Splunk® Enterprise

Release Notes

This documentation does not apply to the most recent version of Splunk.

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once.

Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features in this manual.

Highlighted issues

Date filed Issue number Description
2018-02-23 SPL-151110, SPL-146088, SPL-151808 Clustering creates extra copies of buckets erroneously.
2017-10-30 SPL-146088, SPL-151973, SPL-151110, SPL-151111 Clustering creates extra copies of buckets erroneously.

Workaround:
Use the excess bucket removal functionality at regular intervals.

Upgrade issues

This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.

Date filed Issue number Description
2017-05-23 SPL-141964 Older 6.0 and 6.1 maintenance release forwarders unable to forward events to 6.6.x and later indexers via splunktcp-ssl.

Workaround:
This affects communication between Splunk 6.6.x and later indexers and:
  • 6.0.0 to 6.0.6 forwarders
  • 6.1.0 to 6.1.4 forwarders

Upgrade your older forwarders to the latest maintenance releases or, on your 6.6.x indexer, add the following to inputs.conf:

[SSL]
sslVersions = *,-ssl2
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


2017-05-23 SPL-141961 Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port

Workaround:
This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions:
  • 6.0.0 to 6.0.6
  • 6.1.0 to 6.1.4
  • 6.2.0 to 6.2.6
  • 6.3.0 to 6.3.1
  • 6.3.1511.1

Upgrade your older instances to the latest maintenance releases or, on your 6.6.x Splunk instances, add the following stanza to server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


2017-03-20 SPL-139019 Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites

Workaround:
Users can do either of the following:

1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully.

3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc.). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites.

2017-03-13 SPL-138647 Possible compatibility issues between new 6.6 and later default sslVersions, cipherSuites and external services, e.g. e-mail, LDAP

Workaround:
If security is not a significant concern, simply revert to the 6.5.x SSL/TLS defaults. For example, for e-mail, add the following to $SPLUNK_HOME/etc/system/local/alert_actions.conf:

[email]
sslVersions = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To configure LDAP with the same settings used by e-mail alerts, add the following to $SPLUNK_HOME/etc/openldap/ldap.conf:

TLS_PROTOCOL_MIN 3.1
TLS_CIPHER_SUITE TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To completely revert the LDAP configuration to the 6.5.x SSL/TLS defaults, comment out TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE.


If you would like to retain the more secure 6.6.x defaults, but prefer to add an exception for your less secure external services, follow the procedure below:

1. To determine what sslVersions and cipherSuites are supported by a server, run splunk cmd openssl s_client -connect hostname:port | awk '/Protocol/ || /Cipher/ || /Verify/'.

The example below is for a Postfix SMTP server:

eserv@indexer01:~$ splunk cmd openssl s_client -connect smtp-server01:465 | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=1 C = US, O = Example Customer, OU = IT, CN = Example Customer IT CA, emailAddress = customer@example.org
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

   Protocol : TLSv1 
   Cipher : DHE-RSA-AES256-SHA 
   Verify return code: 19 (self signed certificate in certificate chain)

2. Check the OpenSSL output for Protocol and Cipher. In the example above, Protocol = TLSv1 and Cipher = DHE-RSA-AES256-SHA

3. Update the relevant Splunk sslVersions and/or cipherSuite settings. In the example above, sslVersions should be set to tls (allows TLSv1, TLSv1.1, TLSv1.2) and DHE-RSA-AES256-SHA should be appended to the end of the default cipherSuite definition, e.g. add to $SPLUNK_HOME/etc/system/local/alert_actions.conf:

[email]
sslVersions = tls
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA
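
The three-step procedure above can be scripted so that the exception is derived from the probe output instead of typed by hand. The following is an added example, not Splunk code: it parses the filtered s_client output, appends only the negotiated cipher to the list shown above, and reports the failed certificate verification that the sample output contains. The function names, the refusal to go below TLS, and the assumption that the instance already accepts TLSv1.2 are choices of this example; the stanza uses the cipherSuite key, as in the 6.5.x [email] stanza earlier on this page.

```python
import re

# Cipher list from the page's [email] example, minus the appended exception.
DEFAULT_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Protocols covered by "sslVersions = tls", as stated in step 3.
TLS_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed sample: the filtered s_client output shown for smtp-server01:465.
SAMPLE_OUTPUT = """\
depth=1 C = US, O = Example Customer, OU = IT, CN = Example Customer IT CA, emailAddress = customer@example.org
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed sample: what s_client reports when no handshake completed.
FAILED_OUTPUT = """\
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""


def parse_s_client(output):
    """Return (protocol, cipher, verify_code) from the SSL-Session lines."""
    fields = {}
    for key, pattern in (
        ("protocol", r"^\s*Protocol\s*:\s*(\S+)"),
        ("cipher", r"^\s*Cipher\s*:\s*(\S+)"),
        ("verify", r"^\s*Verify return code:\s*(\d+)"),
    ):
        match = re.search(pattern, output, re.MULTILINE)
        if match is None:
            raise ValueError(f"no {key} line in s_client output")
        fields[key] = match.group(1)
    if fields["cipher"] in ("0000", "(NONE)"):
        raise ValueError("handshake did not complete; nothing to add")
    return fields["protocol"], fields["cipher"], int(fields["verify"])


def build_exception(output, stanza="email", base=DEFAULT_CIPHERS):
    """Build the conf override and a list of findings worth reviewing."""
    protocol, cipher, verify_code = parse_s_client(output)
    if protocol not in TLS_PROTOCOLS:
        # Policy of this example: never widen sslVersions below TLS.
        raise ValueError(f"{protocol} is outside sslVersions = tls")
    suites = base.split(":")
    if cipher not in suites:
        suites.append(cipher)  # exception goes last, after the stronger suites
    lines = [f"[{stanza}]"]
    findings = []
    if protocol != "TLSv1.2":
        # Assumption: the instance already accepts TLSv1.2, so sslVersions
        # is widened only when the peer negotiated something older.
        lines.append("sslVersions = tls")
        findings.append(f"peer negotiated {protocol}; plan its upgrade")
    if verify_code != 0:
        findings.append(f"certificate verification failed (code {verify_code})")
    lines.append("cipherSuite = " + ":".join(suites))
    return "\n".join(lines), findings


if __name__ == "__main__":
    conf, notes = build_exception(SAMPLE_OUTPUT)
    print(conf)
    for note in notes:
        print("# review:", note)
```
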

Data input issues

Date filed Issue number Description
2018-04-19 SPL-153591, SPL-155066, SPL-155067, SPL-155069 high delay on events from UF after upgrade to (6.6.x)
2017-06-09 SPL-142334, SPL-143553, SPL-145370, SPL-145978 logs are delayed in reading after rotation
2015-11-12 SPL-109362 When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage
2015-05-22 SPL-101981 Field extractions do not work when sourcetypes use quotes in the Getting Data In interface.
2015-03-17 SPL-98163 INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL

Workaround:
Create a separate extraction in props.conf, in the stanza where the W3C extraction method is defined:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

Search issues

Date filed Issue number Description
2018-07-23 SPL-157725, SPL-144000 Can't search for indexed fields included in summary index since fields.conf "INDEXED = true" since 6.6

Workaround:
You could rename the field before summary indexing to use a different field name in the summary indexes (and then alias it back?).
2018-07-23 SPL-157727, SPL-144000 Can't search for indexed fields included in summary index since fields.conf "INDEXED = true" since 6.6

Workaround:
You could rename the field before summary indexing to use a different field name in the summary indexes (and then alias it back?).
2018-04-20 SPL-153621, SPL-158945, SPL-161869, SPL-161870, SPL-161871 Search shows "No results found" intermittently due to difference in minutes part between timezones of splunk instance and user preference
2018-04-17 SPL-153464, SPL-157516, SPL-158568, SPL-158570 Job Progress Status goes from 0 to 100 back to 0
2017-10-30 SPL-146082, SPL-148873, SPL-148874 Edit Summary Indexing Dialog not working with searches containing subsearches
2017-10-09 SPL-145560, SPL-153521, SPL-153646, SPL-155091 Splunkd DispatchManager logging is inconsistent
2017-08-23 SPL-144312, SPL-154875, SPL-158680, SPL-158681 Owner of Macros can not be reassigned in Web UI in version 6.6.x
2017-08-21 SPL-144217, SPL-145398, SPL-145400, SPL-145321, SPL-145332, SPL-145333, SPL-145395, SPL-145396, SPL-145399, SPL-145306 searchmatch() without arguments causes crash in search process or main splunkd

Workaround:
Provide actual arguments to searchmatch function
2017-08-03 SPL-143607 Searches ordered like this returns false results: search ... | eventstats ... | streamstats ..., because it's being run in batch mode when it shouldn't

Workaround:
Place the delta command before eventstats in the search pipeline:

| delta _time as d | eventstats count

2017-07-25 SPL-143331, SPL-144063, SPL-144366, SPL-144369, SPL-145963 default_match is not honoured when lookup matches is 0 (using a kvstore collection)
2017-07-19 SPL-143204, SPL-143949, SPL-145964 CIDR searches providing different results than a wildcard search (host=172.29.100.0/24 vs host=172.29.100.*)

Workaround:
Change srchFilter entries to wildcard searches. Where many roles define custom srchFilters, this requires many corrections.
2017-06-19 SPL-142497, SPL-143374 Consecutive calls to random() return repeating values in a predictable pattern.
2017-06-06 SPL-142263, SPL-164845, SPL-172819, SPL-172820, SPL-144706, SPL-144707, SPL-144708 TAB character in Search string causes splunk to throw error - ERROR bucket - Error in 'bucket' command: Invalid argument: ' '

Workaround:
Use spaces instead of tabs for indentation.
2017-06-05 SPL-142239 After upgrading to 6.5.x, significant increase in search dispatch times (Job Inspector: startup.handoff) and count of "skipped" and "continued" searches due to delays in search process reuse

Workaround:
Disable search process reuse on the SHs and indexers by adding the following to limits.conf:

[search]
max_searches_per_process = 1

2017-04-04 SPL-140765 Splunk having problems extracting json file consisting of 68k plus key-value pairs
2017-03-21 SPL-140175 Aborted delete searches may result in stale lock files being left behind

Workaround:
Delete stale lock files.


2016-11-29 SPL-133182 When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.
2016-10-13 SPL-130257 Dataset doesn't work if user has name with non-ascii characters
2016-09-15 SPL-128845, SPL-131106, SPL-131108, SPL-145346 Distributed Search: Deployment -- inaccurate Average/Max Time to Reap Dispatch Directory value
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-17 SPL-103247 Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted.
2015-04-23 SPL-100170 Automatic Lookups limitation: No results returned in Smart Mode when there are nested lookups and the intermediate field is not mentioned in the search.
2014-12-22 SPL-94910 The replace function does not apply to fields names with an underscore in them.

Workaround:
Rename the fields before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2018-10-19 SPL-161715, SPL-144102 Custom Alert Action Parameters fails when Search has | (pipe) in its name

Workaround:
Do not use pipes in the saved search/alert name
2018-10-19 SPL-161717, SPL-144102 Custom Alert Action Parameters fails when Search has | (pipe) in its name

Workaround:
Do not use pipes in the saved search/alert name
2018-04-21 SPL-153649, SPL-156991, SPL-157792, SPL-157793 Search scheduler shifts earliest_time and latest_time based on the skew, when using allow_skew

Workaround:
Don't use allow_skew for searches where this behaviour is a problem.
2018-02-14 SPL-149184 Stale summaryInProgress entries result in exhausting maxConcurrent quota causing Captain block executing subsequent DMA searches.
2018-02-09 SPL-149014, SPL-140413, SPL-146356 SHC captain stops delegating searches to itself after a while when using scheduler_load_based
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-07-25 SPL-143337, SPL-143925, SPL-146104 Possible false logging? -- reason="The maximum number of concurrent real-time scheduled searches on this cluster has been reached" concurrency_limit=1
2016-09-23 SPL-129285 The search scheduler (SavedSplunker) has scaling problems with high disabled user count and external auth systems (SAML & LDAP)
2015-04-09 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2

Workaround:
Reduce length of name of the app and report acceleration searches will run properly within the context of the app.

Charting, reporting, and visualization issues

Date filed Issue number Description
2017-07-24 SPL-143311, SPL-78612 Deleting a dashboard with a scheduled PDF does not also delete the scheduled view on stand alone SH
2016-09-15 SPL-128819, SPL-130243, SPL-130245 Editing panel in dashboard removes charting.legend.masterlegend option

Workaround:
Use <option name="charting.legend.masterLegend">null</option>
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


2015-03-31 SPL-98890 Maps printed from Report page do not honor custom zoom and center.
2015-02-23 SPL-97193 The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string.

Data model and pivot issues

Date filed Issue number Description
2018-02-14 SPL-149184 Stale summaryInProgress entries result in exhausting maxConcurrent quota causing Captain block executing subsequent DMA searches.
2017-02-22 SPL-137274, SPL-138967, SPL-138968 Pivot: area/line/bar/column charts showing multiple column values when clicking browser back button

Indexer and indexer clustering issues

Date filed Issue number Description
2018-10-23 SPL-161815 Thawed buckets in an indexer cluster are sporadically unsearchable upon restart
2018-03-22 SPL-152465, SPL-153596, SPL-153597, SPL-154595, SPL-154647, SPL-154648 Clustering - when a peer is in detention, we will make excess copies

Workaround:
If any indexers are in detention run `splunk remove excess-buckets` periodically.
2018-02-23 SPL-151110, SPL-146088, SPL-151808 Clustering creates extra copies of buckets erroneously.
2017-11-06 SPL-146202, SPL-142643 Cluster peer crashed due to "Crashing thread: TcpListener" "Assertion `pProcessor != __null' failed."
2017-11-06 SPL-146217, SPL-142643 cluster peer crashed due to "Crashing thread: TcpListener" "Assertion `pProcessor != __null' failed."
2017-11-06 SPL-146201, SPL-142643 cluster peer crashed due to "Crashing thread: TcpListener" "Assertion `pProcessor != __null' failed."
2017-10-30 SPL-146088, SPL-151973, SPL-151110, SPL-151111 Clustering creates extra copies of buckets erroneously.

Workaround:
Use the excess bucket removal functionality at regular intervals.
2017-09-06 SPL-144652, SPL-146479, SPL-146480 forwarder_site_failover not working with SSL

Workaround:
Don't use site failover.
2017-08-14 SPL-143967, SPL-145275, SPL-145276 event=commitGenerationFailure for non-existent bucket
2017-07-26 SPL-143402, SPL-143757, SPL-144482 Fsck processes are stuck leading to fixup tasks not completing.
2016-08-25 SPL-127353 Data rebalance finishes early when one peer is the source for all buckets

Workaround:
When only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time.
2015-05-08 SPL-101184 Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer.

Distributed search and search head clustering issues

Date filed Issue number Description
2018-05-01 SPL-154032, SPL-154067, SPL-154926, SPL-156192 SHC bundle rejected at push-time because of built-in apps warning is still created and picked up by SHC members

Workaround:
  • Remove the bundle on SHC deployer, e.g. $SPLUNK_HOME/var/run/splunk/deploy/apps/search-0f00e250ca395564de84b53b3ae644617d2d3860.bundle
  • If the bad bundle was deployed to shcluster members, then apply shcluster-bundle on the deployer.
2018-03-21 SPL-152439 couple of members are no longer participating in SHC or KVStore cluster replication
2018-02-09 SPL-149014, SPL-140413, SPL-146356 SHC captain stops delegating searches to itself after a while when using scheduler_load_based
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-10-09 SPL-145554, SPL-152420, SPL-152421, SPL-152422 The savedsearch key/value field is not quoted in SHCMaster log message breaking extraction
2017-10-02 SPL-145346, SPL-128845 Distributed Search: Deployment -- inaccurate Average/Max Time to Reap Dispatch Directory value
2017-07-04 SPL-142888, SPL-140831 Splunk not cleaning up $SPLUNK_HOME/var/run/searchpeers of .delta files and matching directories whose only non-empty subdirectory has the .index extension

Workaround:
Increase max_memtable_bytes under [lookup] inside limits.conf so that the largest lookup won't get indexed.
2017-03-13 SPL-138654 Splunk searches fail when filepath gets too long on Windows
2016-07-12 SPL-124085 On Search Head Cluster It is not possible to remove an App from the SHs once it has been disabled.
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-02-26 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files.

Workaround:
The allowable size of the download can be increased by setting the following in server.conf.

[httpServer]
max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is:

[Endpoint - Local Processes Tracker - Lookup Gen]

Universal forwarder issues

Date filed Issue number Description
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf:

[WinEventLog://Security]
evt_resolve_ad_obj = 0
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day

Workaround:
In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2017-08-08 SPL-143764, SPL-147133, SPL-145273, SPL-145274 Deployment server doesn't always update client attributes without a reload, resulting in stale data on the Forwarder Management UI.

Workaround:
The following workarounds are possible:

  • Delete the affected DC from the Forwarder Management splunkweb page by clicking the "Delete Record" action button.
  • Issue the "./splunk reload deploy-server" command on the DS.
  • Issue the "./splunk restart" command on the DS.

Monitoring Console/DMC issues

Date filed Issue number Description
2017-08-31 SPL-144555, SPL-146585 App "Set up" links are missing on Splunk Cloud with DMC
2017-03-07 SPL-138351, SPL-172626 The role change of DMC via UI does not reflect to distsearch.conf

Workaround:
As a workaround, manually modify distsearch.conf.
2017-03-06 SPL-138223 Install log not showing operations until explicit refresh of page.
2016-11-14 SPL-132151 XML error when trying to download uninstalled app
2016-09-15 SPL-128845, SPL-131106, SPL-131108, SPL-145346 Distributed Search: Deployment -- inaccurate Average/Max Time to Reap Dispatch Directory value

Splunk Web and interface issues

Date filed Issue number Description
2017-11-21 SPL-146618, SPL-144821 Forwarder Management displays Clients label for both Apps and Server Classes
2017-11-02 SPL-146143, SPL-143923 Typo while passing around a permalink can cause splunk UI to hang.
2017-10-30 SPL-146082, SPL-148873, SPL-148874 Edit Summary Indexing Dialog not working with searches containing subsearches
2017-06-22 SPL-142605, SPL-144510, SPL-144511, SPL-144512 Page loads slowly when there are more global saved searches
2016-11-14 SPL-132133 App Browser filtering of the apps does not work
2015-11-09 SPL-109165 Interactive Field Extractor hangs when using "^" as delimiter.

Workaround:
Use props and transforms to specify the delimiter of your choice.
2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-30 SPL-103701 Actions links should be removed for "Apps Browser"

Windows-specific issues

Date filed Issue number Description
2018-03-07 SPL-151800, SPL-153191, SPL-153192, SPL-153193 Windows Registry Monitoring Input is ignoring the _TCP_ROUTING setting
2017-10-23 SPL-145841, SPL-156894, SPL-162146, SPL-162147, SPL-162148 MonitorNoHandle do not respect _TCP_ROUTING in inputs.conf
2015-11-13 SPL-109430 In Windows only, inheritance is broken for folders created by splunkd. Files created are accessible only to the user as whom splunkd is running.
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf:

[WinEventLog://Security]
evt_resolve_ad_obj = 0
2015-04-01 SPL-98978 On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time.

Workaround:
To fix the problem, restart Windows on the forwarder.


Rest, Simple XML, and Advanced XML issues

Date filed Issue number Description
2016-10-31 SPL-131072 Datamodel backend allows invalid time values

Authentication and Authorization issues

Date filed Issue number Description
2016-07-26 SPL-125052 Sole Admin can demote his/herself to Power without path of recovery in GUI

Workaround:
Through the command line, you can open notepad and modify the password file to regain 'Admin' status.
2015-11-13 SPL-109427 LDAP SSL no longer working in Splunk 6.3 (and later) for Windows 2003

Workaround:

The workaround is to:

1. Obtain the ciphers configured on the Windows AD 2003 server.

2. Adjust the TLS_CIPHER_SUITE setting in etc/openldap/ldap.conf to match them.

The following is a working TLS_CIPHER_SUITE for one of the customers:

TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5

Admin and CLI issues

Date filed Issue number Description
2017-11-21 SPL-146618, SPL-144821 Forwarder Management displays Clients label for both Apps and Server Classes
2017-07-28 SPL-143462, SPL-145528, SPL-145529 Summary index menu not displaying indexes from search peer
2017-04-11 SPL-141051 When LINE_BREAKER is defined for a sourcetype, UI forces SHOULD_LINEMERGE to true

Workaround:
None in Splunk Cloud.

For on-prem, manually edit the props.conf file to set SHOULD_LINEMERGE to 'false'.

2017-04-03 SPL-140747 SSL connection in Python when using new ciphers may be slow.
2017-02-16 SPL-136970, SPL-156715, SPL-158503, SPL-158504 default and local meta files getting corrupted or being altered in such a way as to cause warnings
2017-01-12 SPL-135005 Datamodel Editor: Empties out non-visible internal field (i.e. comment)
2016-11-14 SPL-132078 Running jobs should not be marked as expired
2016-11-09 SPL-131880 Reports/Alerts owned by the deleted user can not be found in orphaned tab
2016-08-31 SPL-136475 cloud index manager page does not show accurate dates of latest events
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-03-11 SPL-97942 Capability defined in an app does not take effect when assigned to a role

Workaround:
The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:

[search]
display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"]
display.events.type = table

Uncategorized issues

Date filed Issue number Description
2018-04-10 SPL-153256, SPL-148648 Long (em) Dash inside Tokens in PDF Reports causes Removal of Formatting
2018-03-14 SPL-152095 Edit Summary Indexing - Index List empty/incomplete for User with Power role after upgrading to 6.6.0+

Workaround:
Add the indexes_edit and dispatch_rest_to_indexers capabilities to the Power role for all indexes to be listed.
2018-02-14 SPL-149243 Edit Summary Indexing Dialog not working with searches containing subsearches
2017-12-12 SPL-147249 Inputlookup for lookup with space in the filename fails with "Invalid argument: ..." with search optimization enabled

Workaround:
Don't use spaces in your inputlookup filename
2017-12-04 SPL-146940, SPL-148483, SPL-147898, SPL-147899, SPL-154028, SPL-154029 TcpOutputProc randomly drops indexers from the server list
2017-10-03 SPL-145371, SPL-151896, SPL-154014, SPL-154015 Bulletin board message timestamp incorrect on SHC members
2017-09-15 SPL-144967, SPL-145328, SPL-145329 Error creating diag: in add_fake_file tinfo.size = 0 AttributeError: 'NoneType' object has no attribute 'size'
2017-07-26 SPL-143398, SPL-147086, SPL-147088, SPL-147089, SPL-147148 Slow license master response times after upgrade to 6.5 due to __tz_convert() bottleneck and extensive debug logging calls for lots of warnings

Workaround:
Maybe: http://stackoverflow.com/a/17697733
2017-07-24 SPL-143312, SPL-144581, SPL-144993, SPL-144994, SPL-144995, SPL-144996, SPL-144997 Universal Forwarder installer gives incorrect information about the Event Logs it monitors by default

Workaround:
Click advanced install and select the monitors you want, or copy in the Windows TA from an older install.
2017-07-21 SPL-143281, SPL-143431 Broken @go URL "The view you requested could not be found"
2017-06-27 SPL-142724, SPL-143409 Exact floating point calculations in eval may produce incorrect arithmetic groupings with search optimization enabled.

Workaround:
Workaround is to order the maths in the eval differently or disable search optimization with "| noop search_optimization=f"
2017-05-09 SPL-141693 DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list.
2017-03-27 SPL-140442, SOLNESS-11786 In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses.

Workaround:
If users cannot perform operations on notable event review statuses or have issues viewing "Edit all selected" links on Incident Review, user roles must be provided with the "edit_roles" capability.
2017-03-14 SPL-138731 New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled

Workaround:
Users can do any of the following:

1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security.

2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk

3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/

2017-02-13 SPL-136709 Chart retains legend and title after enabling trellis layout in splunk.js
2017-02-13 SPL-136707, SPL-134891 The trellis.enabled option is not supported for single value visualizations in splunk.js
2017-01-18 SPL-135260 Search formatting keyboard shortcut does not work for French language
2017-01-06 SPL-134707 Splunk restart does not create missing server.pem certificate on Windows

Workaround:
Use Template:Bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate.
2017-01-05 SPL-134638, SPL-143382, SPL-143400, SPL-144110 Slow license master response times after upgrade to 6.5

Workaround:
Maybe: http://stackoverflow.com/a/17697733
2016-11-23 SPL-132925 Table data rows generated with the addcoltotals command do not show up in PDF

Workaround:
If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

2016-11-21 SPL-132670 Mac OS 10.11: disable boot-start doesn't remove the file /Library/LaunchAgents//com.splunk.plist by enabling boot-start in prior Splunk/UF
2016-08-31 SPL-127800 Opting in to data sharing on a monitoring console produces duplicate data.
2016-07-11 SPL-124026, SPL-122942 Relative paths should not be allowed under volume's path=file:// on remote storages
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs
2015-10-07 SPL-107606 Inconsistency between summary and datamodel_summary files.
2015-06-18 SPL-103302 Files ownership are failed to be changed when using debian package to install splunk and $SPLUNK_HOME is a symlink

Workaround:
Run a recursive chown from the command line on $SPLUNK_HOME manually, post install.
2015-06-10 SPL-103010 Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets.
2015-05-24 SPL-102008 On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference.
2015-05-11 SPL-101289 When the number of indexing pipeline sets is greater than four, indexing throughput decreases.
2015-05-06 SPL-100980 Single indexer does not scale when receiving parsed data from multiple PipelineSets.
2015-05-04 SPL-100792 There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals.

Workaround:
Searches that key off these lines need to select their desired name=x category in order to see a single thruput value.
2015-04-24 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml)

Workaround:
Workaround is to use label attribute for collection element.

<collection label="Others">
    <view source="unclassified" match="Dashboard"/>
</collection>
2015-03-26 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id.

Workaround:
The workaround is to remove the duplicated bucket.
2015-03-25 SPL-98594 Routing events to two different groups not working as expected.

Workaround:
1. On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups.

2. Set up a proxy UF that takes input from the original UF and sends it out to the syslog server. This solution only requires a config change; no patch release is required.

2015-02-26 SPL-97389 When using timechart command, the embedded report shows different time format than the original report.
2015-01-08 SPL-95144, SPL-107317, SPL-101986, SPL-101987, SPL-106884, SPL-142789 Indexed message for Windows security event logs shows "FormatMessage error"

Workaround:
Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.

Splunk Analytics for Hadoop

Date filed Issue number Description
2017-04-04 ERP-2040 Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x

Workaround:
Upgrade Hadoop to 2.8.2 or higher.
2015-09-09 ERP-1650 timestamp data type not properly deserialized.
2015-08-05 ERP-1619 Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception.

Workaround:
Reenable the bucket copy saved search and let it run, or force the archiving to happen via | archivebuckets force=1 and then rerun the search.
2015-07-07 ERP-1598 minsplit rampup - splits generation takes too long.

Workaround:
Set minsplits=maxsplits
2015-05-12 ERP-1502 Non-accelerated pivot search on Pivot UI page waits for a long time to return result.
2015-01-08 ERP-1343, SPL-95174 Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error.

Workaround:
Add the journal.gz to the input path's blacklist (vix.input.1.ignore = ....)
2014-10-27 ERP-1216 Data Explorer preview does not honor existing sourcetypes for big5/sjis files.
2014-10-03 ERP-1164 Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory.

Workaround:
To mitigate this issue, make sure that vix.splunk.home.hdfs (or Working directory in the UI) is unique on both search heads that are not in a pool. To keep your instances in the same working directory, configure vix.splunk.search.cache.path to be unique on both search heads.

This documentation applies to the following versions of Splunk® Enterprise: 6.6.2

