Splunk® Enterprise

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once.

Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features in this manual.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Date filed Issue number Description
2014-08-20 SPL-89640 When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts

Workaround:
Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Date filed Issue number Description
2018-08-16 SPL-158931, SPL-160031, SPL-156983, SPL-158938, SPL-160030 Suppress introspection errors from bulletin board on Cloud instances

Workaround:
To correct the issue, support removes both the inputs.conf and the inputs.conf.spec file so that introspection does not try to run the script.
2018-02-08 SPL-148976, SPL-114085 When a *.tgz file was read, the result was "finished reading" but the percent still showing 0%.
2017-12-11 SPL-147222, SPL-127642 Powershell log file "splunk-powershell.ps1.log" never rolls
2017-09-11 SPL-144794, SPL-133461 Compressed files are deleted from sinkhole even if decompression fails
2016-11-26 SPL-132974, SPL-130819 CHECK_METHOD = modtime not working as expected

Workaround:
Within inputs.conf, for the CHECK_METHOD = modtime stanza, set initCrcLength to be larger than the largest file picked up by this stanza.
2016-10-27 SPL-130962, SPL-137275, SPL-143682, SPL-147663 Files are not getting ingested if there is missing eol
2016-09-14 SPL-129166, SPL-130569, SPL-130811 AWS TA s3 data collection performance degradation in Splunk 6.5.0

Workaround:
Upgrade Splunk to 6.5.1 or higher.
2015-11-12 SPL-109362 When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage
2015-05-22 SPL-101981 Field extractions do not work when sourcetypes use quotes in the Getting Data In interface.
2015-03-17 SPL-98163 INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL

Workaround:
Create a separate extraction in props.conf where defined w3c extraction method:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

2014-03-10 SPL-81637 Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
2013-10-29 SPL-75764 Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.
2013-09-10 SPL-74209, SPL-74167 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >).

Workaround:
Specify the persistentQueue explicitly in the input definition.

Search issues

Date filed Issue number Description
2019-05-22 SPL-170977, SPL-130503 CEXC: Field order not preserved in generating reporting custom commands

Workaround:
Use a {{|table}} command following the custom search command to reorder the fields.
2018-06-22 SPL-156141, SPL-146147 Search crashes when using lookup tables that are frequently updated

Workaround:
On the crashing peer (could be SH, Indexer or both) set the below in limits.conf:

max_memtable_bytes = 2*<size of the largest lookup>

example search to find the biggest lookups:

index=_* sourcetype=audittrail path=*lookups* size=* | stats max(size) AS size BY host, path | append [| rest services/server/introspection/kvstore/collectionstats | mvexpand data | table splunk_server title data | spath input=data | fields splunk_server size ns ] | eval host=coalesce(host,splunk_server) | fields host path ns size | sort size | head 1

2018-01-10 SPL-148042, SPL-148047, SPL-148048, SPL-148049 datamodel command flat search does not work properly
2017-06-05 SPL-142239 After upgrading to 6.5.x, significant increase in search dispatch times (Job Inspector: startup.handoff) and count of "skipped" and "continued" searches due to delays in search process reuse

Workaround:
Disable search process reuse on the SHs and indexers using this workaround:

limits.conf [search] max_searches_per_process = 1

2017-05-25 SPL-142008, SPL-131720 Search message reporting slow configuration initialization should not be shown to cloud customers (users & admins)
2017-04-26 SPL-141444, SPL-135787 Periodic Crash On Enterprise Security Search Head
2017-04-20 SPL-141299, SPL-126101 The median function is incorrect if the number of values is even. Documentation implied "perc_method=interpolated" was default, but actually defaults to nearest-rank
2017-04-19 SPL-141255, SPL-141118 Fix Memory leak in OptimizationDoc
2017-03-28 SPL-140481, SPL-144789 Error of the form "in 'SearchParser': The name 'shell_filter_guest_wireless ' is invalid" received when searching.
2017-03-10 SPL-138521, SPL-141459, SPL-141005, SPL-141409, SPL-141460 Search failing with: 'Streamed search execute failed because: JournalSliceDirectory: Cannot seek to rawdata offset 0' causing alert to be fired
2017-02-15 SPL-136892, SPL-112368 Search process memory tracker not performing as expected, allows the memory usage of search processes to grow well over the configured limit
2017-02-07 SPL-136386, SPL-137263, SPL-137264, SPL-137265, SPL-137266 stats table with reltime breaks the Sparkline

Workaround:
Set the following in $SPLUNK_HOME/etc/apps/search/local/commands.conf

[reltime] supports_multivalues = true

2017-01-06 SPL-134715 Long-running searches using Safari browser terminate with "Unknown sid" error

Workaround:
1. Use a browser other than Safari

2. If using Safari browser, keep the tab where the search is running in focus at all times, until the search has completed.

2016-11-29 SPL-133182 When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.
2016-11-21 SPL-132687, SPL-132331 Search Optimization - Predicate push of Search Cmds via Renames containing space and special characters should be quoted

Workaround:
use where command instead of search.

Example :

| inputlookup fault.csv | rename "F 2" AS X | where X=1


2016-11-14 SPL-132181, SPL-131778 Optimization is incorrectly pushing operations across stats that have different semantics for multivalued and single valued fields
2016-11-07 SPL-131699, SPL-134631, SPL-134632 lookup command doesn't match CIDR event fields to all matching fields in the lookup table

Workaround:

sort the lookup table to have the most specific CIDR first (i.e. move the /32 at the top)

2016-10-27 SPL-131015, SPL-129846 backslash \ character in search terms outside of quote pairs is not working correctly in search strings in 6.5

Workaround:
For a search like: index=_audit \[*\]

1. Add quotes: index=_audit "\[*\]" 2. Turn off search optimization for that search: append | noop search_optimization=f 3. Turn off search optimization for all searches: limits..conf [search_optmization] enabled=false

2016-10-26 SPL-130888, SPL-130025 Order of Apps in dropdown menu not consistent from Launcher Home
2016-10-24 SPL-130706 Incorrect search results when search terms include a calculated field and search optimization is turned on

Workaround:
Use the "search" command instead of "where" command.

Use " | noop search_optimization=f " at the end of the search.

Use " | where "admin" = user "


2016-10-18 SPL-130470 Merging of a Calculated field with base search gives inconsistent results
2016-10-17 SPL-130393, SPL-136348, SPL-136347, SPL-136349 When searching over multiple indexes using disjoint time ranges in fast mode, commands which trigger batch search mode, such as stats and table, return 0 results
2016-10-13 SPL-130257 Dataset doesn't work if user has name with non-ascii characters
2016-10-10 SPL-129956 Memory leak in Chrome/Firefox with realtime searches after 6.2

Workaround:
Likely workaround would be to reduce the dashboard refresh interval.
2016-10-07 SPL-129907, SPL-131250 Tabs within a dashboard post-process search query cause the search to return no results

Workaround:
Replace all tab characters with spaces in dashboard Simple XML source code.
2016-10-06 SPL-129846, SPL-131015, SPL-131454 The backslash \ character in search terms outside of quote pairs is not working correctly in search strings

Workaround:
For a search like: index=_audit \[*\]


Add quotes: index=_audit "\[*\]"

OR) Turn off search optimization for that search: append | noop search_optimization=f

2016-09-15 SPL-128845, SPL-131106, SPL-131108, SPL-145346 Distributed Search: Deployment -- inaccurate Average/Max Time to Reap Dispatch Directory value
2016-06-23 SPL-123344 Bolt image fails to render when splunk is running behind the reverse proxy with a root_endpoint
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


2016-03-31 SPL-116930, SPL-111939 The report "save as report" and "edit search" dialogs allow to accelerate a search that uses macros, eventtypes or tags even though we do not fully support that
2016-03-17 SPL-116082 Custom search commands that are defined for only a specific user will no longer run.
2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-17 SPL-103247 Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted.
2015-04-23 SPL-100170 Automatic Lookups limitation: No results returned in Smart Mode when there are nested lookups and the intermediate field is not mentioned in the search.
2014-12-22 SPL-94910 The replace function does not apply to fields names with an underscore in them.

Workaround:
Rename the fields before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-11-13 SPL-93039 The relevancy search command does not work, always returning 0 or -inf.
2014-10-02 SPL-91638, SPL-107375 For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
2014-09-15 SPL-90861, SPL-90396, SPL-90886 If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log.
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-03-27 SPL-82357 The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
2014-03-15 SPL-81934 For clusters, may be unable to open search results output file for search results in a cluster.

Workaround:
Write to a temp file and rename to the target file.
2014-02-21 SPL-80942 Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
2013-12-18 SPL-78179 REST /saved/searches App names with special characters have invalid links.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-07-24 SPL-143307, SPL-130818 When viewing custom time alert from email, custom time of alert triggered changes to the current time when clicking View Events from results table.
2017-04-21 SPL-141332, SPL-141138 acceleration.manual_rebuilds in datamodels.conf.spec lists lookup updates as a reason for rebuilding
2017-04-06 SPL-140886, SPL-130809 Backfill script may cause scheduled search to be re-ran after restart.
2017-02-28 SPL-137740, SPL-138471, SPL-138698 request.ui_dispatch_app parameter is ignored when constructing view link for the report and alert emails
2017-02-01 SPL-136101, SPL-134527 (Ivory) - Customer is missing email alerts - only message is "ERROR sendemail:1199 - expected string or buffer"
2016-12-21 SPL-134392 datamodels with a baseSearch that references the same datamodel leads to unstable Splunk instance
2016-11-01 SPL-131173, SPL-138169 Alert emails fail when custom SSL cert uses $SPLUNK_HOME

Workaround:
Changing server.conf paths to absolute worked around the issue.
2016-10-31 SPL-131111, SPL-134375 Sporadically, scheduled searches delayed or skipped on search-head cluster
2016-10-20 SPL-130574, SPL-131933 Crashing thread: TcpChannelThread
2016-10-07 SPL-129870, SPL-130165 PDF and CSV attachments don't show up when viewing email on iPhone's default mail application

Workaround:
Use plain text email instead of HTML.
2016-09-23 SPL-129285 The search scheduler (SavedSplunker) has scaling problems with high disabled user count and external auth systems (SAML & LDAP)
2016-09-16 SPL-128919, SPL-148007, SPL-148008, SPL-148009, SPL-148010, CIM-428, CIM-426 The returning of sendalert command doesn't honor owner options
2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain
2015-04-09 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2

Workaround:
Reduce length of name of the app and report acceleration searches will run properly within the context of the app.
2014-08-15 SPL-89332 Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-10 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Charting, reporting, and visualization issues

Date filed Issue number Description
2018-07-23 SPL-157750, SPL-157747 Remote Code Execution through /pdfgen/render endpoint
2017-07-24 SPL-143311, SPL-78612 Deleting a dashboard with a scheduled PDF does not also delete the scheduled view on stand alone SH
2017-02-10 SPL-136610, SPL-140678, SPL-140679 Dashboard *Convert to HTML* loses refresh attributes from base search.
2016-12-13 SPL-133981, SPL-136640 Drilldown search is not displaying results upon initial page load
2016-11-11 SPL-132001, SPL-126774, SPL-134448, SPL-134457 Regression: Cannot launch UI Tour from dashboard
2016-11-04 SPL-131452 Dashboard editor raises a validation warning when "depends" or "rejects" attributes are added to a time input
2016-10-21 SPL-130646, SPL-131934 token value does not reflect a label name in 6.5.0

Workaround:
Converting the dashboard to HTML will solve this issue.
2016-10-10 SPL-129956 Memory leak in Chrome/Firefox with realtime searches after 6.2

Workaround:
Likely workaround would be to reduce the dashboard refresh interval.
2016-10-07 SPL-129871, SPL-133321 Changing the timerange value from the edit input dropdown, does not update the timerange value of the time input element on the dashboard
2016-10-07 SPL-129907, SPL-131250 Tabs within a dashboard post-process search query cause the search to return no results

Workaround:
Replace all tab characters with spaces in dashboard Simple XML source code.
2016-09-15 SPL-128819, SPL-130243, SPL-130245 Editing panel in dashboard removes charting.legend.masterlegend option

Workaround:
Use <option name="charting.legend.masterLegend">null</option>
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


2015-03-31 SPL-98890 Maps printed from Report page do not honor custom zoom and center.
2015-02-23 SPL-97193 The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string.

Data model and pivot issues

Date filed Issue number Description
2017-04-21 SPL-141332, SPL-141138 acceleration.manual_rebuilds in datamodels.conf.spec lists lookup updates as a reason for rebuilding
2016-12-21 SPL-134392 datamodels with a baseSearch that references the same datamodel leads to unstable Splunk instance
2016-11-01 SPL-131204, SPL-131334 Set action to 'Open in Search' for reports containing 'pivot' followed by other commands (multiple pipes)
2016-10-20 SPL-130574, SPL-131933 Crashing thread: TcpChannelThread
2014-12-08 SPL-94047, SPL-98628 While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-11 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
2014-03-10 SPL-81645 Data model exhibits sticky UI when "transaction group by object" name has a single (x) character.
2014-03-07 SPL-81538 When using Pivot, stack mode is lost when "Scatter Chart" is selected.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Indexer and indexer clustering issues

Date filed Issue number Description
2018-03-15 SPL-152168 Batch-mode retry can return more or less events than it should due to reordering from thread pool processing.

Workaround:
Before you initiate searchable rolling restart or rolling upgrade, make sure the search_retry attribute in the [search] stanza of limits.conf is set to false (the default).


If you have scheduled searches that must complete, either increase the value of decommission_search_jobs_wait_secs (default=180s) in server.conf, or do not run searchable rolling restart or rolling upgrade during the search's timeframe.

2017-02-14 SPL-136737, SPL-100516 Events deleted in an index cluster via the delete search operator may be inconsistently deleted on secondaries
2017-02-13 SPL-136735, SPL-100516 Events deleted in an index cluster via the delete search operator may be inconsistently deleted on secondaries
2016-08-25 SPL-127353 Data rebalance finishes early when one peer is the source for all buckets

Workaround:
when only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time
2016-07-14 SPL-124243 indexer cluster data rebalance does not balance primary copies by index
2015-05-08 SPL-101184 Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer.
2014-10-13 SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-09-29 SPL-91432 On Windows when the master is down, the CLI command splunk offlinehangs when run from one of the streaming target peers.
2014-09-08 SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-08-29 SPL-90331 Multi-site indexer cluster doesn't meet replication factor/search head factor due to bucket issue.

Workaround:
From the endpoint, add the buckets missing RF/SF to the to_fix list.

endpoint: https://[host]:[port]/services/cluster/master/buckets/{bucket_id}/fix

2014-07-29 SPL-87816 When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza.

Workaround:
Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
2014-07-14 SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-04-29 SPL-83636 If you first configure a master with default RF/SF and then give the misconfiguration command, you get an error message that is wrong.
2014-04-17 SPL-83169 on Windows, if peers' Windows explorer not closed for long enough time, adding a new index still requres a peer restart, not reload
2014-03-18 SPL-82038 Cluster-config does not work if a parameter value includes a space character.
2014-03-17 SPL-81955 Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed.
2014-01-06 SPL-78688 Peer is able to change to an invalid (empty) replication port
2013-08-06 SPL-72484 You cannot use the CLI to delete an index with a capital letter in its name.
2013-07-03 SPL-70433 Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps.

Distributed search and search head clustering issues

Date filed Issue number Description
2018-05-10 SPL-154402, SPL-155043, SPL-155808, SPL-155820 SHC: alert suppression may fail during restart due to timing issues
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-10-02 SPL-145346, SPL-128845 Distributed Search: Deployment -- inaccurate Average/Max Time to Reap Dispatch Directory value
2017-06-20 SPL-142528, SPL-132443 Search bundle synchronous replication delayed by pro-active bundle lookup indexing.
2017-04-04 SPL-140831, SPL-142888, SPL-142889 Splunk not cleaning up $SPLUNK_HOME/var/run/searchpeers of .delta files and matching directories whose only non-empty subdirectory has the .index extension

Workaround:
Increase max_memtable_bytes under [lookup] inside limits.conf so that the largest lookup won't get indexed.
2017-03-31 SPL-140662, SPL-137319 Search head cluster member can't recover from REMOTE_CHKSUM_UNMATCHED error during bundle replication after SHC captaincy.

Workaround:
Restart the search-head which is issuing failed checksum warnings during searches. Saved jobs (ie. results from searches stored for further usage) that showed those warnings will not be repaired, they need to be re-ran.
2017-03-03 SPL-138048, SPL-132295 Excessive "Inconsistent bundles" Logging
2017-02-21 SPL-137168, SPL-135037 loadjob artifact offset not honored in SHC
2017-02-16 SPL-137016, SPL-130771 Improvement for "Rejecting expired token" Warning Message
2017-02-16 SPL-137017, SPL-130771 Improvement for "Rejecting expired token" Warning Message
2017-01-30 SPL-135941, SPL-136243, SPL-136245, SPL-136246 Subsearch ignores default distributed search group in distsearch.conf
2017-01-20 SPL-135367, SPL-135743, SPL-135744 Total concurrency deals with only scheduler-enabled peers in an SHC, leading to lower concurrency limits cluster-wide.
2017-01-09 SPL-134836, SPL-133482, SPL-135741, SPL-135742 SHC captain with captain_is_adhoc_searchhead=1 delegates skipping of searches after cluster-wide concurrency limit reached.
2016-12-21 SPL-134395, SPL-135069 Callout member names in the error message logged on detecting version mismatch
2016-12-03 SPL-133450, SPL-134083, SPL-134084, SPL-134427 6.5+ splunk does full bundle replication everytime - slowing down the system
2016-11-22 SPL-132801, SPL-129943 metrics.log Metrics reporting gaps due to contention with bundle replication
2016-11-10 SPL-131908, SPL-131030 Clarify fetch_remote_search_log in limits.conf.spec
2016-11-10 SPL-131909, SPL-131030 Clarify fetch_remote_search_log in limits.conf.spec
2016-11-03 SPL-131398, SPL-132804, SPL-132805, SPL-132807, SPL-132890 Search head cluster contention on Linux due to poor hashing inside OpenSSL's error container.
2016-10-31 SPL-131108, SPL-128845 Distributed Search: Deployment -- inaccurate Average/Max Time to Reap Dispatch Directory value
2016-10-31 SPL-131111, SPL-134375 Sporadically, scheduled searches delayed or skipped on search-head cluster
2016-10-24 SPL-130745, SPL-125447 SHC nodes overloaded with jobs waiting at 100% or 0%
2016-10-18 SPL-130444, SPL-152625, SPL-152626, SPL-152627 SHC: alert suppression may fail during restart if suppression information does not exist locally on member
2016-09-21 SPL-129098, SPL-129043 applying rolling restart to SHC destroys forward-server configuration

Workaround:
Append the following in server.conf "outputs:indexer_discovery:pass4SymmKey"

example: encrypt_fields = "server: :sslKeysfilePassword", "server: :sslPassword", "server: :pass4SymmKey", "server: :password", "outputs:tcpout:sslPassword", "inputs:SSL:password", "inputs:SSL:sslPassword", "alert_actions:email:auth_password", "app:credential:password", "app:credential:sslPassword", "passwords:credential:password", "passwords:credential:sslPassword", "authentication: :bindDNpassword", "authentication: :sslKeysfilePassword", "authentication: :attributeQuerySoapPassword", "authentication: :sslPassword", "web:settings:privKeyPassword", "web:settings:sslPassword", "server:indexer_discovery:pass4SymmKey", "server:clustermaster:pass4SymmKey", "server:dmc:pass4SymmKey", "outputs:indexer_discovery:pass4SymmKey"

2016-09-19 SPL-129014, SPL-129012 The spec file for election_timeout_ms need to be updated as the information about HB is wrong
2016-07-17 SPL-124443 Incorrect user level concurrent search calculation causes user searches to be skipped
2016-07-12 SPL-124085 On Search Head Cluster It is not possible to remove an App from the SHs once it has been disabled.
2016-06-13 SPL-122602, SPL-128604, SPL-128605 Memory leak triggered by reloading splunkd SSL servers without restarting the process.

Workaround:
Two options:

1. Update db_connect app. 2. Add the following to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/server.conf:

[shclustering] conf_replication_include.inputs = false

2016-05-23 SPL-121147 Long file path (>255 characters) can break the tarball creation and lead to snapshot creation failure

Workaround:
Remove the files with long names. Or rename them to shorter names.

Verify that the snapshots can be created successfully in Template:Var/run/splunk/snapshot folder. Also no more "Error creating snapshot" message is logged in splunkd.log.

2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-02-26 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files.

Workaround:
The allowable size of the download can be increased by setting the following in server.conf.

[httpServer] max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is:

[Endpoint - Local Processes Tracker - Lookup Gen]

2014-08-25 SPL-90028 Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-08-14 SPL-89131 In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-08-02 SPL-88228 When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.

Universal forwarder issues

Date filed Issue number Description
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day

Workaround:
In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.

Workaround:
To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2017-05-12 SPL-141772, SPL-161042, SPL-161043, SPL-161044, SPL-161045, SPL-161046 App deployment fails sporadically on Windows
2014-10-02 SPL-91648, SPL-91358 Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-08-15 SPL-89333 Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-06-20 SPL-85739 When running a high number of deployment clients for a server, memory growth may be excessive.

Workaround:
To mitigate this, set forceHttp10=always.

Monitoring Console/DMC issues

Date filed Issue number Description
2019-01-24 SPL-165397, SPL-160335 No custom checklist item examples in checklist.conf.spec
2019-01-23 SPL-165338, SPL-160335 No custom checklist item examples in checklist.conf.spec
2017-11-07 SPL-146244, SPL-146097 Typo in split by dropdown of Monitoring Console's License usage dashboard
2017-04-12 SPL-141091 Health Check - "Local indexing on non-indexer instance" check triggered on stand-alone instance
2017-03-16 SPL-138918, SPL-153498, SPL-153766, SPL-153767, SPL-153768 Mount points are not listed correctly in "Average I/O Usage and Performance" panel of Monitoring Console
2016-10-12 SPL-130183 Drilldown search for the "Search scheduler skip ratio" Monitoring Console health-check runs against all time instead of last 60 minutes

Workaround:
You can edit this particular check and add "earliest=-60m" as a search term.
2016-09-15 SPL-128845, SPL-131106, SPL-131108, SPL-145346 Distributed Search: Deployment -- inaccurate Average/Max Time to Reap Dispatch Directory value

Splunk Web and interface issues

Date filed Issue number Description
2018-07-23 SPL-157750, SPL-157747 Remote Code Execution through /pdfgen/render endpoint
2018-02-06 SPL-148893, SPL-138306, SPL-155438, SPL-158929 Cross Site Request Forgery in Splunk Enterprise REST APIs
2017-09-18 SPL-145017, SPL-146558 Multibyte Chinese, Japanese characters in search bar is broken during typing in IE-11
2017-06-22 SPL-142605, SPL-144510, SPL-144511, SPL-144512 Page loads slowly when there are more global saved searches
2017-03-10 SPL-138546, SPL-141498, SPL-141499 Incorrect "Cron schedule description" for Powershell v3 Modular Input
2017-03-07 SPL-138306, SPL-138309, SPL-138310, SPL-138311, SPL-138312, SPL-138313, SPL-138314, SPL-138315, SPL-138316, SPL-138645, SPL-148893, SPL-158969, SPL-167693 Cross Site Request Forgery in Splunk Enterprise REST APIs
2017-01-31 SPL-135977, SPL-138886, SPL-138887 Improve error message on SSL errors on "browse more apps" page
2017-01-09 SPL-134802, SPL-135226, SPL-135227 POST to parser endpoint fails on loading search app
2016-12-21 SPL-134397 Multibyte Korean characters in search bar is broken during typing in IE-11
2016-11-23 SPL-132920, SPL-133902 Multibyte characters in search bar is broken during typing in Chrome
2016-11-14 SPL-132133 App Browser filtering of the apps does not work
2016-11-02 SPL-131300, SPL-134160, SPL-132537, SPL-132538 Mssing time change for the -6:00 Time Zone. Guadalajara Mexico City Monterrey
2016-10-26 SPL-130888, SPL-130025 Order of Apps in dropdown menu not consistent from Launcher Home
2016-10-21 SPL-130664, SPL-133074 Events table and list render badly in Safari 10
2016-10-12 SPL-130165, SPL-129870 PDF and CSV attachments don't show up when viewing email on iPhone's default mail application

Workaround:
Use plain text email instead of HTML.
2016-10-12 SPL-130119, SPL-132568 azerty keyboard (French) cannot type a number using DATASET
2016-09-29 SPL-129476 search is always "parsing job...." after upgrading to 6.5

Workaround:
Clear browser cache and run the search again.
2016-06-23 SPL-123344 Bolt image fails to render when splunk is running behind the reverse proxy with a root_endpoint
2016-04-06 SPL-117217, SPL-117137 When using appServerPorts = 0 and SSL Splunkweb will not start in 6.4.0

Workaround:
Set appServerPorts to its default value of 8065 (or to any other non-zero value).
2016-03-31 SPL-116930, SPL-111939 The report "save as report" and "edit search" dialogs allow to accelerate a search that uses macros, eventtypes or tags even though we do not fully support that
2016-03-22 SPL-116263, SPL-116110 German dropdowns for Alert Expiration have incorrect wording

Workaround:
1. Take backup of messages.mo and messages.po in:

/Applications/Splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/locale/de_DE/LC_MESSAGES/

2. In file "messages.po" search for :

Nach 2 Stunden Nach 7 Stunden

And replace with:

Nach 2 Tagen Nach 7 Tagen

3. Recompile messages.po file into a new messages.mo (can use http://po2mo.net/. NOTE this is just a test, do not know what else this site adds to the .mo file).

4. Copy the new messages.mo into :

/Applications/Splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/locale/de_DE/LC_MESSAGES/

6. restart splunk.

Now dropdown appears with correct translation

2015-11-09 SPL-109165 Interactive Field Extractor hangs when using "^" as delimiter.

Workaround:
Use props and transforms to specify the delimiter of your choice.
2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-30 SPL-103701 Actions links should be removed for "Apps Browser"
2014-07-16 SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-02-26 SPL-81103 Username surrounded by dollar signs cannot create saved searches.
2013-11-20 SPL-76798 Time range picker is not customizable via times.conf the same as version 5 or as suggested by docs.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Windows-specific issues

Date filed Issue number Description
2018-03-02 SPL-151500 "splunk btool server list" give misleading information for queue queue=exec and queue=execProcessorInternalQ.
2016-11-28 SPL-133009, SPL-122692 Continuous splunk-winprintmon failures reported
2016-11-02 SPL-131265, SPL-126708 splunk-perfmon.exe locked a file unexpectedly
2016-08-18 SPL-126979 On Windows, if you specify both start_from = newest and current_only = 0 in inputs.conf, this triggers the indexing of duplicate events.
2015-11-13 SPL-109430 In Windows only, inheritance is broken for folders created by splunkd. Files created are accessible only to the user as whom splunkd is running.
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-01 SPL-98978 On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time.

Workaround:
To fix the problem, restart Windows on the forwarder.


2014-09-25 SPL-91279 Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles.

Workaround:
See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.

Rest, Simple XML, and Advanced XML issues

Date filed Issue number Description
2016-10-31 SPL-131072 Datamodel backend allows invalid time values
2013-05-15 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

Authentication and Authorization issues

For a list of security issues, please see the Security Advisory. A list of all recent advisories can be found in the Security Portal.

Date filed Issue number Description
2018-07-23 SPL-157750, SPL-157747 Remote Code Execution through /pdfgen/render endpoint
2018-06-08 SPL-155380 SavedSearchHistory::prune_history() does not prune if search owner doesn't exist
2018-02-06 SPL-148893, SPL-138306, SPL-155438, SPL-158929 Cross Site Request Forgery in Splunk Enterprise REST APIs
2017-04-06 SPL-140901, SPL-142018, SPL-142019 user-seed.conf.spec "how to" steps do not work

Workaround:
## Work-Around 1 ##
  • Place the user-seed.conf into the $SPLUNK_HOME/etc/system/local/ directory.
  • Delete the "passwd" file from $SPLUNK_HOME/etc/.
  • Restart Splunk
    1. Work-Around 2 ##
  • Prior to installation, create the folder path $SPLUNK_HOME/etc/system/local/.
  • Place the user-seed.conf into that path.
  • Install Splunk.
2017-03-24 SPL-140370, SPL-137028 SHC captain crashes after deploying changes in authentication.conf
2017-03-07 SPL-138306, SPL-138309, SPL-138310, SPL-138311, SPL-138312, SPL-138313, SPL-138314, SPL-138315, SPL-138316, SPL-138645, SPL-148893, SPL-158969, SPL-167693 Cross Site Request Forgery in Splunk Enterprise REST APIs
2016-12-22 SPL-134444, SPL-119588 Credential Manager /services/storage/passwords stops working when decrypted password is not utf8
2016-11-24 SPL-132949, SPL-137123 indexer complains "Failed to get LDAP user" for search head local user on 6.5.x
2016-10-24 SPL-130771, SPL-137016, SPL-137017, SPL-137018 Improvement for "Rejecting expired token" Warning Message
2016-10-11 SPL-130062, SPL-125654 Splunk authentication audit logs do not contain the source address of the attempt
2016-07-26 SPL-125052 Sole Admin can demote his/herself to Power without path of recovery in GUI

Workaround:
Through the command line, you can open notepad and modify the password file to regain 'Admin' status.
2016-06-22 SPL-123301, SPL-95164, SPL-167968 Aggressive calls to LDAP for non-existent/inactive users causes slow logins, performance issues/ skipped searches/ indexing pause
2016-05-02 SPL-119333 SSO setup should not let the user to configure Duo2FA
2016-04-25 SPL-118713 SAML and SSO should be mutually exclusive
2015-11-13 SPL-109427 LDAP SSL no longer working in Splunk 6.3 (and later) for Windows 2003

Workaround:

The workaround is to 1) obtain Ciphers configured on Windows AD 2003 server. 2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it. The following is a working TLS_CIPHER_SUITE for one of the customers: {noformat} TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5 {noformat}

2012-02-22 SPL-48342 LDAP strategy host field cannot work with ipv6 format address but computer name is okay

Admin and CLI issues

Date filed Issue number Description
2018-11-01 SPL-162465, SPL-142345 SHOULD_LINEMERGE always shows true on UI when there is a LINE_BREAKER setting in sourcetype
2018-10-09 SPL-161134, SPL-142345 SHOULD_LINEMERGE always shows true on UI when there is a LINE_BREAKER setting in sourcetype
2017-10-10 SPL-145579, SPL-148877, SPL-152205, SPL-152206, SPL-152207, SPL-152208, SPL-152209 chkconfig directive missing for AWS with enable boot-start
2017-05-12 SPL-141771, SPL-146926, SPL-146927, SPL-146928, SPL-149185, SPL-149186 Starting Splunk via the CLI may fail or cause problems if service runs as a domain user and some storage is on a remote share

Workaround:
Use SCM (e.g., sc.exe) rather than CLI.


2017-04-11 SPL-141051 When LINE_BREAKER is defined for a sourcetype, UI forces SHOULD_LINEMERGE to true

Workaround:
None in Splunk Cloud.

For on-prem, manually edit the props.conf file to set SHOULD_LINEMERGE to 'false'.

2017-02-16 SPL-136970, SPL-156715, SPL-158503, SPL-158504 default and local meta files getting corrupted or being altered in such a way as to cause warnings
2017-01-12 SPL-135005 Datamodel Editor: Empties out non-visible internal field (i.e. comment)
2016-12-02 SPL-133442, SPL-138163 If app name is over 30 characters, there will be no space between fields of "display app" cli command

Workaround:
A workaround to rename the app.
2016-11-29 SPL-133192 Edit Acceleration window is empty if you create report with an incorrect search
2016-11-27 SPL-132996 The shcluster-bundle command ignores mis-spelled or unknown parameters silently, which might produce unintended consequences
2016-11-14 SPL-132078 Running jobs should not be marked as expired
2016-11-10 SPL-131908, SPL-131030 Clarify fetch_remote_search_log in limits.conf.spec
2016-11-10 SPL-131909, SPL-131030 Clarify fetch_remote_search_log in limits.conf.spec
2016-10-17 SPL-130356, SPL-124349 Update display.page.search.mode=verbose description in spec file
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-03-11 SPL-97942 Capability defined in an app does not take effect when assigned to a role

Workaround:
The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:

[search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table

2014-04-07 SPL-82699 SSO: Acceleration icon fails to display in Searches, Reports, and Alerts page.
2013-05-25 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.

Workaround:
Set server.conf [applicationsManager] allowInternetAccess = false
2013-05-02 SPL-66511 If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.

Unsorted issues

Date filed Issue number Description
2019-02-08 SPL-166228, SPL-166798, SPL-167655 Splunk crashes in _mongoc_openssl_ctx_new on shutdown
2019-01-15 SPL-164976, SPL-164862 After migration, Splunk Cloud customer seeing unexpected large increase in outbound network bandwidth from forwarders
2018-08-16 SPL-158904 Add some clarification regarding internal logs after enabling SplunkForwarder app.
2018-08-15 SPL-158875, SPL-159174, SPL-159613, SPL-159614, SPL-159644 splunk shipped python in *nix doesn't work with iso2022_jp
2018-05-08 SPL-154263 Splunk diag fails on files with modification time before 1970, "error: integer out of range for 'l' format code".

Workaround:
Change the timestamps of any files under SPLUNK_HOME dated prior to 1970.
2018-03-15 SPL-152196, SPL-144080 Splunk Forwarder crashes if EVENT_BREAKER_ENABLE is specified for a WMI input
2017-08-21 SPL-144215 LM has no enforcement license. still being locked out on violation
2017-07-26 SPL-143376 Unable to export results to CSV: ERR_INVALID_RESPONSE
2017-07-26 SPL-143398, SPL-147086, SPL-147088, SPL-147089, SPL-147148 Slow license master response times after upgrade to 6.5 due to __tz_convert() bottleneck and extensive debug logging calls for lots of warnings

Workaround:
Maybe: http://stackoverflow.com/a/17697733
2017-05-12 SPL-141770 Windows Installer fails to upgrade and breaks Splunk if service runs as a domain user and some storage is on a remote share
2017-05-04 SPL-141621, SPL-142821, SPL-142819, SPL-142820, SPL-142822 When "Use Deployment Server" option is selected on Deployment Server, "userDeploymentServer=1" config gets wrong propagated to the Deployment Clients, because of which "HTTP Event Collector" on the clients stop accepting valid tokens
2017-01-05 SPL-134638, SPL-143382, SPL-143400, SPL-144110 Slow license master response times after upgrade to 6.5

Workaround:
Maybe: http://stackoverflow.com/a/17697733
2016-12-05 SPL-133509, SPL-118161 Windows Installer fails if wrong version of difxapi.dll
2016-11-28 SPL-133012 Debian installer leaves files owned by unknown user
2016-11-03 SPL-131328, SPL-128480 Splunk fails to validate file system on macOS sierra (10.12) with HFS

Workaround:
Manually verify that OSX has supported file system and set Template:OPTIMISTIC ABOUT FILE LOCKING = 1 in environment variables or in Template:$SPLUNK HOME/etc/splunk-launch.conf
2016-11-03 SPL-131329, SPL-128480 Splunk fails to validate file system on macOS sierra (10.12) with HFS

Workaround:
Manually verify that OSX has supported file system and set Template:OPTIMISTIC ABOUT FILE LOCKING = 1 in environment variables or in Template:$SPLUNK HOME/etc/splunk-launch.conf
2016-09-07 SPL-128260 Instrumentation: Opt-in modal not appear when login through proxy/sso

Workaround:
Users can opt-in by visiting Settings->Instrumentation page
2016-08-31 SPL-127800 Opting in to data sharing on a monitoring console produces duplicate data.
2015-06-18 SPL-103302 Files ownership are failed to be changed when using debian package to install splunk and $SPLUNK_HOME is a symlink

Workaround:
Run a recursive chown from the command line on $SPLUNK_HOME manually, post install.
2015-06-10 SPL-103010 Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets.
2015-06-01 SPL-102362 Dynamic indexer discovery only supports one input.
2015-03-25 SPL-98594 Routing events to two different groups not working as expected.

Workaround:
1 On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups.

2 Setup a proxy UF which takes input from the original UF and send input out syslog server. This solution only requires config change and no patch release is required.

2015-01-14 SPL-95384, SPL-92068 Mac OS 10.9.5 does not support the splunk enable boot-start command
2014-11-10 SPL-92831 A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ."

Workaround:
The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1).


2014-10-17 SPL-92162 Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
2014-08-20 SPL-89640 When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts

Workaround:
Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
2014-04-22 SPL-83365 Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
2014-03-12 SPL-81810 Licensing - license pool warning at license master keeps coming back after deleting it.

Workaround:
Delete the warnings on the peers first, then the License Manager.
2013-11-27 SPL-77139 Licenser pool usage gets reflected only after restarting splunkd.
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.

Workaround:
To work around this issue, create a splunk user on your system before attempting to run the installer.
2013-09-13 SPL-74337, BETA-496 You cannot specify a destination folder when installing on OSX.
2013-06-13 SPL-69304 If license slaves are running <6.0 version, they do not have the idx field and in theLicense Usage view, the split by index field will show a field named UNKNOWN.

Uncategorized issues

Date filed Issue number Description
2018-02-28 SPL-151328, SPL-141808 (Windows Only) Support sslRootCAPath on Windows
2017-12-12 SPL-147249 Inputlookup for lookup with space in the filename fails with "Invalid argument: ..." with search optimization enabled

Workaround:
Don't use spaces in your inputlookup filename
2017-11-16 SPL-146514 MessagesManager functionality needs to be available before and during UserManager initialization.
2017-10-03 SPL-145365, SPL-145599, SPL-145600 Crash in IdataDO_Collector on shutdown
2017-09-26 SPL-145190, SPL-141645 buckets keeps failing integrity check
2017-09-26 SPL-145191, SPL-141645 buckets keeps failing integrity check
2017-09-20 SPL-145053, SPL-148029, SPL-148030, SPL-148031 When a field name contains extra whitespace in the begining or end, pdf export fails for that column

Workaround:
The user can export the PDF as another format, or print to pdf, but this is preventing his automated reports, from going out with the correct data in the PDF.
2017-09-06 SPL-144653, SPL-140755 Missing events in RT search results (or any search if tsidx reduction is enabled) when using negation (NOT or !=)

Workaround:
1. In case of RT searches:

Since the issue here is pre-filtering - we can disable it in limits.conf: [realtime] indexfilter = 0

2. In case of tsidx reduction - the only workaround is to disable it i think :(

2017-09-06 SPL-144654, SPL-140755 Missing events in RT search results (or any search if tsidx reduction is enabled) when using negation (NOT or !=)

Workaround:
1. In case of RT searches:

Since the issue here is pre-filtering - we can disable it in limits.conf: [realtime] indexfilter = 0

2. In case of tsidx reduction - the only workaround is to disable it i think :(

2017-05-09 SPL-141693 DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list.
2017-04-18 SPL-141235, SPL-141522 Heavy forwarder is crashing with typing thread
2017-03-22 SPL-140275, SPL-140214 Checking a column in initial data with a stats command gives the wrong columns
2017-03-20 SPL-139016, SPL-138897 Initial data is not using the correct columns
2017-03-16 SPL-138873, SPL-138805 Adding columns in initial data after adding a stats command results in the incorrect columns in stats
2017-03-15 SPL-138803, SPL-138758 Removing a command before a stats command results in too many columns in stats
2017-01-31 SPL-136052, SPL-134977 sendemail.py does not respect action.email.include.view_link for views (scheduled PDF delivery)
2017-01-19 SPL-135274, SPL-151304, SPL-151306, SPL-151307, SPL-152244 search assistant incorrectly wrapping kv pairs in quotes
2017-01-06 SPL-134707 Splunk restart does not create missing server.pem certificate on Windows

Workaround:
Use Template:Bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate.
2016-12-21 SPL-134422, SPL-134443 Timechart does not render properly or display if function field is "constructor"

Workaround:
Customer is using the following query to workaround it at the moment:

eventtype="analytics_events" name="addon.bridge.invokemethod" addonBridgeInvokemethod.fn=* | eval invoke_method = if('addonBridgeInvokemethod.fn' = "constructor","const", 'addonBridgeInvokemethod.fn') | timechart useother=f count by invoke_method

2016-12-12 SPL-133918, SPL-132355 "Edit Job Settings" doesn't work in splunkjs searchbar view
2016-12-02 SPL-133405, SPL-140769, SPL-140814, SPL-140820, SPL-142014 Working real-time searches are listed as skipped in scheduler implying there is a problem
2016-11-23 SPL-132888, SPL-135327, SPL-135329 Unable to select a radio button with one click when the value of it contains a rex command with quotes
2016-11-23 SPL-132925 Table data rows generated with the addcoltotals command do not show up in PDF

Workaround:
If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

2016-11-21 SPL-132666, SPL-143965, SPL-143966, SPL-144174 Exported pdf shows token string for the dashboard element's title property instead of its value
2016-11-10 SPL-131934, SPL-130646 token value does not reflect a label name in 6.5.0
2016-11-01 SPL-131164 Upgrade Causing Indexing Queue to Block 6.4 to 6.5 due to ldap authentication on indexers.
2016-10-31 SPL-131070, SPL-131424 After changing login page background, additional unrelated settings will be added to the local/web.conf
2016-10-25 SPL-130818, SPL-143307, SPL-143308 When viewing custom time alert from email, custom time of alert triggered changes to the current time when clicking View Events from results table.
2016-10-20 SPL-130614, SPL-135384, SPL-135385, SPL-135387 Eventypes w/macros does not work
2016-10-18 SPL-130405, SPL-132600, SPL-135330 Shortcut for search string formatting does not work for some of the non-english keyboards
2016-10-14 SPL-130310, SPL-130966, SPL-130967 When a user has write permission to an app, the same user can delete a dashboard created by other user within the same app from the views manager page but not from the dashboards listing page
2016-10-12 SPL-130131 Metadata search command stops reporting results when more than 5 index=... specifiers are used
2016-10-10 SPL-130025, SPL-130888 Order of Apps in dropdown menu not consistent from Launcher Home
2016-09-27 SPL-129362, SPL-129561 Syntax highlighting and other search IDE features fail to work with free license
2016-07-14 SPL-124256, SPL-138498, SPL-138497, SPL-138500, SPL-138501 load job command rearranges the fields/axis of the original search results
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs
2016-04-26 SPL-118856, SPL-115970 Number of values returned to a sparkline for a 7-day range search does not have enough granularity
2015-10-07 SPL-107606 Inconsistency between summary and datamodel_summary files.
2015-07-21 SPL-104387 Label is truncated while exporting dashboard as pdf
2015-05-24 SPL-102008 On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference.
2015-05-11 SPL-101289 When the number of indexing pipeline sets is greater than four, indexing throughput decreases.
2015-05-06 SPL-100980 Single indexer does not scale when receiving parsed data from multiple PipelineSets.
2015-05-04 SPL-100792 There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals.

Workaround:
Searches that key off these lines need to select their desired name=x category in order to see a single thruput value.
2015-04-24 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml)

Workaround:
Workaround is to use label attribute for collection element.

<collection label="Others">

           <view source="unclassified" match="Dashboard"/>
     </collection>  
2015-03-26 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id.

Workaround:
The workaround is to remove the duplicated bucket.
2015-02-26 SPL-97389 When using timechart command, the embedded report shows different time format than the original report.
2015-01-08 SPL-95144, SPL-107317, SPL-101986, SPL-101987, SPL-106884, SPL-142789 Indexed message for Windows security event logs shows "FormatMessage error"

Workaround:
Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.
2014-10-31 SPL-92596 After upgrade from Splunk Enterprise 6.1 or earlier to 6.4.x on Windows, splunkweb service does not start automatically. Attempts to start it manually show "Error 1053: The service did not respond to the start or control request in a timely fashion."

Workaround:
This is expected behavior. See the Splunk Answers post: http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html
2014-10-24 SPL-92432, SPL-99583 Chart in dashboard panel does not honor interval settings.

Workaround:
In the panel XML, specify a larger height to use the correct interval settings.
2014-09-11 SPL-90738 Monitoring a directory with an unknown sourcetype produces indexing errors.
2014-08-26 SPL-90139 <timestamp> does not display in the Patterns tab when searches are run in fast mode.
2014-06-16 SPL-85497 Unable to save generated PDFs using Chrome internal PDF viewer.

Workaround:
Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, seehttps://support.google.com/chrome/answer/142056.


2014-04-14 SPL-83068 Default index can be set to random index.
2014-04-01 SPL-82517 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
2014-03-23 SPL-82238 Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
2014-03-13 SPL-81856 Show all lines does not work in data model editor preview.
2014-03-12 SPL-81781 In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range.
2014-02-07 SPL-80285 In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions.

Workaround:
For more information, see Add lookup files to Splunk.
2014-02-06 SPL-80187 In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared.

Workaround:
Share the definition. For more information, see Add lookup files to Splunk.
2014-01-31 SPL-79842 On Windows, Indexer doesn't accept new connections on splunktcpin port after queue blockage is resolved
2013-08-28 SPL-73826 Windows: hostname override not working properly
2013-08-22 SPL-73569 Pie maps do not have legend labels.
2013-07-25 SPL-71645 Report acceleration Summary folders (summaryHomePath) cannot be created if thehomePath of the index is at the root of the filesystem, (homePath=D:\myindex orhomePath=/myindex).

Workaround:
Create the folder manually.
2013-05-16 SPL-67491 PDF report: Events format settings like List, Table, MaxLines, and Wrapping don't apply to PDF report
2013-04-30 SPL-66213 PDF server app is not working with latest Xvfb
2012-11-26 SPL-58744 Area chart is not filled if the points are unconnected
2010-10-08 SPL-34347 wmi input default fields - with value including newlines doesn't search properly becasue of \r\n issue

Splunk Analytics for Hadoop

Date filed Issue number Description
2017-04-04 ERP-2040 Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x

Workaround:
Upgrade Hadoop to 2.8.2 or higher.
2015-09-09 ERP-1650 timestamp data type not properly deserialized.
2015-08-05 ERP-1619 Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception.

Workaround:
Reenable the bucket copy saved search and let it run, or force the archiving to happen via | archivebuckets force=1 and then rerun the search.
2015-07-07 ERP-1598 minsplit rampup - splits generation takes too long.

Workaround:
Set minsplits=maxsplits
2015-06-16 ERP-1576 Report acceleration does not work with smart search index.
2015-05-12 ERP-1502 Non-accelerated pivot search on Pivot UI page waits for a long time to return result.
2015-01-08 ERP-1343, SPL-95174 Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error.

Workaround:
Add the journal.gz to the input path's blacklist (vix.input.1.ignore = ....)
2014-10-27 ERP-1216 Data Explorer preview does not honor existing sourcetypes for big5/sjis files.
2014-10-03 ERP-1164 Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory.

Workaround:
To mitigate this issue, make sure that vix.splunk.home.hdfs (or Working directory in the UI) is unique on both search heads that are not in a pool. To keep your instances in the same working directory, configure vix.splunk.search.cache.path to be unique on both search heads.
PREVIOUS
Welcome to Splunk Enterprise 6.5
  NEXT
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters