Fixed issues
Splunk Enterprise 7.2.4.2
This release addresses an issue that might impact data durability under certain rare cluster conditions. The issue is triggered when there is a confluence of data replication errors from index clustering as well as an upload to the Splunk object store medium (SmartStore) via secondary or tertiary replication nodes.
While the incidence of the condition is rare and the impact is negligible, we recommend that customers that are currently using SmartStore in a clustered production environment upgrade to version 7.2.4.2 and set max_replication_errors in server.conf to 20.
The upcoming Splunk Enterprise 7.2.5 release will also contain the fixes, but will not require you to set max_replication_errors to 20.
If you are an on-premises customer using both SmartStore and Indexer Clustering and have questions regarding this upgrade, please open a support case via the support portal with the subject 7.2.4.2 upgrade questions.
Splunk Cloud customers will be upgraded as part of Splunk Cloud standard operations.
Splunk Enterprise 7.2.4
Splunk Enterprise 7.2.4 was released on February 7, 2019. This release includes fixes for the following issues.
Issues are listed in all relevant sections. Some issues might appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.
Authentication and authorization issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-17 |
SPL-164999, SPL-163411 |
LookupAccountName No mapping between account names and security IDs was done
|
| 2019-01-17 |
SPL-165089, SPL-154655 |
On a search-head, the messaging framework does not filter BBM based on the roles & capabilities settings for messages emitted by search peers
|
| 2019-01-16 |
SPL-162604, SPL-160537 |
saml - "Did not find a saml session index for this session, maybe a local user" should be WARN
|
| 2019-01-16 |
SPL-164795, SPL-161438 |
Splunk Enterprise Windows 64 bit installer for 7.1.2 contains data in \etc\system\local\authentication.conf
|
| 2018-11-29 |
SPL-161628, SPL-145067 |
Exclude user "nobody" from LDAP searches to prevent skipped searches.
|
| 2018-11-09 |
SPL-162484, SPL-159552 |
SAML - "role" not parsing comma separated list
|
Data input issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-15 |
SPL-162868, SPL-153132 |
Creating every process as a Daemon by process-runner causing D state for process runner.
|
| 2018-12-04 |
SPL-163298, SPL-162714 |
HEC: Source is not logged when invalid token is used
|
Search issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-29 |
SPL-162846, SPL-164977 |
When Setting Language Via URL Some Fields Are Getting Renamed
|
| 2019-01-24 |
SPL-165363, SPL-164718 |
"phased_execution_mode = singlethreaded" causes issue with field ordering
|
| 2019-01-17 |
SPL-162567, SPL-162308 |
Severe performance degradation with batch mode searches over large numbers of buckets
|
| 2019-01-16 |
SPL-162166, SPL-162548 |
splunkd: /opt/splunk/src/search/processors/lookup/IndexedCsvDataProvider.cpp:165: virtual void IndexedCsvDataProvider::lookupBatch(UnpackedResults&, const SearchResultsInfo&, const LookupDefinition&): Assertion `!_parse_only' failed.
|
| 2019-01-16 |
SPL-163624, SPL-162341 |
Artifacts are not being reaped in a timely manner causing searches to be queued
|
| 2019-01-04 |
SPL-164146, SPL-163825 |
Search process management may fail on race conditions resulting in spurious status as in SPL-152541.
|
| 2019-01-03 |
SPL-164427, SPL-162377 |
220 crashes over 12 days Thread: searchOrchestrator
|
| 2018-12-19 |
SPL-163425, SPL-152541 |
/search/jobs/*/control endpoint is responding 404 Unknown sid for executing search jobs
|
| 2018-12-18 |
SPL-163888, SPL-162433 |
Precision may be truncated in accum, addtotals, addcoltotals commands based on event ordering
|
| 2018-12-14 |
SPL-163831 |
Duplicate field defined in |table or |fields command causes incorrect data to be assigned to a field in the Statistics tab
|
| 2018-12-06 |
SPL-163454, SPL-163319 |
forceCsvResults parameter is improperly added to summary indexed data
|
| 2018-12-04 |
SPL-161649, SPL-138177 |
Workflow action menu stops rendering when using invalid special parameter tokens
|
| 2018-12-03 |
SPL-163063, SPL-159979 |
Crashing Thread: TcpChannelThread - Post process search using stats fields with null crashes Splunk
|
| 2018-12-03 |
SPL-162448, SPL-154678, SPL-163564 |
|metadata search error - Failed to apply deletes to some metadata
|
| 2018-11-07 |
SPL-160506, SPL-158401 |
Search with a FullFilePath containing \\ produce less events than with * and less over a longer period
|
| 2018-11-07 |
SPL-162599, SPL-159002 |
Search process crashing - thread: phase_1 - Segmentation fault in LookupTable::applyLookup
|
Saved search, alerting, scheduling, and job management issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-15 |
SPL-164182, SPL-164480 |
per_result_alert mode and disable suppress cause missing results.srs.gz in 7.2+
|
| 2019-01-15 |
SPL-164489, SPL-157118 |
invisible datamodels /data/models/._*.json files are causing the manager to fail finding the datamodel definition
|
| 2019-01-09 |
SPL-163315, SPL-163882 |
Alert action not being fired with permission denied on reading search results after upgrade to 7.2.1
|
| 2018-12-06 |
SPL-163454, SPL-163319 |
forceCsvResults parameter is improperly added to summary indexed data
|
Charting, reporting, and visualization issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-17 |
SPL-162567, SPL-162308 |
Severe performance degradation with batch mode searches over large numbers of buckets
|
| 2019-01-15 |
SPL-164721, SPL-154054 |
Dashboard Editor in de-DE locale CSS error in Format visualization modal for Stats Table/Line/Bar Charts
|
| 2018-12-06 |
SPL-163622, SPL-157994 |
HTML content inside dashboard XML can't be localized
|
| 2018-12-04 |
SPL-161649, SPL-138177 |
Workflow action menu stops rendering when using invalid special parameter tokens
|
Data model and pivot issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-15 |
SPL-164489, SPL-157118 |
invisible datamodels /data/models/._*.json files are causing the manager to fail finding the datamodel definition
|
Indexer and indexer clustering issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-14 |
SPL-162802, SPL-161301 |
For a multisite cluster, splunk is not reaping prior search-buckets manifests after new generation
|
| 2019-01-07 |
SPL-164157, SPL-162733 |
Rolling-restart fails on some search heads or indexers
|
| 2018-12-19 |
SPL-162309, SPL-156164 |
Shutdown sequence does not begin after master has instructed peer to restart during rolling restart phase of a bundle push
|
Distributed search and search head clustering issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-17 |
SPL-164732, SPL-164011 |
SHC: when captain node is in AutomaticDetention status, all alerts (scheduled searches) appear to have stopped as well.
|
| 2019-01-10 |
SPL-164476, SPL-141869 |
App bundle push issued from SHC app deployer extremely slow
|
| 2019-01-07 |
SPL-164157, SPL-162733 |
Rolling-restart fails on some search heads or indexers
|
| 2019-01-04 |
SPL-163883, SPL-163216 |
Bundle replication from search head not using SNI with https connection
|
| 2019-01-03 |
SPL-164272, SPL-164134 |
Search performance degrading over time
|
| 2018-12-05 |
SPL-163487, SPL-162318 |
DispatchReaper fails to reap artifacts from fill_summary_index.py in SH Cluster
|
Universal forwarder issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-02 |
SPL-164282, SPL-156799 |
Forwarder fails to restart when disableDefaultPort=true but port is being used
|
| 2018-12-19 |
SPL-163080, SPL-161891 |
RPM dependencies (/bin/mv, uname, which, hostname)
|
Distributed deployment, forwarder, deployment server issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-17 |
SPL-163320, SPL-162350 |
Ingest-time log-to-metrics conversion of structured log data is broken for 7.2.x Universal Forwarders
|
| 2019-01-17 |
SPL-161045, SPL-141772 |
App deployment fails sporadically on Windows
|
Monitoring Console issues
| Date resolved
|
Issue number
|
Description
|
| 2018-12-11 |
SPL-163189, SPL-161714 |
Saving edit to server roles in DMC configure view results in 409 Conflict error response code
|
Splunk Web and interface issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-29 |
SPL-162846, SPL-164977 |
When Setting Language Via URL Some Fields Are Getting Renamed
|
Windows-specific issues
| Date resolved
|
Issue number
|
Description
|
| 2018-12-19 |
SPL-164104, SPL-155540 |
Windows Inputs events are not being created when certain inputs are enabled (perfmon://Process)
|
Admin and CLI issues
| Date resolved
|
Issue number
|
Description
|
| 2019-02-05 |
SPL-163669 |
In cloud indexes manager page, "Max size column" and "Max Size of Entire Index" input fields need to be removed
|
| 2019-01-17 |
SPL-163320, SPL-162350 |
Ingest-time log-to-metrics conversion of structured log data is broken for 7.2.x Universal Forwarders
|
| 2019-01-15 |
SPL-164561, SPL-160864 |
Excessive logging of external scheme definitions by SpecFiles
|
| 2018-11-21 |
SPL-163100, SPL-154372 |
Shared embedded report is not loading when admin is logged in
|
Uncategorized issues
| Date resolved
|
Issue number
|
Description
|
| 2019-01-28 |
SPL-162969, SPL-165614, SPL-164661 |
Splunk upgrade failures from pre 7.2 to 7.2.X due to kv store migration issues
|
| 2019-01-17 |
SPL-164976, SPL-164862 |
After migration, Splunk Cloud customer seeing unexpected large increase in outbound network bandwidth from forwarders
|
| 2019-01-17 |
SPL-165011, SPL-165008 |
MaxMind GeoIP DB needs to be updated for Jan 2019
|
| 2019-01-16 |
SPL-164531, SPL-160841 |
Received fatal signal 11 (SEGV) on TailWatcher on Heavy Forwarders RegexExtractionProcessor race condition
|
| 2019-01-15 |
SPL-164266, SPL-158199 |
when merging tsidx files, splunk optimize failed to open temporary manifest file due to file name collision cause by race condition
|
| 2019-01-14 |
SPL-164725, SPL-159813 |
Post 6.6 / 7.0 upgrade, power user role cannot edit alert.expires from UI
|
| 2019-01-14 |
SPL-164842, SPL-162335 |
IdataDO_Collector.cpp void collect__summaries(): Assertion `paths.size() == 2' failed.
|
| 2019-01-09 |
SPL-164524, SPL-163224 |
Duplicated license error (72 hour grace period) shutting down search before 72 hours has passed.
|
| 2019-01-08 |
SPL-164252, SPL-163808 |
CIM Setup page is showing single line because of syntax error in underlying search
|
| 2019-01-04 |
SPL-163272, SPL-159337 |
Splunk UF crashing due to invalid EVENT_BREAKER
|
| 2019-01-03 |
SPL-163032, SPL-157014 |
Search results on a dashboard are given with system timezone instead of user timezone
|
| 2018-12-20 |
SPL-163552, SPL-157146 |
Diag with SPLUNK_DB set to drive name and \ results in improper format on Windows
|
| 2018-12-18 |
SPL-163474, SPL-158779 |
Indexer crash with thread: BatchSearch
|
| 2018-12-17 |
SPL-163953, SPL-160833 |
Seeing 500 internal server error when opening many manager pages
|
| 2018-12-14 |
SPL-163530, SPL-162247 |
After adding Tags Whitelist for Data Models, the newly added tags disappears when there is a change in the acceleration setting for the respective datamodel from the UI.
|
| 2018-12-14 |
SPL-163974, SPL-157230 |
conf-mutator.pid cleanup error during GUI initiated restart
|
| 2018-12-10 |
SPL-162971, SPL-154925 |
KVstore restore failure sometimes when having >1000 rows in the collection
|
| 2018-12-06 |
SPL-163475, SPL-161299 |
ES Search Head Captain Crash: 'it != _summary_inprogress.end()'
|
| 2018-12-06 |
SPL-163621, SPL-158665 |
Token inside HTML element is not localized
|
| 2018-12-04 |
SPL-163279, SPL-159553 |
Despite no-enforcement license is in placed, the customer is still getting license violation errors for some of the indexers in a cluster
|
| 2018-12-03 |
SPL-162282, SPL-157891, SPL-163562 |
Unable to open bucket as bucket is stuck in stale state
|
| 2018-11-20 |
SPL-162980, SPL-152828 |
Splunk does not start as specified user on boot on MacOS
|
| 2018-11-13 |
SPL-162469, SPL-163577, SPL-162764 |
After upgrade to 7.2 Splunk is unable to start - KVStoreConfigurationThread crash
|
| 2018-11-08 |
SPL-159413, SPL-162105, SPL-162723, SPL-163566, SPL-162670, SPL-162676, SPL-162724 |
"Failed to localize" due to "ERROR CacheManagerHandler"..."not an owner"..."and the bucket is draining"
|
| 2018-11-02 |
SPL-159203, SPL-159254, SPL-163561 |
splunk_archiver app is included in the Splunk Cloud package in error, needs to be excluded at packaging time
|
Download manual
Feedback submitted, thanks!