Splunk® Enterprise

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Fixed issues

Splunk Enterprise 7.2.4.2

This release addresses an issue that might impact data durability under certain rare cluster conditions. The issue is triggered when there is a confluence of data replication errors from index clustering as well as an upload to the Splunk object store medium (SmartStore) via secondary or tertiary replication nodes.

While the incidence of the condition is rare and the impact is negligible, we recommend that customers that are currently using SmartStore in a clustered production environment upgrade to version 7.2.4.2 and set max_replication_errors in server.conf to 20.

The upcoming Splunk Enterprise 7.2.5 release will also contain the fixes, but will not require you to set max_replication_errors to 20.

If you are an on-premises customer using both SmartStore and Indexer Clustering and have questions regarding this upgrade, please open a support case via the support portal with the subject 7.2.4.2 upgrade questions.

Splunk Cloud customers will be upgraded as part of Splunk Cloud standard operations.

Splunk Enterprise 7.2.4

Splunk Enterprise 7.2.4 was released on February 7, 2019. This release includes fixes for the following issues.

Issues are listed in all relevant sections. Some issues might appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.

Data input issues

Date resolved Issue number Description
2019-01-15 SPL-162868, SPL-153132 Creating every process as a Daemon by process-runner causing D state for process runner.

Search issues

Date resolved Issue number Description
2019-01-29 SPL-162846, SPL-164977 When Setting Language Via URL Some Fields Are Getting Renamed
2019-01-24 SPL-165363, SPL-164718 "phased_execution_mode = singlethreaded" causes issue with field ordering
2019-01-17 SPL-162567, SPL-162308 Severe performance degradation with batch mode searches over large numbers of buckets
2019-01-16 SPL-162166, SPL-162548 splunkd: /opt/splunk/src/search/processors/lookup/IndexedCsvDataProvider.cpp:165: virtual void IndexedCsvDataProvider::lookupBatch(UnpackedResults&, const SearchResultsInfo&, const LookupDefinition&): Assertion `!_parse_only' failed.
2019-01-16 SPL-163624, SPL-162341 Artifacts are not being reaped in a timely manner causing searches to be queued
2019-01-04 SPL-164146, SPL-163825 Search process management may fail on race conditions resulting in spurious status as in SPL-152541.
2019-01-03 SPL-164427, SPL-162377 220 crashes over 12 days Thread: searchOrchestrator
2018-12-19 SPL-163425, SPL-152541 /search/jobs/*/control endpoint is responding 404 Unknown sid for executing search jobs
2018-12-18 SPL-163888, SPL-162433 Precision may be truncated in accum, addtotals, addcoltotals commands based on event ordering
2018-12-14 SPL-163831 Duplicate field defined in |table or |fields command causes incorrect data to be assigned to a field in the Statistics tab
2018-12-06 SPL-163454, SPL-163319 forceCsvResults parameter is improperly added to summary indexed data
2018-12-04 SPL-161649, SPL-138177 Workflow action menu stops rendering when using invalid special parameter tokens
2018-12-03 SPL-163063, SPL-159979 Crashing Thread: TcpChannelThread - Post process search using stats fields with null crashes Splunk
2018-12-03 SPL-162448, SPL-154678, SPL-163564 |metadata search error - Failed to apply deletes to some metadata
2018-11-07 SPL-160506, SPL-158401 Search with a FullFilePath containing \\ produce less events than with * and less over a longer period
2018-11-07 SPL-162599, SPL-159002 Search process crashing - thread: phase_1 - Segmentation fault in LookupTable::applyLookup

Saved search, alerting, scheduling, and job management issues

Date resolved Issue number Description
2019-01-15 SPL-164182, SPL-164480 per_result_alert mode and disable suppress cause missing results.srs.gz in 7.2+
2019-01-15 SPL-164489, SPL-157118 invisible datamodels /data/models/._*.json files are causing the manager to fail finding the datamodel definition
2019-01-09 SPL-163315, SPL-163882 Alert action not being fired with permission denied on reading search results after upgrade to 7.2.1
2018-12-06 SPL-163454, SPL-163319 forceCsvResults parameter is improperly added to summary indexed data

Charting, reporting, and visualization issues

Date resolved Issue number Description
2019-01-17 SPL-162567, SPL-162308 Severe performance degradation with batch mode searches over large numbers of buckets
2019-01-15 SPL-164721, SPL-154054 Dashboard Editor in de-DE locale CSS error in Format visualization modal for Stats Table/Line/Bar Charts
2018-12-06 SPL-163622, SPL-157994 HTML content inside dashboard XML can't be localized
2018-12-04 SPL-161649, SPL-138177 Workflow action menu stops rendering when using invalid special parameter tokens

Data model and pivot issues

Date resolved Issue number Description
2019-01-15 SPL-164489, SPL-157118 invisible datamodels /data/models/._*.json files are causing the manager to fail finding the datamodel definition

Indexer and indexer clustering issues

Date resolved Issue number Description
2019-01-14 SPL-162802, SPL-161301 For a multisite cluster, splunk is not reaping prior search-buckets manifests after new generation
2019-01-07 SPL-164157, SPL-162733 Rolling-restart fails on some search heads or indexers
2018-12-19 SPL-162309, SPL-156164 Shutdown sequence does not begin after master has instructed peer to restart during rolling restart phase of a bundle push

Distributed search and search head clustering issues

Date resolved Issue number Description
2019-01-17 SPL-164732, SPL-164011 SHC: when captain node is in AutomaticDetention status, all alerts (scheduled searches) appear to have stopped as well.
2019-01-10 SPL-164476, SPL-141869 App bundle push issued from SHC app deployer extremely slow
2019-01-07 SPL-164157, SPL-162733 Rolling-restart fails on some search heads or indexers
2019-01-04 SPL-163883, SPL-163216 Bundle replication from search head not using SNI with https connection
2019-01-03 SPL-164272, SPL-164134 Search performance degrading over time
2018-12-05 SPL-163487, SPL-162318 DispatchReaper fails to reap artifacts from fill_summary_index.py in SH Cluster

Universal forwarder issues

Date resolved Issue number Description
2019-01-02 SPL-164282, SPL-156799 Forwarder fails to restart when disableDefaultPort=true but port is being used
2018-12-19 SPL-163080, SPL-161891 RPM dependencies (/bin/mv, uname, which, hostname)

Distributed deployment, forwarder, deployment server issues

Date resolved Issue number Description
2019-01-17 SPL-163320, SPL-162350 Ingest-time log-to-metrics conversion of structured log data is broken for 7.2.x Universal Forwarders
2019-01-17 SPL-161045, SPL-141772 App deployment fails sporadically on Windows

Monitoring Console/DMC issues

Date resolved Issue number Description
2018-12-11 SPL-163189, SPL-161714 Saving edit to server roles in DMC configure view results in 409 Conflict error response code

Splunk Web and interface issues

Date resolved Issue number Description
2019-01-29 SPL-162846, SPL-164977 When Setting Language Via URL Some Fields Are Getting Renamed

Windows-specific issues

Date resolved Issue number Description
2018-12-19 SPL-164104, SPL-155540 Windows Inputs events are not being created when certain inputs are enabled (perfmon://Process)

Authentication and Authorization issues

For a list of security issues, please see the Security Advisory. A list of all recent advisories can be found in the Security Portal.

Date resolved Issue number Description
2019-01-17 SPL-164999, SPL-163411 LookupAccountName No mapping between account names and security IDs was done
2019-01-17 SPL-165089, SPL-154655 On a search-head, the messaging framework does not respect the proper role settings for messages emitted by search peers
2019-01-16 SPL-162604, SPL-160537 saml - "Did not find a saml session index for this session, maybe a local user" should be WARN
2019-01-16 SPL-164795, SPL-161438 Splunk Enterprise Windows 64 bit installer for 7.1.2 contains data in \etc\system\local\authentication.conf
2018-11-29 SPL-161628, SPL-145067 Exclude user "nobody" from LDAP searches to prevent skipped searches.
2018-11-09 SPL-162484, SPL-159552 SAML - "role" not parsing comma separated list

Admin and CLI issues

Date resolved Issue number Description
2019-02-05 SPL-163669 In cloud indexes manager page, "Max size column" and "Max Size of Entire Index" input fields need to be removed
2019-01-17 SPL-163320, SPL-162350 Ingest-time log-to-metrics conversion of structured log data is broken for 7.2.x Universal Forwarders
2019-01-15 SPL-164561, SPL-160864 Excessive logging of external scheme definitions by SpecFiles
2018-11-21 SPL-163100, SPL-154372 Shared embedded report is not loading when admin is logged in

Uncategorized issues

Date resolved Issue number Description
2019-01-28 SPL-162969, SPL-165614, SPL-164661 Splunk upgrade failures from pre 7.2 to 7.2.X due to kv store migration issues
2019-01-17 SPL-164976, SPL-164862 After migration, Splunk Cloud customer seeing unexpected large increase in outbound network bandwidth from forwarders
2019-01-17 SPL-165011, SPL-165008 MaxMind GeoIP DB needs to be updated for Jan 2019
2019-01-16 SPL-164531, SPL-160841 Received fatal signal 11 (SEGV) on TailWatcher on Heavy Forwarders RegexExtractionProcessor race condition
2019-01-15 SPL-164266, SPL-158199 when merging tsidx files, splunk optimize failed to open temporary manifest file due to file name collision cause by race condition
2019-01-14 SPL-164725, SPL-159813 Post 6.6 / 7.0 upgrade, power user role cannot edit alert.expires from UI
2019-01-14 SPL-164842, SPL-162335 IdataDO_Collector.cpp void collect__summaries(): Assertion `paths.size() == 2' failed.
2019-01-09 SPL-164524, SPL-163224 Duplicated license error (72 hour grace period) shutting down search before 72 hours has passed.
2019-01-08 SPL-164252, SPL-163808 CIM Setup page is showing single line because of syntax error in underlying search
2019-01-04 SPL-163272, SPL-159337 Splunk UF crashing due to invalid EVENT_BREAKER
2019-01-03 SPL-163032, SPL-157014 Search results on a dashboard are given with system timezone instead of user timezone
2018-12-20 SPL-163552, SPL-157146 Diag with SPLUNK_DB set to drive name and \ results in improper format on Windows
2018-12-18 SPL-163474, SPL-158779 Indexer crash with thread: BatchSearch
2018-12-17 SPL-163953, SPL-160833 Seeing 500 internal server error when opening many manager pages
2018-12-14 SPL-163530, SPL-162247 After adding Tags Whitelist for Data Models, the newly added tags disappears when there is a change in the acceleration setting for the respective datamodel from the UI.
2018-12-14 SPL-163974, SPL-157230 conf-mutator.pid cleanup error during GUI initiated restart
2018-12-10 SPL-162971, SPL-154925 KVstore restore failure sometimes when having >1000 rows in the collection
2018-12-06 SPL-163475, SPL-161299 ES Search Head Captain Crash: 'it != _summary_inprogress.end()'
2018-12-06 SPL-163621, SPL-158665 Token inside HTML element is not localized
2018-12-04 SPL-163279, SPL-159553 Despite no-enforcement license is in placed, the customer is still getting license violation errors for some of the indexers in a cluster
2018-12-04 SPL-163298, SPL-162714 HEC: Source is not logged when invalid token is used
2018-12-03 SPL-162282, SPL-157891, SPL-163562 Unable to open bucket as bucket is stuck in stale state
2018-11-20 SPL-162980, SPL-152828 Splunk does not start as specified user on boot on MacOS
2018-11-13 SPL-162469, SPL-163577, SPL-162764 After upgrade to 7.2 Splunk is unable to start - KVStoreConfigurationThread crash
2018-11-08 SPL-159413, SPL-162105, SPL-163566, SPL-162723, SPL-162670, SPL-162676, SPL-162724 "Failed to localize" due to "ERROR CacheManagerHandler"..."not an owner"..."and the bucket is draining"
2018-11-02 SPL-159203, SPL-159254, SPL-163561 splunk_archiver app is included in the Splunk Cloud package in error, needs to be excluded at packaging time
PREVIOUS
Linux kernel memory overcommitting and Splunk crashes
  NEXT
Deprecated features

This documentation applies to the following versions of Splunk® Enterprise: 7.2.4


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters