Dashboard drilldown validation for non-http schemes is broken

Workaround:
If possible, create a new dashboard that contains the same content and manually remove the invalid URLs.

Otherwise, edit a dashboard with the invalid URL on the server.
Next, reload the in-memory cache for this dashboard by sending the following request: 

curl -X GET -k -u username:password "https://localhost:8089/services/data/ui/views/<dashboard-name>?refresh=true"


Where:
<dashboard-name> indicates a name of the edited dashboard.

2024-09-11 SPL-262543, SPL-261455 telemetry-metric local endpoint getting 401 errors
2022-04-06 SPL-222105 When all inherited roles are taken out from admin role, it will cause admin user failed to show other users even though all capabilities is set natively.

Workaround:
Two possible approaches:

1. Remove the option grantableRoles = admin from authorize.conf - this is not permanent workaround and will need to be done every time admin role is modified.

2. Add any capabilities that the other user roles have to the "admin" role.

2021-04-24 SPL-204740, SPL-204735 Deletion of a workload pool is allowed if there is a 'disabled' rule that is related to that workload pool and this can cause errors if the rule is re-enabled later

Workaround:
To prevent this issue: When you delete a workload pool, please make sure that you delete any disabled workload rules that are associated with that workload pool.

To resolve the issue if you encounter this: Disable or delete the workload rule that is associated with a workload pool that does not exist anymore.

2021-03-19 SPL-202682 The license usage report tab name is Previous 60 days, but the reports run over the last 30 days
2020-08-10 SPL-193389 Parallel upload is not supported in gcp-sse-kms encryption mode

Workaround:
In the volumes using gcp-sse-kms encryption mode, specify "remote.gs.upload_chunk_size = 0" to disable parallel upload.
2020-07-30 SPL-192936 Subsecond search - When you update metric.timestampResolution via the UI, it is not updated on the search head index.conf file. This does not affect search functionality.
2019-10-03 SPL-177447 Bundle replication takes longer than expected time for indexers that have bundleEnforcerBlacklist configured
2019-09-26 SPL-177144, SPL-177326 Under heavy search workload, the search memory usage estimation may be higher than actual usage
2019-09-25 SPL-177008, SPL-176710, SPL-177009 Workload management fails to enable for addition of a pool with 1% cpu and 1% memory
2019-09-16 SPL-176514 Offline rebuild of unsearchable bucket may lead to stale information in dbinspect searches
2019-09-13 SPL-176447 SmartStore: Migration uploads of auto_high_volume buckets can fail indefinitely due to an XFS bug

Workaround:
Before migration, lower the max_concurrent_uploads setting in server.conf to 2.

After migration, revert the setting to the default of 8.

2019-07-19 SPL-173449, SPL-173259 timezone isn't stored for start_time/end_time of rule schedule every_day/every_week/every_month
2019-03-26 SPL-168314 SmartStore standalone instance + Monitoring Console: Bootstrapping panel needs to reflect the standalone bootstrapping process
2018-03-20 SPL-152330, SPL-151992 After installing Splunk on Windows using msiexec and the "GENRANDOMPASSWORD=1" option (and if generated password ends with backslash) admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2017-05-09 SPL-141693 DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list.
2017-01-06 SPL-134707 Splunk restart does not create missing server.pem certificate on Windows

Workaround:
Use bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate.
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs
Last modified on 09 July, 2025
Welcome to Splunk Enterprise 9.4   Increased skipped search rate after upgrade to 9.0

This documentation applies to the following versions of Splunk® Enterprise: 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters