Splunk® Enterprise

Release Notes


This documentation does not apply to the most recent version of Splunk.

Fixed issues

Splunk Enterprise 7.2.0 was released on October 2, 2018. This release includes fixes for the following issues.

Issues are listed in all relevant sections. Some issues might appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.

Highlighted issues

Date filed Issue number Description
2018-08-29 SPL-159442, SPL-156444 Searches in 7.1.x may take considerably more memory than with 7.0.x or earlier. This applies particularly to searches that search and/or return a large result set. Due to search speed performance improvements some memory usage increase is expected with 7.1.x and later even after this issue is fixed.

Highlighted issues

Date resolved Issue number Description
2018-07-12 SPL-146352, SPL-156438, SPL-156439, SPL-156440, SPL-156441 LDAP reload can severely delay remote app deployment, need app reload metrics to improve diagnosability.

Data input issues

Date resolved Issue number Description
2018-08-21 SPL-158931, SPL-160031, SPL-156983, SPL-158938, SPL-160030 Suppress introspection errors from bulletin board on Cloud instances
2018-07-24 SPL-142942 splunk-powershell.ps1 gets stuck in EndInvoke call when an exception is encountered
2018-06-01 SPL-153591, SPL-155066, SPL-155067, SPL-155069 high delay on events from UF after upgrade to (6.6.x)
2018-04-12 SPL-152628 PREAMBLE_REGEX doesn't work on 7.0.2 but OK with 7.0.0
2018-03-14 SPL-137275, SPL-130962 Files are not getting ingested if there is missing eol

Search issues

Date resolved Issue number Description
2018-09-05 SPL-159414, SPL-159182 Memory growth with transactions and keeporphans
2018-08-15 SPL-154875, SPL-144312 Owner of Macros can not be reassigned in Web UI in version 6.6.x
2018-08-09 SPL-155348, SPL-148606 Inconsistent Search Results Against _audit Index
2018-08-09 SPL-158332, SPL-157433 lookup OUTPUTNEW commands mistakenly cause optimizer to remove preceding search commands resulting in missing field values
2018-08-08 SPL-157120, SPL-158035 Customer upgraded to Splunk 7.1 and this broke his HUNK Archive index.
2018-08-08 SPL-157516, SPL-153464 Job Progress Status goes from 0 to 100 back to 0
2018-08-01 SPL-156448, SPL-152245 Scheduled search job terminated unexpectedly
2018-07-26 SPL-157687, SPL-153976 Splunkd Crashes When Opening A Simple Dashboard
2018-07-26 SPL-149132, SPL-142710 Splunk ignores "is_risky=false" setting for any command that is not an actual custom script like sendemail. For example the setting is ignored for outputlookup and outputcsv.
2018-07-16 SPL-155773, SPL-154973 timeline preview shows random events, but not the ones based on the selected timeline segment
2018-07-12 SPL-152434, SPL-154534, SPL-154531, SPL-154532, SPL-154533 xml export bloats in size due to repeated <fieldOrder> section
2018-06-14 SPL-155106, SPL-155412, SPL-155413 splunkd process consuming large amount of memory in 7
2018-06-12 SPL-152598, SPL-154005, SPL-154876, SPL-157818, SPL-157913, SPL-158186 The "srtemp" directory can grow to hundreds of GB in size and fill up the disk due to orphaned temporary files left behind by abnormally terminated searches and never reaped
2018-06-07 SPL-154931, SPL-154463 When eventstats is the last command in a reporting search in Splunk 7.1.0 the stats tab truncates all results past a certain number of results.
2018-06-07 SPL-145831 In search.log, IndexScopedSearch message with lispy string is missing a space between index name and "is". It's "index=indexNameis" instead of "index=indexName is"
2018-06-07 SPL-154026, SPL-155293, SPL-155294 gentimes command shows incorrect starthuman time with daylight savings
2018-06-03 SPL-154542, SPL-154138 Searches with multikv extraction use too much memory: potentially orders of magnitude more than previous versions.
2018-05-30 SPL-154737, SPL-153432 The bins option returns inconsistent count values in distributed environment
2018-05-10 SPL-152490, SPL-148796 ui_inactivity_timeout not working even after search completes
2018-05-08 SPL-153349, SPL-154301, SPL-154302, SPL-154303 Scheduling Alerts - Apply Time Range Of Initial Search Not Reflecting when Saving as Alert
2018-05-01 SPL-153732, SPL-145602 REGEX flag (?J) "duplicate group names" causes splunk to crash
2018-04-30 SPL-152806, SPL-141639 6.5.2 Error in chart command: The value for option span is invalid: log10
2018-04-19 SPL-153521, SPL-145560 Splunkd DispatchManager logging is inconsistent
2018-03-28 SPL-135296, SPL-105039, SPL-152728, SPL-152729, SPL-152735, SPL-152815, SPL-152817 SearchResults complains in splunkd.log about a corrupt CSV file header without naming the problematic file or lookup table
2018-03-27 SPL-151719, SPL-152232, SPL-152236 Windows Events Logs: Hidden Character Added To Field Name Breaks Search

Saved search, alerting, scheduling, and job management issues

Date resolved Issue number Description
2018-08-09 SPL-155699, SPL-153792 Datamodel works both accelerated and non-accelerated in standalone, but fails on indexer instance when accelerated in an indexer clustered environment
2018-07-24 SPL-156991, SPL-153649 Search scheduler shifts earliest_time and latest_time based on the skew, when using allow_skew
2018-07-16 SPL-155352, SPL-157325, SPL-157326, SPL-157327 Search scheduler can be blocked by slow kvstore responses during saved search history pruning.
2018-07-11 SPL-153576 scheduler sourcetype create a field with the same name as in the event - message field auto extraction does not work
2018-06-18 SPL-155219, SPL-155560 DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load
2018-05-23 SPL-154136, SPL-154836 Duplicate alerts are triggered for real time alert type on Splunk Enterprise 7.1.0
2018-05-07 SPL-147319, SPL-154403, SPL-154405 SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log
2018-04-09 SPL-148958, SPL-153147, SPL-153148, SPL-153149, SPL-153150 tstats will not return any results from an Accelerated Datamodel/Namespace/tscollect job if the raw event has 2-byte characters

Charting, reporting, and visualization issues

Date resolved Issue number Description
2018-07-26 SPL-157687, SPL-153976 Splunkd Crashes When Opening A Simple Dashboard

Data model and pivot issues

Date resolved Issue number Description
2018-08-13 SPL-156254, SPL-152600 Save the pivot table as a Report or Dashboard: Pivot Table Error - Error in PivotRowCol
2018-08-09 SPL-155699, SPL-153792 Datamodel works both accelerated and non-accelerated in standalone, but fails on indexer instance when accelerated in an indexer clustered environment
2018-06-18 SPL-155219, SPL-155560 DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load
2018-05-07 SPL-147319, SPL-154403, SPL-154405 SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log
2018-04-09 SPL-148958, SPL-153147, SPL-153148, SPL-153149, SPL-153150 tstats will not return any results from an Accelerated Datamodel/Namespace/tscollect job if the raw event has 2-byte characters

Indexer and indexer clustering issues

Date resolved Issue number Description
2018-08-02 SPL-151331, SPL-148413 Bucket fix-up stack stuck with reason "potential dup primaries" prevents cluster from advertising all data searchable
2018-07-17 SPL-153221 Added db path collision check for summaryHomePath
2018-07-04 SPL-154580, SPL-146688 Race condition in Indexer Cluster bundles dry run causing "Unable to create/replace target file: No such file or directory".
2018-06-22 SPL-155220, SPL-154986 single-copy bucket stuck with status "no possible primaries", causes entire cluster to be tagged as "not fully searchable"
2018-06-17 SPL-154997, SPL-153569 Data rebalance blocked by stuck bucket discard
2018-06-04 SPL-153036, SPL-155224, SPL-155225, SPL-155226 SHC CMBucketId has lock contention from std::map log(n) lookup time
2018-05-18 SPL-152465, SPL-153596, SPL-153597, SPL-154595, SPL-154647, SPL-154648 Clustering - when a peer is in detention, we will make excess copies
2018-05-09 SPL-147996, SPL-146575 RF and SF not being met on CM after adding new Indexes and rolling restart
2018-04-18 SPL-153121, SPL-153520 CMSlave Should output errors when failing to enqueue the bundle validate job
2018-04-03 SPL-146335, SPL-151811, SPL-151813 DispatchReaper not cleaning up remote-bundle files on CM

Distributed search and search head clustering issues

Date resolved Issue number Description
2018-08-09 SPL-157926, SPL-157978 Scheduler blocked during pruning savedsearch history due to slow LDAP server
2018-07-26 SPL-155778, SPL-155536 prolonged gaps in SHC captain metrics.log group=searchscheduler
2018-07-18 SPL-156528, SPL-154592 Incorrect Version Mismatch Message
2018-07-12 SPL-146352, SPL-156438, SPL-156439, SPL-156440, SPL-156441 LDAP reload can severely delay remote app deployment, need app reload metrics to improve diagnosability.
2018-06-27 SPL-154747, SPL-154419 SHC captain does not clean up local bundles after failed replication attempts
2018-06-26 SPL-154934, SPL-154870 BundleDeltaHandler failing on indexing_tokens directory
2018-06-24 SPL-154926, SPL-154032 SHC bundle rejected at push-time because of built-in apps warning is still created and picked up by SHC members
2018-06-22 SPL-151900, SPL-156177, SPL-156178, SPL-156179 Distsearch.conf: value specified in disabled_server property will get ignored, if same value exists in servers property
2018-06-15 SPL-155043, SPL-154402 SHC: alert suppression may fail during restart due to timing issues
2018-06-15 SPL-154841, SPL-154654 SHC captain stops delegating DMA searches after a delegated DMA search job fails (status=delegated_remote_completion, success=0).
2018-06-04 SPL-154739, SPL-154089 Search heads may fail with "Skip search X during searchable rolling process" in invalid configurations where they communicate with cluster masters in an older version.
2018-06-01 SPL-152935, SPL-154616, SPL-154617, SPL-154618 KVStore Replication Error: replSetReconfig got BadValue _id field value of 256 is out of range
2018-05-23 SPL-149009, SPL-141363 Indexers report "Unknown search command" for external search commands even though the indexers contain the search bundle with the external command
2018-04-25 SPL-153831, SPL-148106 Crashing thread: TcpChannelThread, Assertion `_slave != __null ClusteringMgr::_slave_writeBucketsToSearch.
2018-04-12 SPL-152280, SPL-153218, SPL-153219, SPL-153220, SPL-153314 Deployer app staging area may miss bundles if preparation takes more than 10 minutes.
2018-04-10 SPL-130444, SPL-152625, SPL-152626, SPL-152627 SHC: alert suppression may fail during restart if suppression information does not exist locally on member
2018-04-05 SPL-147403, SPL-132295 Excessive "Inconsistent bundles" Logging
2018-03-21 SPL-145554, SPL-152420, SPL-152421, SPL-152422 The savedsearch key/value field is not quoted in SHCMaster log message breaking extraction

Universal forwarder issues

Date resolved Issue number Description
2018-04-20 SPL-151229, SPL-153636, SPL-153631, SPL-153632, SPL-153633, SPL-153634, SPL-153635 AIX 7.1 Deployment Server Restarting UF give splunkd; SRC did not 'chssys splunkd' on our behalf: exit code=-1

Distributed deployment, forwarder, deployment server issues

Date resolved Issue number Description
2018-05-31 SPL-153261, SPL-155010, SPL-155009 Slow performance in the Deployment Server UI, sometimes crashing the browser
2018-05-04 SPL-149328, SPL-156354, SPL-156355 Deployment Clients unable to connect to Deployment Server with phoneHomeIntervalInSecs = 600
2018-04-30 SPL-151413, SPL-148851 Application bundle cache (by default under $SPLUNK_HOME/var/run/tmp/) *never* gets cleaned up on Deployment server even server class no longer exists

Monitoring Console/DMC issues

Date resolved Issue number Description
2018-07-31 SPL-158060, SPL-156694 "Failed to fetch DMC settings to verify status" error in web_service.log when clicking "Settings> Data Inputs" from Splunk Web
2018-04-27 SPL-153396, SPL-149486 "HTTP Event Collector: Deployment" dashboard is not rendering at all and incorrectly reports "You currently have no tokens configured"
2018-04-25 SPL-153498, SPL-138918 Mount points are not listed correctly in "Average I/O Usage and Performance" panel of Monitoring Console

Splunk Web and interface issues

Date resolved Issue number Description
2018-08-09 SPL-157828, SPL-157139 Can not display more than 30 alerts in Alert's trigger actions
2018-07-25 SPL-157705, SPL-157317 In Forwarder Management Web GUI screen, 'more server classes' pop-up has title: Apps
2018-07-19 SPL-153408, SPL-153034 Formatting of an event is not kept when piped to table
2018-07-16 SPL-155773, SPL-154973 timeline preview shows random events, but not the ones based on the selected timeline segment
2018-07-12 SPL-157204, SPL-156282 Wrong description in lookup definition in UI
2018-07-09 SPL-155723, SPL-154541 No filter by owner in views when owner contains a back slash "\"
2018-06-07 SPL-154026, SPL-155293, SPL-155294 gentimes command shows incorrect starthuman time with daylight savings
2018-05-31 SPL-154823, SPL-153658 UI Visualizations of wide lists are not rendered correctly.
2018-05-10 SPL-152490, SPL-148796 ui_inactivity_timeout not working even after search completes
2018-05-08 SPL-153349, SPL-154301, SPL-154302, SPL-154303 Scheduling Alerts - Apply Time Range Of Initial Search Not Reflecting when Saving as Alert
2018-04-30 SPL-147061, SPL-153995, SPL-153996 debug/refresh reports errors on vanilla install.

Windows-specific issues

Date resolved Issue number Description
2018-08-09 SPL-156538, SPL-153030 PowerShell inputs fail after several runs
2018-06-06 SPL-143484, SPL-148223 splunk-perfmon.exe using high memory
2018-04-17 SPL-151800, SPL-153191, SPL-153192, SPL-153193 Windows Registry Monitoring Input is ignoring the _TCP_ROUTING setting

Rest, Simple XML, and Advanced XML issues

Date resolved Issue number Description
2018-06-04 SPL-153959, SPL-152556 fill_summary_index.py fails in SHC environment
2018-05-23 SPL-153655, SPL-154837, SPL-154839, SPL-154840 /services/search/jobs/*/results is responding with duplicate JSON field 'init_offset' when output_mode is 'json_cols' and search has no result

Authentication and Authorization issues

For a list of security issues, please see the Security Advisory. A list of all recent advisories can be found in the Security Portal.

Date resolved Issue number Description
2018-08-10 SPL-158140, SPL-156361 Splunk is crashing with DUO authentication after reload is issued
2018-08-09 SPL-155548, SPL-167662 Unable to see all local users in search head UI
2018-06-28 SPL-146728 Exported SAML SP Metadata not respecting "nameIdFormat" configuration.
2018-06-07 SPL-155316, SPL-149332 SAML - Upon Login Failure all current roles being sent is displayed to user in error message
2018-05-23 SPL-153877 SAML IdP configured for Centrify throwing: AdminHandler:AuthenticationHandler Errors
2018-04-09 SPL-151937, SPL-153123, SPL-153124, SPL-153125 Scripted authentication fails to parse getSearchFilter output, hitting PCRE_ERROR_MATCHLIMIT.

Admin and CLI issues

Date resolved Issue number Description
2018-08-09 SPL-156715, SPL-136970 default and local meta files getting corrupt or being altered in such a way as to cause warnings.
2018-07-24 SPL-157731, SPL-154594 system/default/props.conf for python.log just plain WRONG
2018-06-14 SPL-155132, SPL-146439 Saving roles manager page when no indexes are listed removes previous indexes
2018-06-11 SPL-154857, SPL-153624 savedsearches.conf configuration is_visible needs clarification
2018-06-01 SPL-154772, SPL-154589 Enabling splunk boot-start won't work with ubuntu-like distro
2018-05-16 SPL-154022, SPL-153625 leading and trailing comma validation should be robust for http proxy configuration
2018-05-14 SPL-153105, SPL-154478 New splunkd_stop_timeout parameter in server.conf displays validation warning when pushed from cluster master
2018-05-02 SPL-132996 The shcluster-bundle command ignores mis-spelled or unknown parameters silently, which might produce unintended consequences
2018-03-29 SPL-147286, SPL-152846, SPL-152848, SPL-152849 Setting DATETIME_CONFIG as filename does not update props.conf
2018-03-12 SPL-148877, SPL-145579 chkconfig directive missing for AWS with enable boot-start

Unsorted issues

Date resolved Issue number Description
2019-01-23 SPL-160037, FAST-11458, SPL-160858, SPL-160859, SPL-160860, INFRA-5076 Windows 2016 Standard blocked Splunk Enterprise 7.1.3 installation on a VM with BIOS UEFI mode enabled + Secure Boot enabled due to "A digitally signed driver is required"
2018-10-25 SPL-156817 HEC JSON file gives "Invalid data format" on 7.x versions with event sizes greater than 512KB
2018-08-16 SPL-156996, SPL-154144 CPU Cores Not Calculated Properly or Correctly
2018-08-01 SPL-156205, SPL-154378 Splunk Introspection mem_used misreporting very high values "17592186044029.098"
2018-07-31 SPL-154660, SPL-156690 KVStore can't start correctly because of MongoDB multikey index limits, no splunk doc mention this, doc update only
2018-07-31 SPL-156690, SPL-154660 KVStore can't start correctly because of MongoDB multikey index limits, no splunk doc mention this, doc change only
2018-07-26 SPL-147638, SPL-157922, SPL-157923 Splunkd crashes when HEC inputs configuration contains duplicated tokens
2018-07-19 SPL-157319, SPL-156315 After upgrade to 7.x, HEC events greater than 512KB are dropped with parsing errors, resulting in degrade of indexing throughput
2018-07-15 SPL-156193, SPL-153174 Request for better messaging for "Duplicated License situation happen on peer ..."
2018-06-29 SPL-155351, SPL-155035 Splunk Forwarders splunkd process stopping - Crashing thread: HttpClientPollingThread
2018-06-29 SPL-154752, SPL-147803 License master incorrectly calculates the daily license usage, which impacts new data input.
2018-06-01 SPL-152935, SPL-154616, SPL-154617, SPL-154618 KVStore Replication Error: replSetReconfig got BadValue _id field value of 256 is out of range
2018-05-23 SPL-153958, SPL-153724, SPL-154459 mcollect should check index permissions for the index that it is trying to write to.
2018-04-27 SPL-151228, SPL-153934, SPL-153935, SPL-153937 Add suppression state file listing to splunk diag.
2018-03-29 SPL-147956, SPL-152814, SPL-153081 mstats not returning results if tmp folder does not exist.
2018-03-28 SPL-145094, SPL-153078, SPL-153079, SPL-153080, SPL-153082 introspection: IOStats read incorrect if more than one partition created on one physical drive

Uncategorized issues

Date resolved Issue number Description
2018-08-21 SPL-151328, SPL-141808 (Windows Only) Support sslRootCAPath on Windows
2018-08-21 SPL-159051, SPL-146261 Search Assistant executes subsearches incurring subsearch side effects and increased CPU and memory usage
2018-08-14 SPL-155772, SPL-157897, SPL-157899 SEDCMD not working for long characters
2018-08-10 SPL-157243, SPL-158583, SPL-158584 Inability to disable UI warnings in messages.conf renders disabling the scheduler impractical.
2018-08-09 SPL-147249 Inputlookup for lookup with space in the filename fails with "Invalid argument: ..." with search optimization enabled
2018-08-08 SPL-154879, SPL-148553 Geostats generates blank map using fieldColors when emailed PDF dashboard
2018-08-01 SPL-157745, SPL-158142 Lengthy login_content messages run off login window
2018-07-31 SPL-153699, SPL-158098, SPL-158118, SPL-158120, SPL-155646 Indexer message/slowness after splunk 7 upgrade and possibly reducing indexer capacity to half.
2018-07-31 SPL-157530, SPL-157436 404 Error: quality_of_incoming_data
2018-07-31 SPL-155646, SPL-153699 Indexer Processor thread should attempt to free up the slots to run splunk-optimize
2018-07-31 SPL-157795, SPL-157342 Prebuilt panels text in an app are not extracted for localization when using "splunk extract i18n -app <appname>" command
2018-07-26 SPL-155000, SPL-152888 Chunks of summary index data are routed to the wrong index when queues are blocked
2018-06-28 SPL-155716, SPL-155427 CIM Setup page is showing single line because of Indexes.js collection not executing callbacks
2018-05-31 SPL-154018, SPL-154062, SPL-155385, SPL-157142 Splunkd looks for default openssl cert file under build path
2018-05-21 SPL-152084, SPL-153333, SPL-153334, SPL-159597 S2S: clientCert required in outputs.conf on SSL client although requireClientCert=false set on SSL server
2018-05-16 SPL-154139, SPL-154567 embedded report uses oldest search artifact from the history endpoint
2018-05-09 SPL-152887, SPL-154366, SPL-154367 Color Range Feature coupled with real-time search causes the colors to flicker when updating
2018-05-09 SPL-151896, SPL-145371 Bulletin board message timestamp incorrect on SHC members
2018-05-09 SPL-153916, SPL-153668 When exporting to PDF one particular IP Address generates an error while others work
2018-05-03 SPL-153011, SPL-154129, SPL-154130 HTML entity name appears in Tour dialog if username contains &,<,>,",'
2018-04-13 SPL-153047, SPL-145043 Too long of a dashboard title throws nondescript error message
2018-04-02 SPL-135274, SPL-151304, SPL-151306, SPL-151307, SPL-152244 search assistant incorrectly wrapping kv pairs in quotes
2018-03-27 SPL-151132, SPL-152435, SPL-152437, SPL-152438 PDF export broken with SimpleXML <init> TAG
2018-03-13 SPL-148815, SPL-151755, SPL-155093 Mistranslation of "Product Tour" > "Add Data Tour" in Japanese

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0

