Known issues
The following are issues and workarounds for this version of Splunk Enterprise.
Issues are listed in all relevant sections. Some issues appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.
Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.
For a list of deprecated features and platforms, refer to Deprecated features in this manual.
Upgrade issues
Date filed | Issue number | Description |
---|---|---|
2018-04-13 | SPL-153403 | After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user." Workaround: Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk [user_info] |
2017-05-23 | SPL-141961 | Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port. Workaround: This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions: Upgrade your older instances to the latest maintenance releases or, on your 6.6.x Splunk instances, add the following stanza to server.conf: [sslConfig] |
2017-03-20 | SPL-139019 | Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites Workaround: Users can do any of the following: 1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX: [sslConfig] 2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully. 3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc.). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites. |
2017-03-13 | SPL-138647 | Possible compatibility issues between new 6.6 and later default sslVersions, cipherSuites and external services, e.g. e-mail, LDAP Workaround: If security is not a significant concern, simply revert to the 6.5.x SSL/TLS defaults, e.g. for e-mail, add to $SPLUNK_HOME/etc/system/local/alert_actions.conf [email] TLS_PROTOCOL_MIN 3.1 The example below is for a Postfix SMTP server: eserv@indexer01:~$ splunk cmd openssl s_client -connect smtp-server01:465 | awk '/Protocol/ || /Cipher/ || /Verify/' Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Verify return code: 19 (self signed certificate in certificate chain) 2. Check the OpenSSL output for Protocol and Cipher. In the example above, Protocol = TLSv1 and Cipher = DHE-RSA-AES256-SHA 3. Update Splunk's relevant sslVersions and/or cipherSuite. In the example above, sslVersions should be set to tls (allows TLSv1, TLSv1.1, TLSv1.2) and DHE-RSA-AES256-SHA should be appended to the end of the default cipherSuites definition, e.g. add to $SPLUNK_HOME/etc/system/local/alert_actions.conf: [email] |
2014-08-20 | SPL-89640 | When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts Workaround: Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise. |
2013-08-19 | SPL-73386 | Users are not allowed to run historical scheduled search Workaround: 1. Create a special power/admin user who can run scheduled searches. 2. Assign this user ownership of the scheduled searches. 3. Share the searches at the app level and grant read/write permission to the correct set of users. |
Data input issues
Date filed | Issue number | Description |
---|---|---|
2021-03-21 | SPL-202725 | sslServerHandshakeTimeout only applies to port 8089 where it should apply to all http server ports |
2019-11-04 | SPL-178915, SPL-171961 | The datetime.xml timestamp recognition file does not recognize two-year dates after 2019 or Unix epoch-time seconds higher than 1599999999 (12:26:39 UTC 13 Sep 2020) |
2015-11-12 | SPL-109362 | When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage |
2015-05-22 | SPL-101981 | Field extractions do not work when sourcetypes use quotes in the Getting Data In interface. |
2015-03-17 | SPL-98163 | INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL Workaround: Create a separate extraction in props.conf where defined w3c extraction method: EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++) |
Search issues
Date filed | Issue number | Description |
---|---|---|
2020-09-01 | SPL-194461, SPL-194199 | |fieldformat in |foreach statement doesn't work Workaround: Either use eval or fieldformat outside of foreach. Instead of ... | foreach field [| eval "<<FIELD>>"=... ] use something like this: ... | fieldformat "field"=... |
2020-08-04 | SPL-193144, SPL-191605 | fields command being run before streamstats in search causing incorrect results |
2020-04-21 | SPL-186669, SPL-180741 | Clarification of expected behavior with subsearch |
2020-04-21 | SPL-186668, SPL-180741 | Clarification of expected behavior with subsearch |
2020-04-07 | SPL-185956, SPL-186131 | replace_table_with_fields optimizer doesn't guarantee field order for searches where this matters, for example: <non-transforming search> | table | transpose Workaround: Add this to the search if field ordering for the first table command matters: | noop search_optimization.replace_table_with_fields=f Or, if you can restructure the search so that a transforming command comes first: index=_internal | stats latest(_time) AS _time BY host index | table host _time index | transpose 2 Or run the search in VERBOSE mode. |
2020-03-06 | SPL-184463, SPL-184961 | Multiple timezone indexer cluster - timechart span=1d snaps to multiple hours Workaround: Use "span=24h" instead of "span=1d" On the search head, set limits.conf: [search] phased_execution_mode = singlethreaded On the search head, set user preference timezone to non-default one |
2020-03-05 | SPL-184348, SPL-184601, SPL-185393, SPL-185394 | Splunk returns no results after adding field extractions without capturing group in REGEX when using FORMAT field::value Workaround: Add a capturing group to the REGEX. REGEX = (.) Example of configuration that would show this issue: props.conf: [splunkd] REPORT-Whatever = this-breaks-searching and transforms.conf: [this-breaks-searching] REGEX = . FORMAT = myfield::myvalue |
2020-02-21 | SPL-183749, SPL-181801 | | delete command may generate unnecessary errors when SmartStore cache is under pressure |
2020-02-12 | SPL-183259 | When generating LISPY for field values that are numbers (""), the values aren't deduplicated, which can cause slowdowns in certain scenarios Workaround: Dedup values in search before, for example: instead of index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId] add a stats or dedup in the subsearch: index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ] If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example: index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ] |
2020-02-05 | SPL-182842 | Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map Workaround: Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats |
2020-01-30 | SPL-182511, SPL-183265 | split() on an empty string results in typeof(field) = Invalid and a "| mvexpand" will then not return that event Workaround: For searches that look like this: | makeresults | eval a="" | eval a=split(a,"z"), b="junk" | foreach * [| eval typeof_<<FIELD>>=typeof(<<FIELD>>)] | mvexpand a Add an eval before mvexpand to handle this, for example: ... | eval a=if(tostring(typeof(a))="Invalid","",a) | mvexpand a |
2020-01-21 | SPL-181973 | Predict command visualization is broken when the time series starts with empty fields Workaround: Make sure that there are no leading null values for the field you're predicting: Pick a time range that is known to start with values if possible. If you're using timechart: Add fixedrange=f to the timechart SPL. If not, something like this might help: ... | trendline sma5(count) as smooth_count | streamstats max(eval(if(isnotnull(smooth_count),1,null()))) AS flag | where flag=1 | fields - flag | predict smooth_count or something simpler with fillnull: ... | fillnull smooth_count | predict smooth_count However, this will impact the prediction, because no data isn't the same as 0 |
2020-01-10 | SPL-181573 | geostats provides incorrect results for lower zoom levels when split BY has a higher cardinality than globallimit. Workaround: - Increase globallimit to the value of "unique values" number mentioned in the warning message: "The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count." - Use very high globallimit in geostats and post process after if needed - Don't use BY in geostats - Use lower cardinality BY and/or higher globallimit in geostats |
2020-01-09 | SPL-181525, SPL-182404, SPL-182841, SPL-182843 | Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map Workaround: Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats |
2020-01-06 | SPL-181381, SPL-168867 | Deleted fields such as _confstr (source::|host::|sourcetype) occasionally resurface with a different field name |
2019-12-18 | SPL-181153, SPL-177255 | Searching for lookup default_match value includes default_match value in lispy Workaround: For each lookup field <FIELD> that's causing issues, add to fields.conf: [<FIELD>] INDEXED_VALUE=false |
2019-11-15 | SPL-179745, SPL-177665 | (7.2.x) - tstats where clause does not filter as expected |
2019-11-15 | SPL-179746, SPL-177665 | (7.3.x) - tstats where clause does not filter as expected when structured like "WHERE * NOT (field1=foo AND field2=bar)" |
2019-11-14 | SPL-179594, SPL-177665 | tstats where clause does not filter as expected when structured like "WHERE * NOT (field1=foo AND field2=bar)" |
2019-11-12 | SPL-179452, SPL-177399 | Search on indexers crashes in reverse_lookup when working with kvstore lookup (use_lookups_v2=false) |
2019-10-23 | SPL-178302, SPL-176333 | Lookups may return incorrect results due to internal caching Workaround: Add allow_caching=f to the lookup command: | lookup <name> allow_caching=f ... On 7.3+: Add allow_caching=f to the lookup definition on the search head transforms.conf: [<lookup name>] allow_caching = f To check if you might be running into this issue, enable debug on the search in question by adding: | noop log_DEBUG=CachedProvider If you have hits for the cached lookup, like in the sample log below, you can hit this issue. DEBUG CachedProvider - Cached provider metrics: lookup=<lookup name> hits=67064 misses=321 total=67385 |
2019-10-10 | SPL-177844, SPL-177971, SPL-178245, SPL-178625 | "tostring" function doesn't add a leading zero when using the duration format in 7.2.x Workaround: | makeresults | eval duration1=5, duration2=5.0, duration3=10.0, duration1_str=tostring(duration1, "duration"), duration2_str=tostring(duration2, "duration"), duration3_str=tostring(duration3, "duration") | fieldformat duration1=tostring(duration1, "duration") | fieldformat duration2=tostring(duration2, "duration") | fieldformat duration3=tostring(duration3, "duration") | rex field=duration2_str mode=sed "s/:(\\d)\\./:0\\1./" `comment("bug in Splunk 7.2.6 duration formatting")` |
2019-10-08 | SPL-177675, SPL-180073, SPL-180267, SPL-180268 | Crash in BucketSummaryActorThread for a specific summary directory, persists after removing |
2019-09-24 | SPL-176990 | A predicate filter in the search is ignored when the field in the filter is not extracted from _raw Workaround: Add to limits.conf on the SH: [search] phased_execution_mode = singlethreaded This would be seen for filters on fields extracted from fields other than _raw, or on calculated fields, for example. You will see an extra OR ... clause in the litsearch if you check the search.log |
2019-09-16 | SPL-176557, SPL-173492 | Scheduled saved searches are delayed significantly as the number of subsearches increases |
2019-08-01 | SPL-174221, SPL-173445 | rest query that contains a NOT no longer works in 7.3.0 but worked in 7.2.5.1. Workaround: Add to limits.conf on the SH: [search] phased_execution_mode = singlethreaded |
2019-07-29 | SPL-174005, SPL-182156, SPL-175325 | Search crashes on indexer in ChunkedCSVLineReader::initReader due to empty kvstore lookup folder in the bundle Workaround: Two options: 1) disable kvstore collection replication to the indexers (changes on the SH side): in collections.conf under collections stanza set replicate=false 2) enable old lookups code (changes on the Indexers side): in limits.conf set the following: [lookup] use_lookups_v2 = false |
2019-07-26 | SPL-173895, SPL-173452 | search time increases exponentially or factorially with number of subsearches |
2019-07-25 | SPL-173781 | Transaction command not merging common values in multivalue fields after 7.2 Workaround: From 7.2 onward when events with multivalue fields used for a transaction don't overlap completely, they are considered to be different transactions. | makeresults | eval foo="a,b,c" | append [ makeresults | eval foo="c,d,e" ] | eval foo=split(foo,",") | transaction foo connected=f |
2019-07-08 | SPL-172836, SPL-171270 | dedup's sortby not working as expected when using head/transaction |
2019-07-01 | SPL-172676, SPL-169114 | LookupDataProvider warning correction in splunkd.log (with ES installed) |
2019-06-28 | SPL-172639, SPL-172773 | trim command throws error and truncates return when concatenating empty field to a number |
2019-05-28 | SPL-171188, SPL-168859 | Transforming commands do not include the base fields when performing a search in SMART mode, resulting in required fields not being included |
2019-05-23 | SPL-170987 | WARN SearchAssistant - recurseSyntax: Stanza entry not found for data-type |
2019-05-21 | SPL-170761, SPL-166901 | Search intermittently hangs when using custom python command and chunked protocol on Windows |
2019-04-05 | SPL-168797, SPL-166413 | info_max/min_time provides incorrect values when search is real time. |
2019-02-05 | SPL-166001 | 16MB+ events are not displayed on the search results, but they will be listed on the fields sidebar and in the timeline. search.log message: "SRSSerializer - max str len exceeded - probably corrupt" Workaround: Make sure fields are under 16777216 characters (or 16MB, usually _raw is the biggest) OR Revert back to the old serialization format (CSV), however, this applies to all searches, so you won't be getting the (performance) benefits of the new format. $SPLUNK_HOME/etc/system/local/limits.conf: [search] results_serial_format=csv |
2018-12-18 | SPL-164107, SPL-169524 | the mstats rate(x) function does not work with wildcards in the enhanced syntax Workaround: The rate(x) function is designed to be applied to a single counter metric. Use an explicit projection field name or use "_value" syntax with wildcard and group by. |
2017-10-15 | SPL-145694 | Delta command does not calculate correctly for some mixed integer and float values Workaround: An equivalent SPL command is the following | streamstats window=2 last(metric) as curr, first(metric) as prev | eval delta_ = curr-prev |
2017-08-23 | SPL-144350 | Archived Index is created without error when the splunk index is invalid |
2017-07-13 | SPL-143111 | "Splunkd daemon is not responding" when edit local windows event log collection |
2017-04-04 | SPL-140765 | Splunk having problems extracting json file consisting of 68k plus key-value pairs |
2016-11-29 | SPL-133182 | When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead. |
2015-08-10 | SPL-105061, SOLNESS-7274 | Broken module prevents splunkweb from starting |
2015-06-17 | SPL-103247 | Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted. |
2015-04-23 | SPL-100170 | Automatic Lookups limitation: No results returned in Smart Mode when there are nested lookups and the intermediate field is not mentioned in the search. |
2014-12-22 | SPL-94910 | The replace function does not apply to fields names with an underscore in them. Workaround: Rename the fields before the replace. ... | rename *_* AS *-* | replace "something" by "somethingelse" |
2014-11-13 | SPL-93039 | The relevancy search command does not work, always returning 0 or -inf. |
2014-10-02 | SPL-91638, SPL-107375 | For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member. |
2014-09-15 | SPL-90861, SPL-90396, SPL-90886 | If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log. |
2014-04-16 | SPL-83129 | Eval function strptime does not return results when 1970 date is used. |
2014-04-04 | SPL-82650 | A report created and scheduled by admin cannot be embedded by a power user. |
2014-03-27 | SPL-82357 | The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems. |
2014-03-15 | SPL-81934 | For clusters, may be unable to open search results output file for search results in a cluster. Workaround: Write to a temp file and rename to the target file. |
2014-02-21 | SPL-80942 | Flashtimeline: 500 Internal Server Error when pasting long URL into panel name. |
2013-12-18 | SPL-78179 | REST /saved/searches App names with special characters have invalid links. |
2013-08-19 | SPL-73386 | Users are not allowed to run historical scheduled search Workaround: 1. Create a special power/admin user who can run scheduled searches. 2. Assign this user ownership of the scheduled searches. 3. Share the searches at the app level and grant read/write permission to the correct set of users. |
Saved search, alerting, scheduling, and job management issues
Date filed | Issue number | Description |
---|---|---|
2020-03-23 | SPL-185213, SPL-178252 | DMA consuming much more RAM after upgrade to 7.X |
2020-03-23 | SPL-185212, SPL-178252 | DMA consuming much more RAM after upgrade 7.X |
2019-11-20 | SPL-179987, SPL-178839 | datamodels.conf does not respect stanza |
2019-11-20 | SPL-179988, SPL-178839 | datamodels.conf does not respect stanza |
2019-10-04 | SPL-177527, SPL-162249 | The filter function of <splunk-search-dropdown> UI component is not working on Splunk Enterprise 7.1 and later. |
2019-09-16 | SPL-176557, SPL-173492 | Scheduled saved searches are delayed significantly as the number of subsearches increases |
2019-09-15 | SPL-176477, SPL-177264, SPL-177933 | action.email.pdf.logo_path in savedsearches.conf doesn't work |
2019-08-23 | SPL-175380, SPL-175815, SPL-177312, SPL-177564 | When alert condition is not met, scheduled searches are deferred, leading to skip searches |
2019-07-21 | SPL-173502, SPL-173906, SPL-176216, SPL-176217, SPL-176218, SPL-178522 | Windows - Alert Triggered Time displays GMT despite Local Time set as AEST for Alert Owner in Preferences Workaround: Set TZ to Vladivostok, which is also GMT +10 |
2019-05-22 | SPL-170857, SPL-162249 | The filter function of <splunk-search-dropdown> UI component is not working on Splunk Enterprise 7.1 and later. |
2018-09-19 | SPL-160286 | The data preview for the Add Data workflow does not display for Log to Metrics source types |
2017-11-29 | SPL-146802 | Distributed environment requires index defined on search head for log event alerts |
2015-11-15 | SPL-109471 | For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain |
2015-04-09 | SPL-99421 | Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2 Workaround: Reduce length of name of the app and report acceleration searches will run properly within the context of the app. |
2014-08-15 | SPL-89332 | Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated. |
2014-08-05 | SPL-88396 | After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI Workaround: Create a server class, where you can see the client name, and use that group when you add data. |
2014-05-01 | SPL-83686 | Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. Workaround: The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status. |
2014-03-24 | SPL-82262, SPL-82241 | Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User. |
2014-03-20 | SPL-82164 | Migrating invalid data models from 6.0 to 6.x fails. |
2014-03-19 | SPL-82133 | Data model allows users to upload a JSON file which has Field names with spaces but will not validate it. |
2014-03-10 | SPL-81645 | Creating data model with root transaction name starting with root event name fails |
2014-03-10 | SPL-81637 | Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none". |
2013-11-26 | SPL-77054, SPL-77055 | Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot. |
Charting, reporting, and visualization issues
Date filed | Issue number | Description |
---|---|---|
2020-02-05 | SPL-182842 | Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map Workaround: Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats |
2020-01-23 | SPL-182114, SPL-179348 | autoLB not switching IDX when reaching frequency limit Workaround: Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching. DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware. |
2020-01-23 | SPL-182113, SPL-179348 | autoLB not switching IDX when reaching frequency limit Workaround: Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching. DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware. |
2020-01-09 | SPL-181525, SPL-182404, SPL-182841, SPL-182843 | Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map Workaround: Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats |
2019-12-19 | SPL-181194, SPL-179348 | autoLB not switching IDX when reaching frequency limit Workaround: Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching. DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware. |
2019-08-27 | SPL-175517, SPL-176861, SPL-178455 | fieldformat value in dashboard shows as epoch time until it is sorted Workaround: Sort the field; it then shows the expected time format. |
2019-02-26 | SPL-166952, SPL-164920 | Dashboard issue: Multiselect URL retains single value after Hide Filters selected |
2017-12-06 | SPL-147115 | Drilldown search fails when a timeformat is specified Workaround: Remove the timeformat specification from the drilldown search or manually remove the search from the URL and run it in a new window. |
2016-09-15 | SPL-128819, SPL-130243, SPL-130245 | Editing panel in dashboard removes charting.legend.masterlegend option Workaround: Use <option name="charting.legend.masterLegend">null</option> |
2016-04-27 | SPL-118911 | In SHC, referenced saved real-time searches in a dashboard do not stream results. Workaround: See Troubleshoot referenced real-time searches for workaround details. |
2015-02-23 | SPL-97193 | The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string. |
Distributed search and search head clustering issues
Date filed | Issue number | Description |
---|---|---|
2020-04-30 | SPL-188575, SPL-189105, SPL-189811, SPL-190621 | SHC scheduled dispatched the same scheduled-indextime-rt search 3 times - impact on ITSI |
2019-12-17 | SPL-181067, SPL-177889 | Events found but not displayed, eventstats some events been ignored occasionally |
2019-12-17 | SPL-181031, SPL-181151, SPL-181498 | | metasearch + BatchMode order of magnitude slower than 7.2 Workaround: 1. Convert search to a tstats search instead: 2. On the SH, don't allow batch mode through limits.conf: |
2019-11-11 | SPL-179351 | loadjob fails when loading a job using savedsearch name - for specific regexes used in search string |
2019-10-15 | SPL-178002, SPL-175778 | When pushing apps from the deployer to search head cluster members using 'full' mode, existing configurations in app default folders cannot be removed by redeploying the app |
2019-10-15 | SPL-178003, SPL-175778 | When pushing apps from the deployer to search head cluster members using 'full' mode, existing configurations in app default folders cannot be removed by redeploying the app |
2019-09-30 | SPL-177270 | Errors when accelerating saved searches that have variable component |
2019-09-05 | SPL-175964, SPL-178004, SPL-178005 | README folders for some apps get deleted on captain during push from deployer to SHC |
2019-08-22 | SPL-175304, SPL-171401 | KVstore out of Sync In Two Out Of Nine SHs |
2019-08-13 | SPL-174856, SPL-178008, SPL-178009 | Out-of-sync issues can occur when using full or local_only push modes to push configurations from the deployer to the search head cluster Workaround: In full and local_only push modes, the deployer pushes configurations residing in $SPLUNK_HOME/etc/shcluster/apps/<app-name>/local directories to the captain, which then replicates them to the other members. During this process, the captain uses a whitelist to determine which configurations to replicate to members. The whitelist excludes certain configuration files, such as server.conf, limits.conf, and indexes.conf. Therefore, if the app local directories on the deployer contain such files, when you push them via full or local_only modes, the captain receives and applies those configurations to its own configuration directories but does not then replicate them to the other members, creating an out-of-sync situation. To avoid this situation, either use the merge_to_default push mode or inspect the deployer's set of app local directories and ensure that they contain only whitelisted files. For details on the configuration replication whitelist, see "Configuration updates that the cluster replicates" in the Distributed Search manual. For details on how the push mode determines the way that the deployer pushes configurations, see "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual. |
2019-08-06 | SPL-174495, SPL-174883, SPL-180980 | One of SHC members has been stuck at 'Restarting' during rolling restart for bundle push from deployer. |
2019-07-11 | SPL-173029, SPL-184166, SPL-184164, SPL-184165 | KV store backup/restore - large collection hangs at "Busy" status when trying to restore from a backup Workaround: Restore from the full kvstore folder backup, if available. Contact support for an alternative script to restore backup (restorekv.py) |
2019-07-02 | SPL-172712, SPL-172804 | Deployer cannot deploy when conf_deploy_repository is set to a non-default value in 7.3.0. "Cannot find preservation mode for non-existent app" |
2019-04-10 | SPL-169046, SPL-170862, SPL-171283, SPL-171341, SPL-171367 | In SHC, several copies of the same scheduled index-time realtime search are running on distinct SHC instances - impacting ITSI itsi_event_grouping Workaround: The following is a workaround that has been used by one customer to temporarily get back to 1 itsi_event_grouping running: IMPORTANT: Follow these steps explicitly: Connect to each search head and find the java processes (ps -ef | grep java) |
2019-03-13 | SPL-167652 | SHC-Repl: Enterprise Security app enabling inputs.conf replication causes issue when adding new SHC member. |
2018-03-14 | SPL-152148 | KV store replication fails on the upgrade search head during SHC member-by-member upgrade. Workaround: To ensure there is no kvstore activity during upgrade, perform an offline upgrade as follows: |
2017-11-29 | SPL-146802 | Distributed environment requires index defined on search head for log event alerts |
2017-03-13 | SPL-138654 | Splunk searches fail when filepath gets too long on Windows |
2016-07-12 | SPL-124085 | On a search head cluster, it is not possible to remove an app from the SHs once it has been disabled. |
2015-11-15 | SPL-109471 | For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain |
2015-09-23 | SPL-106978 | Failed SHC captain election causes unnecessary change in server.conf |
2015-02-26 | SPL-97385 | $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files. Workaround: The allowable size of the download can be increased by setting the following in server.conf. [httpServer] max_content_length = 1500MB The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is: [Endpoint - Local Processes Tracker - Lookup Gen] |
2014-08-25 | SPL-90028 | Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact. |
2014-08-14 | SPL-89131 | In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save. |
2014-08-02 | SPL-88228 | When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however. |
Data model and pivot issues
Date filed | Issue number | Description |
---|---|---|
2020-03-23 | SPL-185212, SPL-178252 | DMA consuming much more RAM after upgrade 7.X |
2020-03-23 | SPL-185213, SPL-178252 | DMA consuming much more RAM after upgrade to 7.X |
2019-11-20 | SPL-179987, SPL-178839 | datamodels.conf does not respect stanza |
2019-11-20 | SPL-179988, SPL-178839 | datamodels.conf does not respect stanza |
2014-12-08 | SPL-94047, SPL-98628 | While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human-readable way, but are displayed with the epoch timestamp. It works when using _time as a 'Split Row' column. |
2014-05-01 | SPL-83686 | Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns. Workaround: The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status. |
2014-03-24 | SPL-82262, SPL-82241 | Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User. |
2014-03-20 | SPL-82164 | Migrating invalid data models from 6.0 to 6.x fails. |
2014-03-19 | SPL-82133 | Data model allows users to upload a JSON file which has Field names with spaces but will not validate it. |
2014-03-11 | SPL-81701 | Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once. |
2014-03-10 | SPL-81645 | Creating data model with root transaction name starting with root event name fails |
2014-03-07 | SPL-81538 | When using Pivot, stack mode is lost when "Scatter Chart" is selected. |
2013-11-26 | SPL-77054, SPL-77055 | Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot. |
Indexer and indexer clustering issues
Date filed | Issue number | Description |
---|---|---|
2020-04-30 | SPL-188562, SPL-189973, SPL-191346, SPL-191445 | Indexer crashes: Crashing thread: cachemanagerDownloadExecutorWorker-318 fails on assertion: `_groups_remaining > 0' |
2020-01-22 | SPL-182016, SPL-182086 | Cluster Peer rolling restart can cause unnecessary extra re-adds |
2019-06-12 | SPL-171893, SPL-173131 | SmartStore: After new index is enabled for remote store already migrated index take 20 hours to become searchable. Fixup reason: commit lone vote |
2019-03-13 | SPL-167708, SPL-170943, SPL-170937, SPL-170938 | Apply cluster bundle does not apply bundle to any indexers which are in progress of adding to cluster Workaround: restart affected indexer(s) |
2018-10-23 | SPL-161815 | Thawed buckets in an indexer cluster are sporadically unsearchable upon restart |
2017-03-16 | SPL-138846 | In multisite clustering, deletion of events in hot buckets is not pushed to other sites |
2016-08-25 | SPL-127353 | Data rebalance finishes early when one peer is the source for all buckets Workaround: when only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time |
2015-05-08 | SPL-101184 | Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer. |
2014-10-13 | SPL-91861 | On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>. |
2014-09-29 | SPL-91432 | On Windows when the master is down, the CLI command splunk offline hangs when run from one of the streaming target peers. |
2014-09-08 | SPL-90630 | On a multisite cluster, no warning is given when search head names are the same. |
2014-07-29 | SPL-87816 | When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza. Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing. |
2014-07-14 | SPL-86799 | After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb. |
2014-04-29 | SPL-83636 | When configuring a multi-site cluster using cluster-config, the error messages are incorrect if the SF/RF was previously set. |
2014-03-18 | SPL-82038 | Cluster-config does not work if a parameter value includes a space character. |
2014-03-17 | SPL-81955 | Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed. |
2014-01-06 | SPL-78688 | Peer is able to change to an invalid (empty) replication port |
2013-08-06 | SPL-72484 | You cannot use the CLI to delete an index with a capital letter in its name. |
Data Fabric Search issues
Date filed | Issue number | Description |
---|---|---|
2019-07-30 | SPL-174032 | Concurrent searches are not supported in non-clustered search head deployments if the search heads have a common Spark cluster. |
2019-03-11 | SPL-167574 | In federated searches, a DFS search may remain in the parsing stage if the remote job is in a queued status because the disk quota has been reached. Workaround: Perform the following actions on the remote deployment: |
2018-11-05 | SPL-162574 | The Share and Export buttons on the Jobs page of the remote deployment are not supported when the search is run from the federated provider as a remote job. |
Universal forwarder issues
Date filed | Issue number | Description |
---|---|---|
2021-04-23 | SPL-204658 | Centos/RedHat 8 - Splunk cannot be started with default systemd config (enable boot-start -systemd-managed 1) with systemctl: Job for Splunkd/SplunkForwarder.service failed because the control process exited with error code Workaround: Centos/Redhat 8 - update the ExecStartPost cgroup paths in the Splunkd/SplunkForwarder.service file, to point to the proper cgroup location. Change to: /sys/fs/cgroup/cpu/system.slice/%n /sys/fs/cgroup/memory/system.slice/%n From: /sys/fs/cgroup/cpu/init.scope/system.slice/%n /sys/fs/cgroup/memory/init.scope/system.slice/%n Example ExecStartPost settings in [service] stanza, after applying the change: ExecStartPost=/bin/bash -c "chown -R 2024:2024 /sys/fs/cgroup/cpu/system.slice/%n" ExecStartPost=/bin/bash -c "chown -R 2024:2024 /sys/fs/cgroup/memory/system.slice/%n" |
2019-12-11 | SPL-180846, SPL-167310 | Error in splunkd.log "splunk-perfmon - OutputHandler::composeOutput: Counter is not found: " |
2019-10-08 | SPL-177715, SPL-173094 | driver certificates for splknetdrv, splunkdrv, SplunkMonitorNoHandleDrv are all showing as not valid / expired in Windows UF |
2019-05-28 | SPL-171178, SPL-167307, SPL-202078 | Indexer Acknowledgement causes metric index events that do not have "_raw" fields to be duplicated Workaround: Indexer acknowledgement is a feature that helps prevent loss of data when forwarders send data to an indexer. Indexer acknowledgement is controlled by the Boolean useACK setting in inputs.conf and outputs.conf. Indexer acknowledgement uses the When this issue occurs, the workaround is to set |
2019-01-28 | SPL-165635, SPL-191773, SPL-189789 | splunk not reading file after log rotation |
2018-04-10 | SPL-153251 | Universal Forwarder txz package cannot be installed on FreeBSD 11.1 Workaround: 1. Use pkg install instead of pkg add OR 2. Install package by untarring tgz file to /opt/splunkforwarder |
2017-05-23 | SPL-141961 | Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port. Workaround: This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions: Upgrade your older instances to the latest maintenance releases or, on your 6.6.x Splunk instances, add the following stanza to server.conf: [sslConfig] |
2017-03-20 | SPL-139019 | Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites Workaround: Users can do any of the following: 1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX: [sslConfig] 2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully. 3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc.). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites. |
2017-03-14 | SPL-138731 | New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled Workaround: Users can do any of the following: 1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security. 2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk 3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/ |
2015-06-10 | SPL-103010 | Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets. |
2015-04-14 | SPL-99687, SPL-129637 | Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0. |
2015-04-07 | SPL-99316 | Universal Forwarders stop sending data repeatedly throughout the day Workaround: In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value. |
2015-03-25 | SPL-98594 | Routing events to two different groups not working as expected. Workaround: 1. On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups. 2. Set up a proxy UF which takes input from the original UF and sends it out to the syslog server. This solution only requires a config change; no patch release is required. |
2014-08-05 | SPL-88396 | After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI Workaround: Create a server class, where you can see the client name, and use that group when you add data. |
2013-09-18 | SPL-74427, SPL-74448 | The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors. Workaround: To work around this issue, create a splunk user on your system before attempting to run the installer. |
Distributed deployment, forwarder, deployment server issues
Date filed | Issue number | Description |
---|---|---|
2019-10-15 | SPL-178003, SPL-175778 | When pushing apps from the deployer to search head cluster members using 'full' mode, existing configurations in app default folders cannot be removed by redeploying the app |
2019-10-15 | SPL-178005, SPL-175964 | README folders for some apps get deleted on captain during push from deployer to SHC |
2014-10-02 | SPL-91648, SPL-91358 | Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server. |
2014-08-15 | SPL-89333 | Using client filtering in forwarder management interface when the deployment server is servicing a large number of deployment clients (over approximately 5000) can cause a temporary spike in memory usage. |
2014-06-20 | SPL-85739 | When running a high number of deployment clients for a server, memory growth may be excessive. Workaround: To mitigate this, set forceHttp10=always. |
Monitoring Console issues
Date filed | Issue number | Description |
---|---|---|
2019-10-13 | SPL-177926, SPL-176230 | HealthReporter threads deadlock resulting in stuck _reload, blocked ingestion, eventually causing a crash Workaround: You can work around the problem by setting the config full_health_log_interval to a very high value (default being 30s). In etc/system/local/health.conf: [health_reporter] full_health_log_interval = 1000000 |
2018-10-10 | SPL-161159, SPL-171211, SPL-174926, SPL-175193 | DMC/MC (UI) - KV Store -> Instance -> 'Average Replication Lag' is removed. The user will no longer be able to see 'Average Replication Lag' for each instance. |
2017-08-18 | SPL-144193 | Bundle validation errors prevent future app deployment to indexer cluster |
2017-08-14 | SPL-143981 | Uninstall app dialog does not show the app name correctly when the app doesn't have the label |
2017-08-04 | SPL-143664 | Uploaded apps page makes two calls to packages endpoint |
2017-05-24 | SPL-141982 | Upload modal should use size=large File element |
2017-04-19 | SPL-141274 | Clicking Install multiple times in Install dialog causes error |
2017-04-19 | SPL-141273 | Task endpoint fetch once even when there's no last deploy task id |
2017-03-30 | SPL-140654, SPL-178056 | wrong integrity check alert for file etc/users/users.ini |
2017-03-07 | SPL-138351, SPL-172626 | The role change of DMC via UI does not reflect to distsearch.conf Workaround: As a workaround, the customer can manually modify distsearch.conf. |
2016-11-14 | SPL-132151 | XML error when trying to download uninstalled app |
Splunk Web and interface issues
Date filed | Issue number | Description |
---|---|---|
2020-02-11 | SPL-183231, SPL-178521 | idpCert.pem certificate gets malformed using Metadata XML File |
2020-02-11 | SPL-183229, SPL-178521 | idpCert.pem certificate gets malformed using Metadata XML File |
2020-01-23 | SPL-182139, SPL-182472, SPL-182773, SPL-182774 | Degradation in Web UI performance with large number of Knowledge Objects and Users Workaround: No workaround available. |
2019-10-28 | SPL-178515, SPL-179823, SPL-182060, SPL-182067, SPL-183204, SPL-183205 | Unable to view SAML settings when idpCerts is deleted |
2019-10-04 | SPL-177527, SPL-162249 | The filter function of <splunk-search-dropdown> UI component is not working on Splunk Enterprise 7.1 and later. |
2019-09-10 | SPL-176234, SPL-176350, SPL-176739 | Lookup file Permissions displays the csv filename instead of app name |
2019-08-26 | SPL-175725, CV-462 | Custom Visualizations Formatter Label Broken |
2019-07-11 | SPL-173061 | UI exposes a nonfunctional option for modifying permissions on custom search commands |
2019-07-03 | SPL-172753, SPL-172789 | Index Selection for roles only shows 100 indexes Workaround: Manually push configs from an app instead of using the UI |
2019-06-28 | SPL-172639, SPL-172773 | trim command throws error and truncates return when concatenating empty field to a number |
2019-05-22 | SPL-170857, SPL-162249 | The filter function of <splunk-search-dropdown> UI component is not working on Splunk Enterprise 7.1 and later. |
2017-08-23 | SPL-144350 | Archived Index is created without error when the splunk index is invalid |
2017-07-13 | SPL-143111 | "Splunkd daemon is not responding" when edit local windows event log collection |
2016-11-14 | SPL-132133 | App Browser filtering of the apps does not work |
2015-11-09 | SPL-109165 | Interactive Field Extractor hangs when using "^" as delimiter. Workaround: Use props and transforms to specify the delimiter of your choice. |
2015-08-10 | SPL-105061, SOLNESS-7274 | Broken module prevents splunkweb from starting |
2015-06-30 | SPL-103701 | Actions links should be removed for "Apps Browser" |
2014-07-16 | SPL-87015 | chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns. |
2014-04-04 | SPL-82650 | A report created and scheduled by admin cannot be embedded by a power user. |
2014-02-26 | SPL-81103 | Username surrounded by dollar signs cannot create saved searches. |
2013-08-19 | SPL-73386 | Users are not allowed to run historical scheduled search Workaround: 1. Create a special power/admin user who can run scheduled searches. 2. Assign this user ownership of the scheduled searches. 3. Share the searches at the app level and grant read/write permission to the correct set of users. |
Windows-specific issues
Date filed | Issue number | Description |
---|---|---|
2019-12-11 | SPL-180846, SPL-167310 | Error in splunkd.log "splunk-perfmon - OutputHandler::composeOutput: Counter is not found: " |
2019-12-10 | SPL-180763, SPL-167310 | Error in splunkd.log "splunk-perfmon - OutputHandler::composeOutput: Counter is not found: " |
2019-06-07 | SPL-171660, SPL-166645 | Splunk is filling the "C:/Windows/Temp" folder with .tmp files |
2019-06-05 | SPL-171491 | $SplunkStanzaName value is not set in PowerShell script |
2019-02-20 | SPL-166696, SPL-163851 | Bugcheck due to splunkdrv (WinRegMon driver) |
2015-11-13 | SPL-109430 | In Windows only, inheritance is broken for folders created by splunkd. Files created are accessible only to the user as whom splunkd is running. |
2015-04-14 | SPL-99687, SPL-129637 | Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events. Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0. |
2015-04-01 | SPL-98978 | On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time. Workaround: To fix the problem, restart Windows on the forwarder. |
2014-10-31 | SPL-92596 | After upgrade from Splunk Enterprise 6.1 or earlier to 6.4.x on Windows, splunkweb service does not start automatically. Attempts to start it manually show "Error 1053: The service did not respond to the start or control request in a timely fashion." Workaround: This is expected behavior. See the Splunk Answers post: http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html |
2014-09-25 | SPL-91279 | Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles. Workaround: See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download. |
2013-10-11 | SPL-75116 | The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza Workaround: Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk. |
REST, Simple XML, and Advanced XML issues
Date filed | Issue number | Description |
---|---|---|
2020-01-23 | SPL-182139, SPL-182472, SPL-182773, SPL-182774 | Degradation in Web UI performance with large number of Knowledge Objects and Users Workaround: No workaround available. |
2017-07-13 | SPL-143111 | "Splunkd daemon is not responding" when edit local windows event log collection |
2016-10-31 | SPL-131072 | Datamodel backend allows invalid time values |
2013-05-15 | SPL-67453 | When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard><foo></dashboard>, the endpoint actually receives: <dashboard><foo></dashboard>. |
PDF issues
Date filed | Issue number | Description |
---|---|---|
2016-11-23 | SPL-132925 | Table data rows generated with the addcoltotals command do not show up in PDF Workaround: If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues. Remove the label and |
2015-03-31 | SPL-98890 | Maps printed from Report page do not honor custom zoom and center. |
2014-06-16 | SPL-85497 | Unable to save generated PDFs using Chrome internal PDF viewer. Workaround: Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, see https://support.google.com/chrome/answer/142056. |
Admin and CLI issues
Date filed | Issue number | Description |
---|---|---|
2021-04-23 | SPL-204658 | Centos/RedHat 8 - Splunk cannot be started with default systemd config (enable boot-start -systemd-managed 1) with systemctl: Job for Splunkd/SplunkForwarder.service failed because the control process exited with error code Workaround: Centos/Redhat 8 - update the ExecStartPost cgroup paths in the Splunkd/SplunkForwarder.service file, to point to the proper cgroup location. Change to: /sys/fs/cgroup/cpu/system.slice/%n /sys/fs/cgroup/memory/system.slice/%n From: /sys/fs/cgroup/cpu/init.scope/system.slice/%n /sys/fs/cgroup/memory/init.scope/system.slice/%n Example ExecStartPost settings in [service] stanza, after applying the change: ExecStartPost=/bin/bash -c "chown -R 2024:2024 /sys/fs/cgroup/cpu/system.slice/%n" ExecStartPost=/bin/bash -c "chown -R 2024:2024 /sys/fs/cgroup/memory/system.slice/%n" |
2020-08-22 | SPL-194053, SPL-193257 | create_context=usr: notify mothership for newly created file Workaround: Change permissions after each lookup table creation Upload a pre-created/pre-existing csv lookup, but it is often not possible. |
2019-11-25 | SPL-180152, SPL-173365 | UI displaying incorrect results from Data Model List view Workaround: If you toggle the visibility to "Visible in the App" and then back to "Created in the App" it only then renders the correct results. |
2019-11-25 | SPL-180151, SPL-173365 | UI displaying incorrect results from Data Model List view Workaround: If you toggle the visibility to "Visible in the App" and then back to "Created in the App" it only then renders the correct results. |
2019-11-25 | SPL-180153, SPL-173365 | UI displaying incorrect results from Data Model List view Workaround: If you toggle the visibility to "Visible in the App" and then back to "Created in the App" it only then renders the correct results. |
2019-11-12 | SPL-179501, SPL-181871, SPL-184331, SPL-184329 | Some page at "Settings > All Configurations" throws 404 ERROR |
2019-09-09 | SPL-176180, SPL-159600 | Clone dialog in Searches, Reports, and Alerts manager page is listing internal apps as target |
2019-07-11 | SPL-173041, SPL-174738 | Error when enabling Getting Started app on Windows: Invalid template path. |
2017-11-29 | SPL-146820 | Unable to access some settings/manager pages (data model editor) if starting from the setup page of a non-visible app Workaround: Navigate to a visible app, such as the search and reporting app, and access the Splunk settings pages from that app context. |
2017-04-11 | SPL-141051 | When LINE_BREAKER is defined for a sourcetype, UI forces SHOULD_LINEMERGE to true Workaround: None in Splunk Cloud. For on-prem, manually edit the props.conf file to set SHOULD_LINEMERGE to 'false'. |
2017-04-03 | SPL-140747 | SSL connection in Python when using new ciphers may be slow. |
2016-11-09 | SPL-131880 | Reports/Alerts owned by the deleted user cannot be found in the Orphaned filter for the Reassign Knowledge Objects page |
2015-09-23 | SPL-106978 | Failed SHC captain election causes unnecessary change in server.conf |
2015-03-11 | SPL-97942 | Capability defined in an app does not take effect when assigned to a role Workaround: The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this: [search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table |
2014-04-07 | SPL-82699 | SSO: Acceleration icon fails to display in Searches, Reports, and Alerts page. |
2013-05-25 | SPL-68010 | The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO. Workaround: Set server.conf [applicationsManager] allowInternetAccess = false |
2013-05-02 | SPL-66511 | If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view. |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2021-07-05 | SPL-208338, SPL-208754, SPL-210528, SPL-210529 | When using a License Manager that has both ITSI and Hunk license installed, all connected Splunk instances are showing Hunk branding |
2020-11-04 | SPL-197011, SPL-195826 | splunkd.exe is constantly crashing by Access violation, cannot read at address |
2020-11-04 | SPL-197009, SPL-195826 | splunkd.exe is constantly crashing by Access violation, cannot read at address |
2020-10-19 | SPL-196439, SPL-195411 | Redundant absent summary cachemanager open calls. |
2020-04-14 | SPL-186425, SPL-193996 | SmartStore: Rebuilding an evicted DMA summary causes us to re-upload the old tsidx file with the newly rebuilt one |
2020-04-02 | SPL-185715, SPL-183142 | Session token generated in JWT/Bearer token-based call cannot be used to auth rest calls Workaround: Only affects SH clusters but not standalone instance, from 7.3 onwards. Specifically impacts apps that use rest endpoints. The workaround is to use the old way of authenticating, username/password. |
2020-04-02 | SPL-185714, SPL-183142 | Session token generated in JWT/Bearer token-based call cannot be used to auth rest calls Workaround: Only affects SH clusters but not standalone instance, from 7.3 onwards. Specifically impacts apps that use rest endpoints. The workaround is to use the old way of authenticating, username/password. |
2020-02-16 | SPL-183454, SPL-184739, SPL-190313 | slash character present in sourcetype prevents editing of Field Extractions |
2020-02-07 | SPL-183002, SPL-183000 | diag cannot get index listings for UNC paths |
2019-12-05 | SPL-180575, SPL-181506, SPL-183342 | Splunk streaming cli RealTime searches consume high memory and don't stream results until Job finalizes Workaround: The workaround was to set phased_execution_mode to single threaded mode in the limits.conf file: [search] phased_execution_mode = singlethreaded. This is the same workaround that was used for similar issues with subsearches for bug SPL-176990 that was fixed in 7.3.3. |
2019-11-25 | SPL-180147 | Memory Consumption issue by powershell script |
2019-11-08 | SPL-179256, SPL-179703, SPL-180148, SPL-180149 | kvstore inputlookup with large 'where' filter fails silently when hitting 300 second timeout Workaround: Change logic of your search, do filtering later in | search |
2019-11-05 | SPL-178973, SPL-176583 | Check receipt existence before making GET call in dedup code |
2019-10-18 | SPL-178172, SPL-180649, SPL-181717 | Disabling replication of kvstore collection for automatic lookup causes "Could not load lookup=..." errors to appear |
2019-10-16 | SPL-178058, SPL-174960 | Customer Spin Off for code fix - SmartStore - 0 bytes receipt.json Upload |
2019-10-16 | SPL-178057, SPL-174960 | (PinkiePie)- Customer Spin Off for code fix - SmartStore - 0 bytes receipt.json Upload |
2019-10-09 | SPL-177752, SPL-180193, SPL-180194, SPL-180195 | Deadlock in splunk when using pstacks action |
2019-10-07 | SPL-177659, SPL-177953, SPL-178124 | Embedding base64 image in dashboard is not displayed Workaround: No |
2019-10-01 | SPL-177347 | Collectd data via HEC blocks Heavy Forwarder queues when 'useACK = true' to send data to Indexers. |
2019-09-26 | SPL-177144, SPL-177326 | Under heavy search workload, the search memory usage estimation may be higher than actual usage |
2019-09-25 | SPL-177008, SPL-176710, SPL-177009 | Workload management fails to enable for addition of a pool with 1% cpu and 1% memory |
2019-09-16 | SPL-176514 | Offline rebuild of unsearchable bucket may lead to stale information in dbinspect searches |
2019-09-09 | SPL-176190, SPL-176640, SPL-178138 | Count option is not working when it is set with a token Workaround: In 7.3, page displays 5 records even after user selects 50. A browser refresh is required to display 50 records. |
2019-09-04 | SPL-175930, SPL-172448 | Added UI message for "Failed to localize" in splunkd.log |
2019-08-28 | SPL-175600, SPL-172097 | instrumentation IOStats in resource_usage.log is not being collected for some paths. |
2019-08-19 | SPL-175147 | WebUI overwrites srchIndexes Allowed |
2019-07-11 | SPL-173038 | Deprecated Feature SH Pooling has several functional problems in versions 7.1.x and above Workaround: Customers are strongly advised to use Search Head Clustering instead. |
2019-07-02 | SPL-172722, SPL-169562 | EXTRACT with REGEX capture groups are not extracting fields without specifying FORMAT. |
2019-06-27 | SPL-172559, SPL-169489 | DDAA fails with the error "Failed to download and update receipt file" |
2019-06-25 | SPL-172417, SPL-172431 | Entries for `coldToFrozenDir` and `coldToFrozenScript` in indexes.conf.spec incorrectly state that the settings are not available for remote storage enabled indexes. |
2019-06-20 | SPL-172272, SPL-182872, SPL-182939, SPL-182940 | Language localization needs to apply for placeholder 'Username' and 'Password' text on login page |
2019-06-14 | SPL-171958, SPL-171943 | Diag needs updating so it obfuscates or removes values for remote.s3*key values |
2019-06-06 | SPL-171600, SPL-167453 | Replicated bucket in indexer cluster is timestamped with earliest time 0 (January 1970) if its last slice is empty. |
2019-06-05 | SPL-171553, SPL-171647 | Smartstore: S3 GET is being done before S3 PUT for the receipt.json causing 404 errors (Source peer should not check if the bucket/receipt exists during uploads) |
2019-05-22 | SPL-170880, SPL-169429 | Do not evict bucket contents from target indexers after S3 upload |
2019-05-22 | SPL-170855, SPL-170282 | S3Client shows statusCode=403 with a wrong access_key when multiple on-prem remote storages are configured |
2019-05-22 | SPL-170856, SPL-170282 | S3Client shows statusCode=403 with a wrong access_key when multiple on-prem remote storages are configured |
2019-05-22 | SPL-170927, SPL-169411 | DDAA fails with buckets larger than 5GB |
2019-05-22 | SPL-170929, SPL-170618 | DDAA fails with the error "The specified key does not exist" |
2019-05-22 | SPL-170928, SPL-169489 | DDAA fails with the error "Failed to download and update receipt file" |
2019-05-14 | SPL-170421, SPL-169562 | EXTRACT with REGEX capture groups are not extracting fields without specifying FORMAT |
2019-03-26 | SPL-168314 | SmartStore standalone instance + Monitoring Console: Bootstrapping panel needs to reflect the standalone bootstrapping process |
2019-03-04 | SPL-167326 | $_index_name does not resolve properly when used with the thawedPath pathname |
2019-01-04 | SPL-164557, SPL-175202 | Add capability of skewing time validation for SAML assertions |
2018-10-17 | SPL-161632 | Can't install RPM Splunk 7.2+ file in Red Hat EL5 |
2018-09-04 | SPL-159598 | mongo 3.4 to 3.6 upgrade sometimes misses fcv document |
2018-04-18 | SPL-153555, SPL-152283 | mongod errors out on distros with older glibc (2.7 and below) with " Invalid access at address: 0x10" |
2018-03-20 | SPL-152330, SPL-151992 | After installing Splunk on Windows using msiexec and the "GENRANDOMPASSWORD=1" option (and if generated password ends with backslash) admin is unable to login with msg "No users exist. Please set up a new user." Workaround: Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk [user_info] |
2018-03-14 | SPL-152095 | Edit Summary Indexing - Index List empty/incomplete for User with Power role after upgrading to 6.6.0+ Workaround: add indexes_edit and dispatch_rest_to_indexers capability to the Power role for all indexes to be listed |
2018-01-25 | SPL-148514 | Splunk not starting on Linux kernel version 4.13.0-31 Workaround: Do not upgrade kernel to version 4.13.0-31. Use either an older release or 4.13.0-32.35+ |
2017-05-09 | SPL-141693 | DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list. |
2017-04-27 | SPL-141478, SPL-237563 | $_index_name does not resolve properly when used with the thawedPath pathname |
2017-03-27 | SPL-140442, SOLNESS-11786 | In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses. Workaround: If users cannot perform operations on notable event review statuses or have issues viewing "Edit all selected" links on Incident Review, user roles must be provided with the "edit_roles" capability. |
2017-01-18 | SPL-135260 | Documentation for Search formatting keyboard shortcut for non-English languages |
2017-01-06 | SPL-134707 | Splunk restart does not create missing server.pem certificate on Windows Workaround: Use bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate. |
2016-11-21 | SPL-132670 | Mac OS 10.11: Disabling boot-start doesn't remove the file /Library/LaunchAgents//com.splunk.plist created by enabling boot-start in a prior Splunk/UF |
2016-08-31 | SPL-127800 | Opting in to data sharing on a monitoring console produces duplicate data |
2016-07-26 | SPL-125052 | A sole Admin can demote themselves to Power without a path of recovery in the GUI. Workaround: Through the command line, you can open notepad and modify the password file to regain 'Admin' status. |
2016-06-21 | SPL-123174 | JSON indexed_extractions doesn't work for TCP inputs |
2015-10-07 | SPL-107606 | Inconsistency between summary and datamodel_summary files. |
2015-06-18 | SPL-103302 | File ownership fails to change when using the Debian package to install Splunk and $SPLUNK_HOME is a symlink. Workaround: Run a recursive chown from the command line on $SPLUNK_HOME manually, post install. |
2015-06-18 | SPL-103325 | SHC cookie-based auth depends on all SHC members being on the same mgmt port |
2015-05-24 | SPL-102008 | On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference. |
2015-05-11 | SPL-101289 | When the number of indexing pipeline sets is greater than four, indexing throughput decreases. |
2015-05-06 | SPL-100980 | Single indexer does not scale when receiving parsed data from multiple PipelineSets. |
2015-05-04 | SPL-100792 | There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals. Workaround: Searches that key off these lines need to select their desired name=x category in order to see a single thruput value. |
2015-04-24 | SPL-100322 | A view gets stuck with "loading" due to problematic navigation (default.xml) Workaround: Use the label attribute for the collection element. <collection label="Others"> <view source="unclassified" match="Dashboard"/> </collection> |
2015-03-26 | SPL-98700 | splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id. Workaround: Remove the duplicated bucket. |
2015-02-26 | SPL-97389 | When using timechart command, the embedded report shows different time format than the original report. |
2015-01-08 | SPL-95144, SPL-101986, SPL-101987, SPL-106884, SPL-107317, SPL-142789 | Indexed message for Windows security event logs shows "FormatMessage error" Workaround: Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service. |
2014-11-10 | SPL-92831 | A version mismatch between the license-master and the license-slave generates warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ." Workaround: The warnings can be ignored. The workaround is to use the same major versions (all on 6.2 or all on 6.1). |
2014-10-24 | SPL-92432, SPL-99583 | Chart in dashboard panel does not honor interval settings. Workaround: In the panel XML, specify a larger height to use the correct interval settings. |
2014-10-17 | SPL-92162 | Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine. |
2014-09-11 | SPL-90738 | Monitoring a directory with an unknown sourcetype produces indexing errors. |
2014-08-26 | SPL-90139 | <timestamp> does not display in the Patterns tab when searches are run in fast mode. |
2014-04-22 | SPL-83365 | Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI. |
2014-04-14 | SPL-83068 | Default index can be set to random index. |
2014-04-01 | SPL-82517, SPL-208875 | Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings. |
2014-03-23 | SPL-82238 | Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected. |
2014-03-13 | SPL-81856 | Show all lines does not work in data model editor preview. |
2014-03-12 | SPL-81810 | Licensing - license pool warning at license master keeps coming back after deleting it. Workaround: Delete the warnings on the peers first, then the License Manager. |
2014-03-12 | SPL-81781 | In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update". |
2014-02-13 | SPL-80568 | Highcharts determines Y-axis values based on first point outside visible range. |
2014-02-07 | SPL-80285 | In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions. Workaround: For more information, see Add lookup files to Splunk. |
2014-02-06 | SPL-80187 | In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared. Workaround: Share the definition. For more information, see Add lookup files to Splunk. |
2014-01-31 | SPL-79842 | On Windows, the indexer does not accept new connections on the splunktcpin port after queue blockage is resolved |
2013-11-27 | SPL-77139 | Licenser pool usage gets reflected only after restarting splunkd. |
2013-10-29 | SPL-75764 | Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux. |
2013-09-13 | SPL-74337, BETA-496 | You cannot specify a destination folder when installing on OSX. |
2013-09-10 | SPL-74209, SPL-74167 | Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >). Workaround: Specify the persistentQueue explicitly in the input definition. |
2013-08-28 | SPL-73826 | Windows: hostname override not working properly |
2013-06-13 | SPL-69304 | If license slaves are running a <6.0 version, they do not have the idx field, and in the License Usage view, the split by index field will show a field named UNKNOWN. |
2013-04-30 | SPL-66213 | PDF server app is not working with latest Xvfb |
2012-02-22 | SPL-48342 | The LDAP strategy host field does not work with an IPv6-format address, but a computer name is okay |
2010-10-08 | SPL-34347 | wmi input default fields - a value that includes newlines doesn't search properly because of an \r\n issue |
Splunk Analytics for Hadoop
Date filed | Issue number | Description |
---|---|---|
2017-04-04 | ERP-2040 | Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x Workaround: Upgrade Hadoop to 2.8.2 or higher. |
2015-09-09 | ERP-1650 | timestamp data type not properly deserialized. |
2015-08-05 | ERP-1619 | Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception. Workaround: Reenable the bucket copy saved search and let it run, or force the archiving to happen via | archivebuckets force=1 and then rerun the search. |
2015-07-07 | ERP-1598 | minsplit rampup - splits generation takes too long. Workaround: Set minsplits=maxsplits |
2015-05-12 | ERP-1502 | Non-accelerated pivot search on Pivot UI page waits for a long time to return result. |
2015-01-08 | ERP-1343, SPL-95174 | Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error. Workaround: Add the journal.gz to the input path's blacklist (vix.input.1.ignore = ....) |
2014-10-27 | ERP-1216 | Data Explorer preview does not honor existing sourcetypes for big5/sjis files. |
2014-10-03 | ERP-1164 | Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory. Workaround: To mitigate this issue, make sure that vix.splunk.home.hdfs (or Working directory in the UI) is unique on both search heads that are not in a pool. To keep your instances in the same working directory, configure vix.splunk.search.cache.path to be unique on both search heads. |
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0