Splunk® Enterprise

Release Notes

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.

Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features in this manual.

Highlighted issues

Date filed Issue number Description
2018-08-29 SPL-159442, SPL-156444 Searches may take considerably more memory than with 7.0.x or earlier. This applies particularly to searches that search and/or return a large result set. Due to search speed performance improvements some memory usage increase is expected with 7.1.x even after this issue is fixed.

Splunk recommends upgrading to version 7.1.4 or later.

2018-06-14 SPL-155560, SPL-155219 DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load

Workaround:
acceleration.backfill_time needs to be set for all DMA searches in datamodels.conf. Otherwise the DMA will attempt to accelerate for "all time".
2018-05-04 SPL-154138, SPL-154542, SPL-154544, FAST-9662 Searches with multikv extraction use too much memory: potentially orders of magnitude more than previous versions.

Highlighted issues

Date filed Issue number Description
2018-12-07 SPL-163753, SPL-162781 KV store is unavailable after upgrading a search head cluster with eight or more members from 7.0.x or lower to 7.1.x or 7.2.x.

Workaround:
To avoid this issue, perform the following steps 1, 2 and 3 before upgrading using steps 4 and 5.
  1. On the first seven search heads leave KV store enabled (no action needed).
  2. On each remaining search head (one at a time) disable KV store as follows:
    Stop Splunk on the search head: ./splunk stop
    Edit the <kvstore> stanza of server.conf to disable KV store:
    [kvstore]
    disabled=true
    
    Start Splunk on the search head: ./splunk start
  3. Wait until KV Store is back up and ready with only the 7 enabled members - using the below command to check the status
    ./splunk show kvstore-status
  4. Perform the upgrade as planned.
  5. Enable KV store (one at a time) on all search heads on which you disabled KV store in step 2.

If you have already upgraded without performing the previous procedures, you can identify this issue as follows:

  • All search heads show KV store status as starting (via ./splunk show kvstore-status).
  • On all search heads the mongod process is not running.
  • The following message is in mongod.log:
    Locally stored replica set configuration is invalid; See http://www.mongodb.org/dochub/core/recover-replica-set-from-invalid-config for information on how to recover from this. Got "BadValue: priority must be 0 when non-voting (votes:0)" while validating

If you encounter this issue, contact Splunk support for recovery steps.

2018-11-10 SPL-162781, SPL-163104, SPL-163753, SPL-162810, SPL-163103 KV store is unavailable after upgrading a search head cluster with eight or more members from 7.0.x or lower to 7.1.x or 7.2.x.

Workaround:
To avoid this issue, perform the following steps 1, 2 and 3 before upgrading using steps 4 and 5.
  1. On the first seven search heads leave KV store enabled (no action needed).
  2. On each remaining search head (one at a time) disable KV store as follows:
    Stop Splunk on the search head: ./splunk stop
    Edit the <kvstore> stanza of server.conf to disable KV store:
    [kvstore]
    disabled=true
    
    Start Splunk on the search head: ./splunk start
  3. Wait until KV Store is back up and ready with only the 7 enabled members - using the below command to check the status
    ./splunk show kvstore-status
  4. Perform the upgrade as planned.
  5. Enable KV store (one at a time) on all search heads on which you disabled KV store in step 2.

If you have already upgraded without performing the previous procedures, you can identify this issue as follows:

  • All search heads show KV store status as starting (via ./splunk show kvstore-status).
  • On all search heads the mongod process is not running.
  • The following message is in mongod.log:
    Locally stored replica set configuration is invalid; See http://www.mongodb.org/dochub/core/recover-replica-set-from-invalid-config for information on how to recover from this. Got "BadValue: priority must be 0 when non-voting (votes:0)" while validating

If you encounter this issue, contact Splunk support for recovery steps.

Upgrade issues

Date filed Issue number Description
2018-04-13 SPL-153403 After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2017-05-23 SPL-141961 Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port.

Workaround:
This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions:
  • 6.0.0 to 6.0.6
  • 6.1.0 to 6.1.4
  • 6.2.0 to 6.2.6
  • 6.3.0 to 6.3.1
  • 6.3.1511.1

Upgrade your older instances to the latest maintenance releases or on your 6.6.x Splunk instances. Add the following stanza to server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


2017-03-20 SPL-139019 Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites

Workaround:
Users can do either of the following:

1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully.

3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc..). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites.

2017-03-13 SPL-138647 Possible compatibility issues between new 6.6 and later default sslVersions, cipherSuites and external services, e.g. e-mail, LDAP

Workaround:
If security is not a significant concern, simply revert back to the 6.5.x SSL/TLS defaults, e.g. for e-mail, add to $SPLUNK_HOME/etc/system/local/alert_actions.conf

[email]
sslVersions = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To configure LDAP with the same settings used by e-mail alerts: $SPLUNK_HOME/etc/openldap/ldap.conf

TLS_PROTOCOL_MIN 3.1
TLS_CIPHER_SUITE TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To completely revert the LDAP configuration to the 6.5.x SSL/TLS defaults, comment out TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE


If you would like to retain the more secure 6.6.x defaults, but prefer to add an exception for your less secure external services, follow the procedure below:

1. To determine what sslVersions and cipherSuites are supported by a server, run splunk cmd openssl s_client -connect hostname:port | awk '/Protocol/ || /Cipher/ || /Verify/'.

The example below is for a Postfix SMTP server:

eserv@indexer01:~$ splunk cmd openssl s_client -connect smtp-server01:465 | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=1 C = US, O = Example Customer, OU = IT, CN = Example Customer IT CA, emailAddress = customer@example.org verify error:num=19:self signed certificate in certificate chain New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

   Protocol : TLSv1 
   Cipher : DHE-RSA-AES256-SHA 
   Verify return code: 19 (self signed certificate in certificate chain)

2. Check the OpenSSL output for Protocol and Cipher. In the example above, Protocol = TLSv1 and Cipher = DHE-RSA-AES256-SHA

3. Update Splunk's relevant sslVersions and/or cipherSuite. In the example above, sslVersions should be set to tls (allows TLSv1, TLSv1.1, TLSv1.2) and DHE-RSA-AES256-SHA should be appended to the end of the default cipherSuites definition, e.g. add
$SPLUNK_HOME/etc/system/local/alert_actions.conf
:

[email]
sslVersions = tls

cipherSuites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA

2014-08-20 SPL-89640 When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts

Workaround:
Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Date filed Issue number Description
2019-11-04 SPL-178913, SPL-171961 The datetime.xml timestamp recognition file does not recognize two-year dates after 2019 or Unix epoch-time seconds higher than 1599999999 (12:26:39 UTC 13 Sep 2020)
2018-07-26 SPL-157923, SPL-147638 Splunkd crashes when HEC inputs configuration contains duplicated tokens
2018-07-05 SPL-156817 HEC json file give "Invalid data format" on 7.x versions with event sizes greater than 512kb
2018-04-19 SPL-153591, SPL-155066, SPL-155067, SPL-155069 high delay on events from UF after upgrade to (6.6.x)
2018-03-27 SPL-152628 PREAMBLE_REGEX doesn't work on 7.0.2 but OK with 7.0.0
2018-03-15 SPL-152197, SPL-147327 Error message for corrupted FSChangeMonitor database is not actionable.
2017-07-19 SPL-143236 Custom sourcetype is not displayed on sourcetype menu

Workaround:
Set a filter and the sourcetype will display.
2015-11-12 SPL-109362 When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage
2015-05-22 SPL-101981 Field extractions do not work when sourcetypes use quotes in the Getting Data In interface.
2015-03-17 SPL-98163 INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL

Workaround:
Create a separate extraction in props.conf where defined w3c extraction method:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

Search issues

Date filed Issue number Description
2020-01-02 SPL-181330, SPL-181303 Rex mode sed - 7.1.0+ - Sed with caret (^) is giving an incorrect result/not functioning as expected

Workaround:
- To remove the global flag at the end of the sed command i.e.

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

2020-01-02 SPL-181332, SPL-181303 Rex mode sed - 7.1.0+ - Sed with caret (^) is giving an incorrect result/not functioning as expected

Workaround:
- To remove the global flag at the end of the sed command i.e.

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

2020-01-02 SPL-181331, SPL-181303 Rex mode sed - 7.1.0+ - Sed with caret (^) is giving an incorrect result/not functioning as expected

Workaround:
- To remove the global flag at the end of the sed command i.e.

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

2019-07-26 SPL-173898, SPL-173452 search time increases exponentially or factorially with number of subsearches
2019-07-08 SPL-172836, SPL-171270 dedup's sortby not working as expected when using head/transaction
2019-06-21 SPL-172299, SPL-168859 Any transformational commands will not include the base fields from transforms.conf when performing search in SMART mode resulting in required field not been included
2019-04-05 SPL-168797, SPL-166413 info_max/min_time provides incorrect values when search is real time.
2019-02-26 SPL-166969, SPL-158113, SPL-166657 Lookups elide empty string literals
2019-02-25 SPL-166897, UBA-11952 After splunk restart, the first threat or anomaly does not get sent to ES

Workaround:
The first threat send from UBA to Splunk after the latter is restarted, will be missed. Please manually export the missed threat to Splunk ES again.

Or Always restart OCS after Splunk gets restarted.

2019-01-16 SPL-165046, SPL-165326 Search crashes due to missing name in EVAL- in props.conf
2018-12-18 SPL-164112 Characters with accents not substituting properly with sed mode
2018-11-30 SPL-163361, SPL-164567, SPL-164879 mvexpand consumes more memory than expected, error: command.mvexpand: output will be truncated at <low number> results due to excessive memory usage.
2018-11-07 SPL-162658, SPL-168783, SPL-169607, SPL-170159 Editing Summary Indexing not working when Search contains a tstats
2018-11-01 SPL-162447, SPL-154678 |metadata search error - Failed to apply deletes to some metadata
2018-10-05 SPL-161000 CPU stalls occurs which results in splunkd core dumping

Workaround:
No workaround is found
2018-10-01 SPL-160881, SPL-161173, SPL-161174, SPL-170371, SPL-170372 eventstats on an event search can create duplicate events in some scenarios
2018-09-24 SPL-160449, SPL-149404 Search.log error message asks user to consider increasing match limit for a Regex without a reason
2018-09-12 SPL-159979, SPL-161169, SPL-163063 Crashing Thread: TcpChannelThread - Post process search using stats fields with null crashes Splunk

Workaround:
exclude the nulls
2018-08-28 SPL-159414, SPL-159182 Memory growth with transactions and keeporphans
2018-08-26 SPL-159318, SPL-159666, SPL-160523 search process crash in AST due to subsearch in a saved search

Workaround:
Two things needed:

1. in limits.conf - disable phased execution: [search] phased_execution_mode = singlethreaded 2. Disable search optimizations - add the below to the search (or via limits.conf)

| noop search_optimization=false
2018-08-16 SPL-158934, SPL-159726, SPL-159751 Post 7.1.1 upgrade issue: stats aggregating in additional empty records with mix of prestats and event data
2018-08-10 SPL-158581, SPL-157433 lookup OUTPUTNEW commands mistakenly cause optimizer to remove preceding search commands resulting in missing field values.

Workaround:
Following 4 workarounds are known:

0. configure following in limits.conf of all SHs affected:

[search_optimization::projection_elimination] cmds_black_list = lookup

This is the most accurate workaround to use.

1. | inputlookup bugtest_lookupstats.csv | rex field=threat_collection_key "\|(?<threat_value>.+)" | search threat_value="0.0.0.0" | table threat_value | lookup bugtest_lookup.csv IP as threat_value OUTPUTNEW time | lookup bugtest_lookup.csv DOMAIN as threat_value OUTPUTNEW time | table threat_value time | noop search_optimization=false

This explicitly disables the search optimisation.

2. | inputlookup bugtest_lookupstats.csv | rex field=threat_collection_key "\|(?<threat_value>.+)" | search threat_value="0.0.0.0" | table threat_value | lookup bugtest_lookup.csv DOMAIN as threat_value OUTPUTNEW time | lookup bugtest_lookup.csv IP as threat_value OUTPUTNEW time | table threat_value time

This variant simply inverts the 2 lookup commands.

3. | inputlookup bugtest_lookupstats.csv | rex field=threat_collection_key "\|(?<threat_value>.+)" | search threat_value="0.0.0.0" | table threat_value | lookup bugtest_lookup.csv IP as threat_value OUTPUTNEW time | lookup bugtest_lookup.csv DOMAIN as threat_value OUTPUTNEW time | table threat_value time*

This variant uses *time* * instead of *time*.

2018-07-31 SPL-158113, SPL-166657, SPL-166967, SPL-166969 Explicit empty strings in lookups being returned as null since 7.1.0, don't show as part of a multivalue field on repeated matches.
2018-07-09 SPL-160683, SPL-164645, SPL-164880 Error message on ES App's IR Dashboard when editing notable events due to inconsistent availableCount caused by Timeliner failure to write the events to disk
2018-06-22 SPL-156141, SPL-146147 Search crashes when using lookup tables that are frequently updated

Workaround:
On the crashing peer (could be SH, Indexer or both) set the below in limits.conf:

max_memtable_bytes = 2*<size of the largest lookup>

example search to find the biggest lookups:

index=_* sourcetype=audittrail path=*lookups* size=* | stats max(size) AS size BY host, path | append [| rest services/server/introspection/kvstore/collectionstats | mvexpand data | table splunk_server title data | spath input=data | fields splunk_server size ns ] | eval host=coalesce(host,splunk_server) | fields host path ns size | sort size | head 1

2018-06-15 SPL-155648, SPL-169611, SPL-169612, SPL-185656 New phased_execution_mode is spawning extra processes for custom search commands

Workaround:
If the custom search needs to run only once, disable the multithread for all searches.

$SPLUNK/etc/system/local stopped the issue from occurring. [search] phased_execution_mode = auto

Apply this workaround especially for deployment using ITSI, as the bug causes double backfill of the ITSI Episodes.

Beware, the workaround will cause a separate search issue SPL-165363, for splunk versions 7.0, 7.1 and 7.2 until the fix in 7.2.4

2018-06-04 SPL-155106, SPL-155412, SPL-155413 splunkd process consuming large amount of memory in 7
2018-05-30 SPL-154973, SPL-155773, SPL-158832 timeline preview shows random events, but not the ones based on the selected timeline segment

Workaround:
Appending following to the SPL seems to do the trick:
| sort - _time
2018-05-27 SPL-154920, SPL-156245, SPL-159249 Search Removal With Case Insensitive Capability

Workaround:
To use the same letter case as the search function.
2018-05-14 SPL-154459, SPL-153958 The mcollect and meventcollect commands fail to verify permissions for the indexes that they write to.
2018-05-14 SPL-154463, SPL-154931 When eventstats is the last command in a reporting search in Splunk 7.1.0 the stats tab truncates all results past a certain number of results.
2018-05-11 SPL-154420, SPL-153686 invalid regex range causing splunk to crash
2018-05-09 SPL-154314, SPL-156264, SPL-160168 Timechart time modifiers not respected by time picker

Workaround:
[search]

phased_execution_mode = singlethreaded

2018-05-04 SPL-154138, SPL-154542, SPL-154544, FAST-9662 Searches with multikv extraction use too much memory: potentially orders of magnitude more than previous versions.
2018-04-27 SPL-157120, SPL-158035 Customer upgrade to splunk 7.1 and this broke his HUNK Archive index.
2018-04-25 SPL-153745, SPL-153724 The mcollect and meventcollect commands erroneously count against licensing.
2017-08-23 SPL-144350 Archived Index is created without error when the splunk index is invalid
2017-08-03 SPL-143607 Searches ordered like this returns false results: "search ... | eventstats count | delta _time as d" , because it's being run in batch mode when it shouldn't

Workaround:
Place the delta command before eventstats in the search pipeline:

... | delta _time as d | eventstats count

2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2017-04-04 SPL-140765 Splunk having problems extracting json file consisting of 68k plus key-value pairs
2017-03-21 SPL-140175 Aborted delete searches may result in stale lock files being left behind

Workaround:
Delete stale lock files.
2016-11-29 SPL-133182 When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.
2016-06-17 SPL-122984 Searching renamed sourcetype is case-sensitive
2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-17 SPL-103247 Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted.
2015-04-23 SPL-100170 Automatic Lookups limitation: No results returned in Smart Mode when there are nested lookups and the intermediate field is not mentioned in the search.
2014-12-22 SPL-94910 The replace function does not apply to fields names with an underscore in them.

Workaround:
Rename the fields before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-11-13 SPL-93039 The relevancy search command does not work, always returning 0 or -inf.
2014-10-02 SPL-91638, SPL-107375 For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
2014-09-15 SPL-90861, SPL-90396, SPL-90886 If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log.
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-03-27 SPL-82357 The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
2014-03-15 SPL-81934 For clusters, may be unable to open search results output file for search results in a cluster.

Workaround:
Write to a temp file and rename to the target file.
2014-02-21 SPL-80942 Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
2013-12-18 SPL-78179 REST /saved/searches App names with special characters have invalid links.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2019-07-18 SPL-173414, SPL-179491, SPL-179612, SPL-179627 Splunk unable to load defined Saved Searches in a conf file if a bad/malformed cron_schedule value is present/set

Workaround:
If this behavior is noticed (savedsearches - alerts/searches/reports) not showing up in the GUI, verify cron jobs are valid, if they're not, then correct them.

A quick check would be to create a duplicate savedsearches.conf and removing all cron_schedule definitions and rebooting splunk with that config to identify if it is this issue.

2019-03-22 SPL-168110, SPL-164733 tstats searches do not run on datamodels that contain only a streamable BaseSearch object
2019-03-22 SPL-168124, SPL-161055 Internal Error: datamodel - invalid or unaccelerable root object
2018-11-20 SPL-163095, SPL-163054 Scheduler crashed due to divide by zero exception (FPE) when allow_skew is configured
2018-10-25 SPL-162249, SPL-170857, SPL-177527, SPL-177529, SPL-183262 The filter function of <splunk-search-dropdown> UI component is not working on on Splunk Enterprise 7.1 and later.
2018-09-04 SPL-159602, SPL-159053 Trigger Time format in alert emails without AM/PM designators and no Timezone information.
2018-09-04 SPL-159604, SPL-159053 Trigger Time format in alert emails without AM/PM designators and no Timezone information
2018-07-11 SPL-157118, SPL-161721, SPL-164488, SPL-164489 invisible datamodels /data/models/._*.json files are causing the manager to fail finding the datamodel definition

Workaround:
in the apps folders, data/models, find and delete all the ._*.json files
2018-06-06 SPL-155219, SPL-155560 DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load

Workaround:
acceleration.backfill_time needs to be set for all DMA searches in datamodels.conf. Otherwise the DMA will attempt to accelerate for "all time".
2018-05-04 SPL-154136, SPL-154836 Duplicate alerts are triggered for real time alert type on Splunk Enterprise 7.1.0
2018-04-21 SPL-153649, SPL-156991, SPL-157792, SPL-157793 Search scheduler shifts earliest_time and latest_time based on the skew, when using allow_skew

Workaround:
Don't use allow_skew for searches where this behaviour is a problem.
2017-12-13 SPL-147319, SPL-154403, SPL-154405 SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log

Workaround:
+ creating a local user called "system" would clear the INFO logging

+ or customer can turn off INFO logging by setting logging level to NOTICE or above: splunk set log-level AuthenticationManagerLDAP -level NOTICE

2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain
2015-04-09 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2

Workaround:
Reduce length of name of the app and report acceleration searches will run properly within the context of the app.
2014-08-15 SPL-89332 Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-10 SPL-81645 Creating data model with root transaction name starting with root event name fails
2014-03-10 SPL-81637 Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Charting, reporting, and visualization issues

Date filed Issue number Description
2020-01-23 SPL-182114, SPL-179348 autoLB not switching IDX when reaching frequency limit

Workaround:
Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

2020-01-23 SPL-182113, SPL-179348 autoLB not switching IDX when reaching frequency limit

Workaround:
Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

2019-12-19 SPL-181194, SPL-179348 autoLB not switching IDX when reaching frequency limit

Workaround:
Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

2019-01-15 SPL-164920, SPL-166952, SPL-167850, SPL-169010, SPL-169011 Dashboard issue: Multiselect URL retains single value after Hide Filters selected
2018-05-02 SPL-154054, SPL-163446, SPL-164721 Dashboard Editor in de-DE locale CSS error in Format visualization modal for Stats Table/Line/Bar Charts
2018-04-30 SPL-153976, SPL-157687 Splunkd Crashes When Opening A Simple Dashboard
2017-12-06 SPL-147115 Drilldown search fails when a timeformat is specified

Workaround:
Remove the timeformat specification from the drilldown search or manually remove the search from the URL and run it in a new window.
2016-09-15 SPL-128819, SPL-130243, SPL-130245 Editing panel in dashboard removes charting.legend.masterlegend option

Workaround:
Use <option name="charting.legend.masterLegend">null</option>
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


2015-02-23 SPL-97193 The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string.

Distributed search and search head clustering issues

Date filed Issue number Description
2019-11-11 SPL-179351 loadjob fails when loading a job using savedsearch name - for specific regexes used in search string
2019-10-25 SPL-178412, SPL-155281 Indexer Clustering Search Performance - search manifest updates should be locked per site+genid
2018-12-14 SPL-164011, SPL-164677, SPL-164731, SPL-164732 SHC: when captain node is in AutomaticDetention status, all alerts (scheduled searches) appear to have stopped as well.
2018-10-26 SPL-162318, SPL-162906, SPL-163487, SPL-163488, SPL-163751 DispatchReaper fails to reap artifacts from fill_summary_index.py in SH Cluster

Workaround:
** Manual deletion **

To get sidlist.txt . splunk search '|REST /services/search/jobs label=searchname | table sid' --maxout 0 --preview

To delete dispatch dirs. for i in `cat sidlist.txt` do rm -rf $i done

2018-06-15 SPL-155639, SPL-154654 SHC captain stops delegating DMA searches after a delegated DMA search job fails (status=delegated_remote_completion, success=0).
2018-05-23 SPL-154830, SPL-141363 Indexers report "Unknown search command" for external search commands even though the indexers contain the search bundle with the external command

Workaround:
Use any of the following 3 workarounds:

1. Transform the "| command" part of the search into "| script command" 2. Transform the "| command" part of the search into "| localop | command" 3. Distribute the app to the indexers via the CM.

2018-05-03 SPL-154089, SPL-154739 Search heads may fail with "Skip search X during searchable rolling process" in invalid configurations where they communicate with cluster masters in an older version.
2018-05-01 SPL-154032, SPL-154067, SPL-154926, SPL-156192 SHC bundle rejected at push-time because of built-in apps warning is still created and picked up by SHC members

Workaround:
* Remove the bundle on SHC deployer, e.g. $SPLUNK_HOME/var/run/splunk/deploy/apps/search-0f00e250ca395564de84b53b3ae644617d2d3860.bundle
  • If the bad bundle was deployed to shcluster members, then apply shcluster-bundle on the deployer.
2018-04-03 SPL-152935, SPL-154616, SPL-154617, SPL-154618 KVStore Replication Error: replSetReconfig got BadValue _id field value of 256 is out of range
2018-03-14 SPL-152148 KV store replication fails on the upgrade search head during SHC member-by-member upgrade.

Workaround:
To ensure there is no kvstore activity during upgrade, perform an offline upgrade as follows:
  1. Shutdown all cluster members.
  2. Upgrade all members.
  3. Start the member


2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-03-13 SPL-138654 Splunk searches fail when filepath gets too long on Windows
2016-07-12 SPL-124085 On Search Head Cluster It is not possible to remove an App from the SHs once it has been disabled.
2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-02-26 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files.

Workaround:
The allowable size of the download can be increased by setting the following in server.conf.

[httpServer] max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is:

[Endpoint - Local Processes Tracker - Lookup Gen]

2014-08-25 SPL-90028 Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-08-14 SPL-89131 In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-08-02 SPL-88228 When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.

Data model and pivot issues

Date filed Issue number Description
2019-03-22 SPL-168124, SPL-161055 Internal Error: datamodel - invalid or unaccelerable root object
2019-03-22 SPL-168110, SPL-164733 tstats searches do not run on datamodels that contain only a streamable BaseSearch object
2018-07-11 SPL-157118, SPL-161721, SPL-164488, SPL-164489 invisible datamodels /data/models/._*.json files are causing the manager to fail finding the datamodel definition

Workaround:
in the apps folders, data/models, find and delete all the ._*.json files
2018-06-06 SPL-155219, SPL-155560 DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load

Workaround:
acceleration.backfill_time needs to be set for all DMA searches in datamodels.conf. Otherwise the DMA will attempt to accelerate for "all time".
2017-12-13 SPL-147319, SPL-154403, SPL-154405 SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log

Workaround:
+ creating a local user called "system" would clear the INFO logging

+ or customer can turn off INFO logging by setting logging level to NOTICE or above: splunk set log-level AuthenticationManagerLDAP -level NOTICE

2014-12-08 SPL-94047, SPL-98628 While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human readable way, but displayed with the epoc timestamp.It works when using _time as a 'Split Row' column.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-11 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
2014-03-10 SPL-81645 Creating data model with root transaction name starting with root event name fails
2014-03-07 SPL-81538 When using Pivot, stack mode is lost when "Scatter Chart" is selected.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Indexer and indexer clustering issues

Date filed Issue number Description
2019-10-25 SPL-178413, SPL-155281 Indexer Clustering Search Performance - search manifest updates should be locked per site+genid
2019-10-25 SPL-178414, SPL-155281, SPL-179523 Indexer Clustering Search Performance - search manifest updates should be locked per site+genid
2019-10-25 SPL-178412, SPL-155281 Indexer Clustering Search Performance - search manifest updates should be locked per site+genid
2019-05-29 SPL-171257, SPL-171303 Index Cluster Bundle Status stuck in "Bundle validation is in progress"

Workaround:
If the CM cluster-bundle-status gets stuck indefinitely in "Bundle validation is in progress"

1.) cancel the bundle push operation curl -k -u admin:pass https://host:mPort/services/cluster/master/control/default/cancel_bundle_push -X POST 2.) rollback to previous bundle or push a new bundle rollback: curl -k -u admin:pass https://host:mPort/services/cluster/master/control/default/rollback -X POST push bundle: curl -k -u admin:pass https://host:mPort/services/cluster/master/control/default/apply -X POST 3.) Restart the CM or peer if the above does not result in all peers on the same bundle


Also consider lowering the number of peers that download the bundle from the CM simultaneously: By default, the master pushes the bundle to all peers simultaneously. The max_peers_to_download_bundle setting in server.conf provides a means to limit the number of peers that receive the bundle simultaneously.

ie: on CM server.conf [clustering] max_peers_to_download_bundle = 3

2019-03-13 SPL-167708, SPL-170943, SPL-170937, SPL-170938 Apply cluster bundle does not apply bundle to any indexers which are in progress of adding to cluster

Workaround:
restart affected indexer(s)
2018-11-12 SPL-162801, SPL-161301 For a multisite cluster, splunk is not reaping prior search-buckets manifests after new generation
2018-11-12 SPL-162802, SPL-161301 For a multisite cluster, splunk is not reaping prior search-buckets manifests after new generation

Workaround:
Do manual cleanup of

$SPLUNK_HOME/var/run/splunk/cluster/search-buckets leaving the gen0 and 10 of the latest files per site as minimum

To automate this you can do something like this in cron once you're happy with the manual run, you just need to add the delete flag for find:

find $SPLUNK_HOME/var/run/splunk/cluster/search-buckets -regextype posix-extended -regex '.+_gen([0-9]{2,}|[1-9])\.csv\.gz' -mtime +2


2018-10-23 SPL-161815 Thawed buckets in a indexer cluster are sporadically unsearchable upon restart
2018-06-22 SPL-156164, SPL-162309, SPL-162310, SPL-162311 Shutdown sequence does not begin after master has instructed peer to restart during rolling restart phase of a bundle push

Workaround:
Setting restart_timeout to the minimum value possible (server.conf on the CM).
2018-06-06 SPL-155226, SPL-153036 CMBucketId has lock contention from std::map log(n) lookup time
2018-04-05 SPL-153051, SPL-152821 Contention on DatabaseManager::_mux and CMIndexId mutex impacting search performance and indexer cluster stability.
2018-03-22 SPL-152465, SPL-153596, SPL-153597, SPL-154595, SPL-154647, SPL-154648 Clustering - when a peer is in detention, we will make excess copies

Workaround:
If any indexers are in detention run `splunk remove excess-buckets` periodically.
2018-03-15 SPL-152168 Batch-mode retry can return more or less events than it should due to reordering from thread pool processing.

Workaround:
Before you initiate searchable rolling restart or rolling upgrade, make sure the search_retry attribute in the [search] stanza of limits.conf is set to false (the default).


If you have scheduled searches that must complete, either increase the value of decommission_search_jobs_wait_secs (default=180s) in server.conf, or do not run searchable rolling restart or rolling upgrade during the search's timeframe.

2017-03-16 SPL-138846 In multisite clustering, deletion of events in hot buckets is not pushed to other sites
2016-08-25 SPL-127353 Data rebalance finishes early when one peer is the source for all buckets

Workaround:
when only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time
2015-05-08 SPL-101184 Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer.
2014-10-13 SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-09-29 SPL-91432 On Windows when the master is down, the CLI command splunk offlinehangs when run from one of the streaming target peers.
2014-09-08 SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-07-29 SPL-87816 When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza.

Workaround:
Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
2014-07-14 SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-04-29 SPL-83636 When configuring a multi-site cluster using cluster-config, the error messages are incorrect if the SF/RF was previously set.
2014-03-18 SPL-82038 Cluster-config does not work if a parameter value includes a space character.
2014-03-17 SPL-81955 Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed.
2014-01-06 SPL-78688 Peer is able to change to an invalid (empty) replication port
2013-08-06 SPL-72484 You cannot use the CLI to delete an index with a capital letter in its name.

Universal forwarder issues

Date filed Issue number Description
2019-01-28 SPL-165635, SPL-191773, SPL-189789 splunk not reading file after log rotation
2018-11-28 SPL-163271, SPL-159337 Splunk UF crashing due to invalid EVENT_BREAKER
2018-09-25 SPL-160530, SPL-156698 splunk-netmon consumes additional 2GB memory every day on Universal Forwarder
2018-04-10 SPL-153251 Universal Forwarder txz package cannot be installed on FreeBSD 11.1

Workaround:
1. Use pkg install instead of pkg add

OR 2. Install package by untarring tgz file to /opt/splunkforwarder

2017-05-23 SPL-141961 Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port.

Workaround:
This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions:
  • 6.0.0 to 6.0.6
  • 6.1.0 to 6.1.4
  • 6.2.0 to 6.2.6
  • 6.3.0 to 6.3.1
  • 6.3.1511.1

Upgrade your older instances to the latest maintenance releases or on your 6.6.x Splunk instances. Add the following stanza to server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


2017-03-20 SPL-139019 Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites

Workaround:
Users can do either of the following:

1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully.

3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc..). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites.

2017-03-14 SPL-138731 New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled

Workaround:
Users can do any of the following:

1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security.

2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk

3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/

2015-06-10 SPL-103010 Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets.
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day

Workaround:
In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2015-03-25 SPL-98594 Routing events to two different groups not working as expected.

Workaround:
1 On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups.

2 Setup a proxy UF which takes input from the original UF and send input out syslog server. This solution only requires config change and no patch release is required.

2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2013-09-18 SPL-74427, SPL-74448 The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.

Workaround:
To work around this issue, create a splunk user on your system before attempting to run the installer.

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2018-10-08 SPL-161044, SPL-141772 App deployment fails sporadically on Windows
2018-06-29 SPL-156539, SPL-155035 Splunk Fowarders splunkd process stopping - Crashing thread: HttpClientPollingThread
2014-10-02 SPL-91648, SPL-91358 Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-08-15 SPL-89333 Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-06-20 SPL-85739 When running a high number of deployment clients for a server, memory growth may be excessive.

Workaround:
To mitigate this, set forceHttp10=always.

Monitoring Console issues

Date filed Issue number Description
2019-01-24 SPL-165397, SPL-160335 No custom checklist item examples in checklist.conf.spec
2019-01-23 SPL-165338, SPL-160335 No custom checklist item examples in checklist.conf.spec
2018-10-19 SPL-161714, SPL-163188, SPL-163189 Saving server roles in DMC "configure" view results in 409 Conflict error response code when there is more than 30 groups defined
2018-09-30 SPL-160867, SPL-158166 Monitoring Console does not allow user to select 'All Queues' in Queues to Measure dropdown
2018-09-20 SPL-160349, SPL-158166 Monitoring Console does not allow user to select 'All Queues' in Queues to Measure dropdown
2018-09-20 SPL-160348, SPL-158166 Monitoring Console does not allow user to select 'All Queues' in Queues to Measure dropdown
2017-08-18 SPL-144193 Bundle validation errors prevent future app deployment to indexer cluster
2017-08-14 SPL-143981 Uninstall app dialog does not show the app name correctly when the app doesn't have the label
2017-08-04 SPL-143664 Uploaded apps page makes two calls to packages endpoint
2017-05-24 SPL-141982 Upload modal should use size=large File element
2017-04-19 SPL-141274 Clicking Install multiple times in Install dialog causes error
2017-04-19 SPL-141273 Task endpoint fetch once even when there's no last deploy task id
2017-03-30 SPL-140654, SPL-178056 wrong integrity check alert for file etc/users/users.ini
2017-03-07 SPL-138351, SPL-172626 The role change of DMC via UI does not reflect to distsearch.conf

Workaround:
As a workaround can the customer manually modify the distsearch.conf.
2016-11-14 SPL-132151 XML error when trying to download uninstalled app

Splunk Web and interface issues

Date filed Issue number Description
2019-07-11 SPL-173061 UI exposes a nonfunctional option for modifying permissions on custom search commands
2019-01-22 SPL-165253, SPL-166047, SPL-166776, SPL-166777 Using "%" in dashboard XML can cause infinite 'Loading...' loop for dashboards with no error reported.

Workaround:
Do manual URI encoding. For example, this would load just fine:


<html>

This is the <a href="http://%25%25problem%25%25/index.html">problem.</a>

</html>


2018-10-25 SPL-162249, SPL-170857, SPL-177527, SPL-177529, SPL-183262 The filter function of <splunk-search-dropdown> UI component is not working on on Splunk Enterprise 7.1 and later.
2018-07-16 SPL-157354, SPL-152481 Setting "tools.sessions.forceSecure = True" in web.conf doesn't set the secure flag on session_id_* cookies
2018-06-26 SPL-156316, SPL-145546 When assigning indexes to roles, indexes defined on the indexer tier are not displayed

Workaround:
Replace the "$SPLUNK_HOME/etc/apps/search/default/data/ui/manager/authentication_roles.xml" file on the search head with a version from any Splunk Enterprise 6.6.x release. Refresh the configuration on the search head by calling a debug refresh (http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh) using a supported web browser.

2018-05-30 SPL-154973, SPL-155773, SPL-158832 timeline preview shows random events, but not the ones based on the selected timeline segment

Workaround:
Appending following to the SPL seems to do the trick:
| sort - _time
2018-05-27 SPL-154920, SPL-156245, SPL-159249 Search Removal With Case Insensitive Capability

Workaround:
To use the same letter case as the search function.
2017-08-23 SPL-144350 Archived Index is created without error when the splunk index is invalid
2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2016-11-14 SPL-132133 App Browser filtering of the apps does not work
2015-11-09 SPL-109165 Interactive Field Extractor hangs when using "^" as delimiter.

Workaround:
Use props and transforms to specify the delimiter of your choice.
2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-30 SPL-103701 Actions links should be removed for "Apps Browser"
2014-07-16 SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-02-26 SPL-81103 Username surrounded by dollar signs cannot create saved searches.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Windows-specific issues

Date filed Issue number Description
2019-06-07 SPL-171658, SPL-166645 Splunk is filling the "C:/Windows/Temp" folder with .tmp files
2019-04-18 SPL-169287, SPL-155149 Registry changes under SYSTEM\CurrentControlSet are not being read by WinRegMon

Workaround:
Monitor SYSTEM\\ControlSet\d+ instead.
2018-11-07 SPL-162659, SPL-80589 On Windows Server 2012 and Server 2012 R2, an external bug causes the %_Processor_Time counter to display 100 for multiple processes, even when the number of available CPU cores precludes that possibility.
2018-10-29 SPL-162353, SPL-158197 splunk-regmon - failed to start the driver due to permission issue
2018-09-25 SPL-160530, SPL-156698 splunk-netmon consumes additional 2GB memory every day on Universal Forwarder
2018-08-31 SPL-159549, SPL-153030 PowerShell inputs fail after several runs
2018-06-15 SPL-155603, SPL-155149 Registry changes under SYSTEM\CurrentControlSet are not being read by WinRegMon

Workaround:
Monitor SYSTEM\\ControlSet\d+ instead.
2015-11-13 SPL-109430 In Windows only, inheritance is broken for folders created by splunkd. Files created are accessible only to the user as whom splunkd is running.
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
2015-04-01 SPL-98978 On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time.

Workaround:
To fix the problem, restart Windows on the forwarder.


2014-10-31 SPL-92596 After upgrade from Splunk Enterprise 6.1 or earlier to 6.4.x on Windows, splunkweb service does not start automatically. Attempts to start it manually show "Error 1053: The service did not respond to the start or control request in a timely fashion."

Workaround:
This is expected behavior. See the Splunk Answers post: http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html
2014-09-25 SPL-91279 Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles.

Workaround:
See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.

REST, Simple XML, and Advanced XML issues

Date filed Issue number Description
2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2016-10-31 SPL-131072 Datamodel backend allows invalid time values
2013-05-15 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

PDF issues

Date filed Issue number Description
2016-11-23 SPL-132925 Table data rows generated with the addcoltotals command do not show up in PDF

Workaround:
If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

2015-03-31 SPL-98890 Maps printed from Report page do not honor custom zoom and center.
2014-06-16 SPL-85497 Unable to save generated PDFs using Chrome internal PDF viewer.

Workaround:
Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, seehttps://support.google.com/chrome/answer/142056.


Admin and CLI issues

Date filed Issue number Description
2020-08-22 SPL-194053, SPL-193257 create_context=usr: notify mothership for newly created file

Workaround:
Change permissions after each lookup table creation

Upload a pre-created/pre-existing csv lookup, but it is often not possible.

2019-07-18 SPL-173414, SPL-179491, SPL-179612, SPL-179627 Splunk unable to load defined Saved Searches in a conf file if a bad/malformed cron_schedule value is present/set

Workaround:
If this behavior is noticed (savedsearches - alerts/searches/reports) not showing up in the GUI, verify cron jobs are valid, if they're not, then correct them.

A quick check would be to create a duplicate savedsearches.conf and removing all cron_schedule definitions and rebooting splunk with that config to identify if it is this issue.

2019-01-30 SPL-165767, SPL-145827 Capability rtsearch is enabling for power user after being remove when running CLI cmd and restarting splunk
2018-11-01 SPL-162465, SPL-142345 SHOULD_LINEMERGE always shows true on UI when there is a LINE_BREAKER setting in sourcetype
2018-10-11 SPL-161286, SPL-154594 system/default/props.conf for python.log just plain WRONG
2018-10-09 SPL-161134, SPL-142345 SHOULD_LINEMERGE always shows true on UI when there is a LINE_BREAKER setting in sourcetype
2018-07-23 SPL-157731, SPL-154594 system/default/props.conf for python.log just plain WRONG
2018-05-17 SPL-154589, SPL-154772, SPL-155190, SPL-155191, SPL-155194 Enabling splunk boot-start won't work with ubuntu-like distro

Workaround:
1. make a copy of /etc/os-release

2. remove /etc/os-release 3. run enable boot-start on splunk 4. restore /etc/os-release

2018-02-06 SPL-148877, SPL-145579 chkconfig directive missing for AWS with enable boot-start
2017-11-29 SPL-146820 Unable to access some settings/manager pages (data model editor) if starting from the setup page of a non-visible app

Workaround:
Navigate to a visible app, such as the search and reporting app, and access the Splunk settings pages from that app context.
2017-04-11 SPL-141051 When LINE_BREAKER is defined for a sourcetype, UI forces SHOULD_LINEMERGE to true

Workaround:
None in Splunk Cloud.

For on-prem, manually edit the props.conf file to set SHOULD_LINEMERGE to 'false'.

2017-04-03 SPL-140747 SSL connection in Python when using new ciphers may be slow.
2016-11-09 SPL-131880 Reports/Alerts owned by the deleted user cannot be found in the Orphaned filter for the Reassign Knowledge Objects page
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-03-11 SPL-97942 Capability defined in an app does not take effect when assigned to a role

Workaround:
The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:

[search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table

2014-04-07 SPL-82699 SSO: Acceleration icon fails to display in Searches, Reports, and Alerts page.
2013-05-25 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.

Workaround:
Set server.conf [applicationsManager] allowInternetAccess = false
2013-05-02 SPL-66511 If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.

Uncategorized issues

Date filed Issue number Description
2019-11-08 SPL-179256, SPL-179703, SPL-180148, SPL-180149 kvstore inputlookup with large 'where' filter fails silently when hitting 300 second timeout

Workaround:
Change logic of your search,

do filtering later in | search

2019-07-16 SPL-173213, SPL-169562 EXTRACT with REGEX capture groups are not extracting fields without specifying FORMAT.
2019-07-11 SPL-173038 Deprecated Feature SH Pooling has several functional problems in versions 7.1.x and above

Workaround:
Customers are strongly advised to use Search Head Clustering instead.
2019-06-06 SPL-171600, SPL-167453 Replicated bucket in indexer cluster is timestamped with earliest time 0 (January 1970) if its last slice is empty.
2019-05-22 SPL-170880, SPL-169429 Do not evict bucket contents from target indexers after S3 upload
2019-04-03 SPL-168740, SPL-151627 Force user reset password is not replicated in SHC
2019-03-20 SPL-168023, SPL-167635 Failed to localize because of CacheManager inconsistent bucket state after a truncate

Workaround:
https://confluence.splunk.com/display/PROD/Fixing+Failed+to+localize+errors+due+to+a+truncate
2019-03-20 SPL-168025, SPL-167635 Failed to localize because of CacheManager inconsistent bucket state after a truncate

Workaround:
https://confluence.splunk.com/display/PROD/Fixing+Failed+to+localize+errors+due+to+a+truncate
2019-03-20 SPL-168026, SPL-167635 Failed to localize because of CacheManager inconsistent bucket state after a truncate

Workaround:
https://confluence.splunk.com/display/PROD/Fixing+Failed+to+localize+errors+due+to+a+truncate
2019-02-27 SPL-167014, SPL-143275 Bucket rebuild fails with reason: Failed to process delete journals
2019-02-08 SPL-166228, SPL-166798, SPL-167655 Splunk crashes in _mongoc_openssl_ctx_new on shutdown
2019-01-29 SPL-165718, SPL-162399 Relative, realtime, and date range tabs on time picker on a dashboard is not translated
2019-01-28 SPL-165614, SPL-162969 Splunk upgrade failures due to kv store migration issues
2019-01-25 SPL-165574 Splunk Search head cluster initial kvstore sync continues to fail with "OplogOperationUnsupported: error applying batch: Applying renameCollection not supported in initial sync" in mongod.log

Workaround:
For 7.1.4+:

add the following to $SPLUNK_HOME/etc/system/local/server.conf:

[kvstore] 
allowUnsafeRenamesDuringInitialSync = true

For 7.1.3 and below: Try and stop all kvstore (outputlookup) activity, the most common reason for the rename of a collection in mongo is when running | outputlookup without append=true

2019-01-15 SPL-164976, SPL-164862 After migration, Splunk Cloud customer seeing unexpected large increase in outbound network bandwidth from forwarders
2019-01-15 SPL-164979, SPL-166184, SPL-166510, SPL-166511 Search deadlock in StateStoreWorkerScheduler when executing kvstore lookup
2019-01-04 SPL-164557, SPL-175202 Add capability of skewing time validation for SAML assertions
2018-12-04 SPL-163475, SPL-161299 ES Search Head Captain Crash: 'it != _summary_inprogress.end()'
2018-11-19 SPL-163032, SPL-157014 Search results on a dashboard are given with system timezone instead of user timezone
2018-11-19 SPL-163030, SPL-157014 Search results on a dashboard are given with system timezone instead of user timezone
2018-11-12 SPL-162794 Internal logs not being sent after enabling SplunkForwarder app
2018-10-10 SPL-161224, SPL-153371 S2 - Search of a frozen bucket returns with a "failed to localize" error.
2018-09-28 SPL-160841, SPL-164523, SPL-164531 Received fatal signal 11 (SEGV) on TailWatcher on Heavy Forwarders RegexExtractionProcessor race condition

Workaround:
disable regex profiling in limits.conf:
regex_cpu_profiling = false

or upgrade to 7.1.7, 7.2.4, 7.3.0 or higher

2018-09-10 SPL-159813, SPL-163056, SPL-164724, SPL-164725 Post 6.6 / 7.0 upgrade, power user role cannot edit alert.expires from UI
2018-08-31 SPL-159552, SPL-163568, SPL-161659, SPL-161660, SPL-161688, SPL-162483, SPL-162484 SAML - "role" not parsing comma separated list
2018-08-22 SPL-159203, SPL-159254, SPL-163561 splunk_archiver app is included in the Splunk Cloud package in error, needs to be excluded at packaging time
2018-08-15 SPL-158875, SPL-159174, SPL-159613, SPL-159614, SPL-159644 splunk shipped python in *nix doesn't work with iso2022_jp
2018-07-13 SPL-157230, SPL-163803, SPL-163974, SPL-163975 conf-mutator.pid cleanup error during GUI initiated restart

Workaround:
The error message can be safely ignored.
2018-06-28 SPL-156504 CIM Setup page is showing single line because of Indexes.js collection not executing callbacks

Workaround:
Edit configuration files as needed and restart the search head.
2018-06-13 SPL-155513, SPL-159646, SPL-159848 Mstats not honoring time picker range for windowed real time search
2018-05-28 SPL-154925, SPL-161164, SPL-162971 KVstore restore failure sometimes when having >1000 rows in the collection

Workaround:
Change the limit in server.conf from 1000 to a big enough value before backup, and allow restoring the backup e.g.:

[kvstore] max_documents_per_batch_save = 50000

2018-05-21 SPL-155427, SPL-155716, SPL-155719 CIM Setup page is showing single line because of Indexes.js collection not executing callbacks
2018-05-18 SPL-154616, SPL-152935 KVStore Replication Error: replSetReconfig got BadValue _id field value of 256 is out of range
2018-05-17 SPL-154593 Chunks of summary index data are routed to the wrong index when queues are blocked
2018-05-10 SPL-154382, SPL-166025, SPL-167034, SPL-167035, SPL-167036 Role Capability To See Indexes for Summary Indexing Gives Role Index Edit Ability

Workaround:
Enable indexes_edit and dispatch_rest_to_indexers capabilities for the Power role for all indexes to be listed
2018-05-08 SPL-154263 Splunk diag fails on files with modification time before 1970, "error: integer out of range for 'l' format code".

Workaround:
Change the timestamps of any files under SPLUNK_HOME dated prior to 1970.
2018-05-04 SPL-154139, SPL-154567 embedded report uses oldest search artifact from the history endpoint

Workaround:
Same as Jira SPL-122982: cron job to delete the old artifacts
2018-04-27 SPL-153958, SPL-153724, SPL-154459 mcollect should check index permissions for the index that it is trying to write to.
2018-04-25 SPL-153758, SPL-153687 Dashboard time range picker selected state does not correctly display certain ranges
2018-04-18 SPL-153555, SPL-152283 mongod errors out on distros with older glibc (2.7 and below) with " Invalid access at address: 0x10"
2018-04-12 SPL-153352 Users are not notified about password expiration in Splunk Web

Workaround:
To mitigate this issue, the admin can create a saved search for password expiration alerts that appear in splunkd.log in order to find user passwords that are expiring.

The expiration warning messages are in the format: "Password for user '{user}' is set to expire in {num} days"

2018-04-02 SPL-152888, SPL-154243, SPL-155000, SPL-155019, SPL-155451 Chunks of summary index data are routed to the wrong index when queues are blocked
2018-03-29 SPL-152761, SPL-151501 Enabling/Disabling acceleration for a data model creates an unnecessary copy of the data model JSON in <appname>/local/data/models/<model>.json
2018-03-22 SPL-152457, SPL-177446, SPL-178720, SPL-178721, SPL-178722, SPL-178723 splunkd.log WARN TelemetryHandler - 1521648000.000000
2018-03-20 SPL-152330, SPL-151992 After installing Splunk on Windows using msiexec and the "GENRANDOMPASSWORD=1" option (and if generated password ends with backslash) admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2018-03-14 SPL-152095 Edit Summary Indexing - Index List empty/incomplete for User with Power role after upgrading to 6.6.0+

Workaround:
add indexes_edit and dispatch_rest_to_indexers capability to the Power role for all indexes to be listed
2018-02-14 SPL-149190, SPL-141808 (Windows Only) Support sslRootCAPath on Windows
2018-01-25 SPL-148514 Splunk not starting on Linux kernel version 4.13.0-31

Workaround:
Do not upgrade kernel to version 4.13.0-31. Use either an older release or 4.13.0-32.35+
2017-11-06 SPL-146229 Clustering S2 - set indexing-ready does not recreate buckets
2017-10-17 SPL-145749 S2 bootstrapping doesnt respect multisite origin policies
2017-05-09 SPL-141693 DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list.
2017-03-27 SPL-140442, SOLNESS-11786 In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses.

Workaround:
If users cannot perform operations on notable event review statuses or have issues viewing "Edit all selected" links on Incident Review, user roles must be provided with the "edit_roles" capability.
2017-02-13 SPL-136709 Chart retains legend and title after enabling trellis layout in splunk.js
2017-01-18 SPL-135260 Documentation for Search formatting keyboard shortcut for non-English languages
2017-01-06 SPL-134707 Splunk restart does not create missing server.pem certificate on Windows

Workaround:
Use bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate.
2016-11-21 SPL-132670 Mac OS 10.11: disable boot-start doesn't remove the file /Library/LaunchAgents//com.splunk.plist by enabling boot-start in prior Splunk/UF
2016-08-31 SPL-127800 Opting in to data sharing on a monitoring console produces duplicate data
2016-07-26 SPL-125052 Sole Admin can demote themself to Power without path of recovery in GUI.

Workaround:
Through the command line, you can open notepad and modify the password file to regain 'Admin' status.
2016-06-22 SPL-123301, SPL-95164, SPL-167968 Aggressive calls to LDAP for non-existent/inactive users causes slow logins, performance issues/ skipped searches/ indexing pause
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs
2015-10-07 SPL-107606 Inconsistency between summary and datamodel_summary files.
2015-06-18 SPL-103302 Files ownership are failed to be changed when using debian package to install splunk and $SPLUNK_HOME is a symlink

Workaround:
Run a recursive chown from the command line on $SPLUNK_HOME manually, post install.
2015-05-24 SPL-102008 On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference.
2015-05-11 SPL-101289 When the number of indexing pipeline sets is greater than four, indexing throughput decreases.
2015-05-06 SPL-100980 Single indexer does not scale when receiving parsed data from multiple PipelineSets.
2015-05-04 SPL-100792 There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals.

Workaround:
Searches that key off these lines need to select their desired name=x category in order to see a single thruput value.
2015-04-24 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml)

Workaround:
Workaround is to use label attribute for collection element.

<collection label="Others">

           <view source="unclassified" match="Dashboard"/>
     </collection>  
2015-03-26 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id.

Workaround:
The workaround is to remove the duplicated bucket.
2015-02-26 SPL-97389 When using timechart command, the embedded report shows different time format than the original report.
2015-01-08 SPL-95144, SPL-101986, SPL-101987, SPL-106884, SPL-107317, SPL-142789 Indexed message for Windows security event logs shows "FormatMessage error"

Workaround:
Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.
2014-11-10 SPL-92831 A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ."

Workaround:
The warnings can be ignored, the workaround is use same major versions (all on 6.2 or all on 6.1).


2014-10-24 SPL-92432, SPL-99583 Chart in dashboard panel does not honor interval settings.

Workaround:
In the panel XML, specify a larger height to use the correct interval settings.
2014-10-17 SPL-92162 Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
2014-09-11 SPL-90738 Monitoring a directory with an unknown sourcetype produces indexing errors.
2014-08-26 SPL-90139 <timestamp> does not display in the Patterns tab when searches are run in fast mode.
2014-04-22 SPL-83365 Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
2014-04-14 SPL-83068 Default index can be set to random index.
2014-04-01 SPL-82517, SPL-208875 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
2014-03-23 SPL-82238 Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
2014-03-13 SPL-81856 Show all lines does not work in data model editor preview.
2014-03-12 SPL-81810 Licensing - license pool warning at license master keeps coming back after deleting it.

Workaround:
Delete the warnings on the peers first, then the License Manager.
2014-03-12 SPL-81781 In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range.
2014-02-07 SPL-80285 In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions.

Workaround:
For more information, see Add lookup files to Splunk.
2014-02-06 SPL-80187 In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared.

Workaround:
Share the definition. For more information, see Add lookup files to Splunk.
2014-01-31 SPL-79842 On Windows, Indexer doesnt accept new connections on splunktcpin port after queue blockage is resolved
2013-11-27 SPL-77139 Licenser pool usage gets reflected only after restarting splunkd.
2013-10-29 SPL-75764 Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
2013-09-13 SPL-74337, BETA-496 You cannot specify a destination folder when installing on OSX.
2013-09-10 SPL-74209, SPL-74167 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >).

Workaround:
Specify the persistentQueue explicitly in the input definition.
2013-08-28 SPL-73826 Windows: hostname override not working properly
2013-06-13 SPL-69304 If license slaves are running <6.0 version, they do not have the idx field and in theLicense Usage view, the split by index field will show a field named UNKNOWN.
2013-04-30 SPL-66213 PDF server app is not working with latest Xvfb
2012-02-22 SPL-48342 LDAP strategy host field cannot work with ipv6 format address but computer name is okay
2010-10-08 SPL-34347 wmi input default fields - with value including newlines doesn't search properly becasue of \r\n issue

Splunk Analytics for Hadoop

Date filed Issue number Description
2017-04-04 ERP-2040 Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x

Workaround:
Upgrade Hadoop to 2.8.2 or higher.
2015-09-09 ERP-1650 timestamp data type not properly deserialized.
2015-08-05 ERP-1619 Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception.

Workaround:
Reenable the bucket copy saved search and let it run, or force the archiving to happen via | archivebuckets force=1 and then rerun the search.
2015-07-07 ERP-1598 minsplit rampup - splits generation takes too long.

Workaround:
Set minsplits=maxsplits
2015-05-12 ERP-1502 Non-accelerated pivot search on Pivot UI page waits for a long time to return result.
2015-01-08 ERP-1343, SPL-95174 Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error.

Workaround:
Add the journal.gz to the input path's blacklist (vix.input.1.ignore = ....)
2014-10-27 ERP-1216 Data Explorer preview does not honor existing sourcetypes for big5/sjis files.
2014-10-03 ERP-1164 Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory.

Workaround:
To mitigate this issue, make sure that vix.splunk.home.hdfs (or Working directory in the UI) is unique on both search heads that are not in a pool. To keep your instances in the same working directory, configure vix.splunk.search.cache.path to be unique on both search heads.
Last modified on 10 December, 2024
Welcome to Splunk Enterprise 7.1   Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters