Splunk® Enterprise

Release Notes

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once. To check for additional security issues related to this release, visit the Splunk Security Portal.

Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features and removed features in this manual.

Upgrade issues

Date filed Issue number Description
2020-12-05 SPL-198311 KVstore failed to start after offline upgrade of SHC from Splunk Enterprise 7.x to 8.x

Workaround:
1) Use Searchable Rolling Upgrade rather than Offline upgrade for SHC nodes migration/upgrade.

2) If this issue is encountered after offline upgrade, please run the following steps on problematic SH nodes.
- Stop the search head that has the stale KV store member
- Run the command splunk clean kvstore --cluster
- Restart the search head. This triggers the initial synchronization with other KV store members.
- Run the command splunk show kvstore-status to verify synchronization has succeeded.

2020-08-31 SPL-194426 External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-07-10 SPL-191799 Upgrading Splunk Enterprise from 7.x or 8.0.x to 8.0.5 breaks Splunk Add-on for Service Now

Workaround:
As a manual workaround, the "import html" statement on Line 16 of the splunk/lib/python3.7/site-packages/splunk/util.py file can be commented out; this does not require a Splunk restart to take effect.

2018-04-13 SPL-153403 After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2017-05-23 SPL-141961 Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port.

Workaround:
This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions:
  • 6.0.0 to 6.0.6
  • 6.1.0 to 6.1.4
  • 6.2.0 to 6.2.6
  • 6.3.0 to 6.3.1
  • 6.3.1511.1

Upgrade your older instances to the latest maintenance releases, or, on your 6.6.x Splunk instances, add the following stanza to server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


2017-03-20 SPL-139019 Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites

Workaround:
Users can do either of the following:

1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully.

3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc.). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites.

2017-03-13 SPL-138647 Possible compatibility issues between new 6.6 and later default sslVersions, cipherSuites and external services, e.g. e-mail, LDAP

Workaround:
If security is not a significant concern, simply revert back to the 6.5.x SSL/TLS defaults, e.g. for e-mail, add to $SPLUNK_HOME/etc/system/local/alert_actions.conf

[email]
sslVersions = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To configure LDAP with the same settings used by e-mail alerts: $SPLUNK_HOME/etc/openldap/ldap.conf

TLS_PROTOCOL_MIN 3.1
TLS_CIPHER_SUITE TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To completely revert the LDAP configuration to the 6.5.x SSL/TLS defaults, comment out TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE


If you would like to retain the more secure 6.6.x defaults, but prefer to add an exception for your less secure external services, follow the procedure below:

1. To determine what sslVersions and cipherSuites are supported by a server, run splunk cmd openssl s_client -connect hostname:port | awk '/Protocol/ || /Cipher/ || /Verify/'.

The example below is for a Postfix SMTP server:

eserv@indexer01:~$ splunk cmd openssl s_client -connect smtp-server01:465 | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=1 C = US, O = Example Customer, OU = IT, CN = Example Customer IT CA, emailAddress = customer@example.org
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

   Protocol : TLSv1 
   Cipher : DHE-RSA-AES256-SHA 
   Verify return code: 19 (self signed certificate in certificate chain)

2. Check the OpenSSL output for Protocol and Cipher. In the example above, Protocol = TLSv1 and Cipher = DHE-RSA-AES256-SHA

3. Update Splunk's relevant sslVersions and/or cipherSuite. In the example above, sslVersions should be set to tls (allows TLSv1, TLSv1.1, TLSv1.2) and DHE-RSA-AES256-SHA should be appended to the end of the default cipherSuite definition, e.g. add to $SPLUNK_HOME/etc/system/local/alert_actions.conf:

[email]
sslVersions = tls
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA
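Steps 1 to 3 above as a script, added here as an example and not taken from the Splunk documentation: it parses `openssl s_client` output and prints the narrowest `[email]` exception that still lets the handshake succeed. The function names are hypothetical, the sample input is built from the Postfix output above, the key is `cipherSuite` as in the earlier `[email]` stanza, and the `tls1.1`/`tls1.2` values for newer servers go beyond the page's TLSv1 case.

```shell
#!/bin/sh
# Default cipher list: the [email] stanza above without the appended
# DHE-RSA-AES256-SHA entry.
DEFAULT_SUITES='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

# Constructed sample input, copied from the Postfix example above.
sample_output() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
   Protocol : TLSv1
   Cipher : DHE-RSA-AES256-SHA
   Verify return code: 19 (self signed certificate in certificate chain)
EOF
}

# Read s_client output on stdin; print "<protocol> <cipher> <verify code>".
# Fails (exit 1) when no handshake summary is present.
parse_handshake() {
  awk '
    /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
    /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
    /Verify return code:/    { split($0, a, ":"); split(a[2], b, " "); code = b[1] }
    END {
      if (proto == "" || cipher == "") exit 1
      print proto, cipher, (code == "" ? "unknown" : code)
    }'
}

# email_stanza PROTOCOL CIPHER: print the alert_actions.conf override.
email_stanza() {
  proto=$1
  cipher=$2
  case "$proto" in
    TLSv1)   versions=tls ;;            # as in step 3 above
    TLSv1.1) versions=tls1.1,tls1.2 ;;  # narrower than "tls" (added here)
    TLSv1.2) versions=tls1.2 ;;         # narrower than "tls" (added here)
    *) echo "refusing to add an exception for $proto" >&2; return 1 ;;
  esac
  # Append the negotiated cipher only if the default list lacks it.
  case ":$DEFAULT_SUITES:" in
    *":$cipher:"*) suites=$DEFAULT_SUITES ;;
    *)             suites="$DEFAULT_SUITES:$cipher" ;;
  esac
  printf '[email]\nsslVersions = %s\ncipherSuite = %s\n' "$versions" "$suites"
}

# Full pipeline: s_client output on stdin, stanza on stdout.
tls_exception() {
  parsed=$(parse_handshake) || { echo "no Protocol/Cipher lines found" >&2; return 1; }
  set -- $parsed
  # A non-zero verify code means the chain was not trusted; surface it.
  [ "$3" = "0" ] || echo "warning: verify return code $3, certificate chain not trusted" >&2
  email_stanza "$1" "$2"
}

sample_output | tls_exception
```

Against a live server, pipe the real command into the function: `splunk cmd openssl s_client -connect hostname:port </dev/null 2>&1 | tls_exception`.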

2014-08-20 SPL-89640 When running Splunk on Linux as non-root user and using RPM to upgrade, the RPM writes $SPLUNK_HOME/var/log/introspection as root, causing errors upon restarts

Workaround:
Chown the $SPLUNK_HOME/var/log/introspection directory to the user Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Data input issues

Date filed Issue number Description
2021-10-07 SPL-213416, SPL-209519 dedicatedIOthreads is not respected, causing HEC performance problems

Workaround:
Scale HEC by adding indexers instead of tuning dedicatedIOthreads
2021-10-05 SPL-213290, SPL-209519 8.2.x dedicatedIOthreads is not respected, causing HEC performance problems

Workaround:
Scale HEC by adding indexers instead of tuning dedicatedIOthreads
2021-03-21 SPL-202725 sslServerHandshakeTimeout only applies to port 8089 where it should apply to all http server ports
2020-09-29 SPL-195635, SPL-202178, SPL-206477, SPL-202163, SPL-206534 Splunkd increased memory usage over time when monitoring UDP port(s) with in inputs.conf
2019-11-04 SPL-178916, SPL-171961 The datetime.xml timestamp recognition file does not recognize two-year dates after 2019 or Unix epoch-time seconds higher than 1599999999 (12:26:39 UTC 13 Sep 2020)
2015-11-12 SPL-109362 When the disk runs out of space for the limit set in the server.conf, add data workflow gets stuck with "Uploading file" message modal in the review stage
2015-05-22 SPL-101981 Field extractions do not work when sourcetypes use quotes in the Getting Data In interface.
2015-03-17 SPL-98163 INDEXED_EXTRACTIONS=W3C is truncating field cs_uri_stem when spaces are present in URL

Workaround:
Create a separate extraction in props.conf where defined w3c extraction method:

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

Search issues

Date filed Issue number Description
2021-08-10 SPL-210070, SPL-209599 Searches with hundreds of search commands can crash the main Splunk server.
2021-06-02 SPL-206635, SPL-210969 tstats "fillnull_value" only works for results from tsidx (accelerated DM) but not from unaccelerated results (fallback search)

Workaround:
Use eval (calculated field) in datamodel to fill the null values in the definition itself, with something like this
if(isnull(status), "NULL",status)
2021-05-05 SPL-205362, SPL-206450 No events are returned when data with preceding wildcards(*) is ingested

Workaround:
Switch back to search evaluator v1

$ cat $SPLUNK_HOME/etc/system/local/limits.conf
[search]
use_search_evaluator_v2=false

2021-03-03 SPL-201924, SPL-200335 Lookup definition with filter not working in Splunk 8.X
2020-12-06 SPL-198314, SPL-233681, SPL-233762 Exporting _time field applies user timezone offset but contains the server's timezone (usually +0000)

Workaround:
Force a specific time format by using strftime in an eval command.

For example, add

 | convert timeformat="%FT%T.%3Q%z" ctime(_time)

to the end of your search

2020-09-01 SPL-194461, SPL-194199 |fieldformat in |foreach statement doesn't work

Workaround:
Either use eval or fieldformat outside of foreach

instead of

... | foreach field [| eval "<<FIELD>>"=... ] 

use something like this

... | fieldformat "field"=... 
2020-08-31 SPL-194426 External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-08-18 SPL-193853, DOCGUILD-4143 Use of 'sparkline' with no argument incorrectly invokes a 'deprecated stats command syntax' info message
2020-07-22 SPL-192373, SPL-191605 fields command being run before streamstats in search causing incorrect results
2020-07-21 SPL-192269, SPL-188997 Search performance degradation with chained lookups.

Workaround:
In limits.conf:

[lookup]
use_lookups_v2=0

This setting is only available in later releases of 7.2.x and 7.3.x.

NOTE: This setting is not available in Splunk 8.x. If using this workaround in 7.2.x or 7.3.x, do not upgrade to 8.x until this issue is fixed.

2020-07-15 SPL-192057, SPL-188608 Realtime and in-progress adhoc searches shows "Job terminated unexpectedly" on members of SHC other than the SH from which the search originated
2020-07-10 SPL-191799 Upgrading Splunk Enterprise from 7.x or 8.0.x to 8.0.5 breaks Splunk Add-on for Service Now

Workaround:
As a manual workaround, the "import html" statement on Line 16 of the splunk/lib/python3.7/site-packages/splunk/util.py file can be commented out; this does not require a Splunk restart to take effect.

2020-07-08 SPL-191676, SPL-191092 sendalert failed as results.csv.gz was not found
2020-07-03 SPL-191486, SPL-191993 CASE() combined with OR and non-CASE() statements only returns the results for the CASE() part

Workaround:
Change the search to do the case sensitive matching outside of a search command, for example with a |rex command.

Fall back to the old search evaluator. This needs to be changed on both search heads and indexers in $SPLUNK_HOME/etc/system/local/limits.conf:

[search]
use_search_evaluator_v2 = false
2020-06-26 SPL-191342, SPL-191877 All event types are extracted for numeric _raw data
2020-05-14 SPL-189147, SPL-186735 Renaming sourcetypes on search time causing performance impact

Workaround:
Use the new sourcetype in searches. Note that this does not provide backward compatibility for customers' dashboard searches.

2020-04-14 SPL-186357, SPL-184352 No more "Wrap results" option when using "Show source" in 8.0+
2020-04-14 SPL-186424, SPL-185211 indexed_kv_limit related warning messages
2020-04-07 SPL-185956, SPL-186131 replace_table_with_fields optimizer doesn't guarantee field order for searches where this matters, for example: <non-transforming search> | table | transpose

Workaround:
Add this to the search if field ordering for the first table command matters:
| noop search_optimization.replace_table_with_fields=f

Or, if you can, restructure the search so that a transforming command comes first:

index=_internal 
| stats latest(_time) AS _time BY host index  
| table host _time index 
| transpose 2

Or run the search in VERBOSE mode.

2020-04-01 SPL-185692, SPL-185078 update MaxMind GeoLite2-City DB to latest version 20200317
2020-04-01 SPL-185691, SPL-185078 update MaxMind GeoLite2-City DB to latest version 20200317
2020-03-19 SPL-185099, SPL-188339 Datamodel summaries contain wrong addresses for multi-value fields causing errors: Failed to read size=XX events from rawdata. Rawdata may be corrupted

Workaround:
The problem here is with the tsidx files in the summary buckets, so the raw data is intact and there is no data loss. The read errors are simply related to bad addresses coming from the summary. The only possible workaround is to disable the acceleration, which is not ideal, but for now it is the way to get rid of the problem until the fix is delivered.

2020-03-06 SPL-184463, SPL-184961 Multiple timezone indexer cluster - timechart span=1d snaps to multiple hours

Workaround:
Use "span=24h" instead of "span=1d"

On the search head, set limits.conf:

[search]
phased_execution_mode = singlethreaded

On the search head, set user preference timezone to non-default one

2020-03-05 SPL-184348, SPL-184601, SPL-185393, SPL-185394 Splunk returns no results after adding field extractions without capturing group in REGEX when using FORMAT field::value

Workaround:
Add a capturing group to the REGEX.

REGEX = (.)

Example of configuration that would show this issue: props.conf:

[splunkd]
REPORT-Whatever = this-breaks-searching

and transforms.conf:

[this-breaks-searching]
REGEX = .
FORMAT = myfield::myvalue
2020-03-05 SPL-184392, SPL-185145, SPL-192489, SPL-185102 Any jobs starting with subsearch_ will return a 403 when requested from the jobs endpoint, for example "| sendemail" from within "|map" search fails with " Client is not authorized to perform requested action" in python.log

Workaround:
Issue seen for searches like this:
| makeresults 
| map search="|makeresults |sendemail to=\"email@test.com\" format=csv"

Move |sendemail command outside of the |map function if possible

For sending one result at a time, have a look at sendresults from https://splunkbase.splunk.com/app/1794/ as an alternative to | map search="... | sendemail"

Or using the "per result" and then the email alert action on a saved search might be an option.

2020-03-04 SPL-184283 Improve `WildcardMatcher` performance eliding generation of unnecessary regex patterns.
2020-03-03 SPL-184223, SPL-181448 mstats - The same search query with mstats produces different results each time it is run
2020-02-26 SPL-183947, SPL-184689 Search process crashes on idx processing lookup in FAST mode
2020-02-21 SPL-183750, SPL-181801 | delete command may generate unnecessary errors when SmartStore cache is under pressure
2020-02-12 SPL-183259 When generating LISPY for field values that are numbers (""), the values aren't deduplicated, which can cause slowdowns in certain scenarios

Workaround:
Dedup values in search before, for example:

instead of

index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId]

add a stats or dedup in the subsearch:

index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example:

index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]
2020-02-05 SPL-182842 Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map

Workaround:
Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats
2020-01-30 SPL-182511, SPL-183265 split() on an empty string results in typeof(field) = Invalid and a "| mvexpand" will then not return that event

Workaround:
For searches that look like this:
| makeresults 
| eval a="" 
| eval a=split(a,"z"), b="junk" 
| foreach * 
    [| eval typeof_<<FIELD>>=typeof(<<FIELD>>)]
| mvexpand a

Add an eval before mvexpand to handle this for example:

...
| eval a=if(tostring(typeof(a))="Invalid","",a) 
| mvexpand a


2020-01-24 SPL-182145, SPL-184307 Issue with eval on _time field before stats, streamstats, eventstats or chart with "latest_time()" "earliest_time()"

Workaround:
Sort on _time before the stats:
... | sort 0 - _time
2020-01-21 SPL-181973 Predict command visualization is broken when the time series starts with an empty field

Workaround:
Make sure that there are no leading null values for the field you're predicting:

Pick a timerange that is known to start with values if possible.

If you're using timechart:

Add
fixedrange=f
to timechart SPL

If not, something like this might help:

...
| trendline sma5(count) as smooth_count 
| streamstats max(eval(if(isnotnull(smooth_count),1,null()))) AS flag 
| where flag=1 
| fields - flag 
| predict smooth_count

or something simpler with fillnull:

...
| fillnull smooth_count
| predict smooth_count

However, this will impact the prediction as no data isn't the same as 0

2020-01-10 SPL-181573 geostats provides incorrect results for lower zoom levels when split BY has a higher cardinality than globallimit.

Workaround:
- Increase globallimit to the value of "unique values" number mentioned in the warning message:

"The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count."

- Use very high globallimit in geostats and post process after if needed

- Don't use BY in geostats

- Use lower cardinality BY and/or higher globallimit in geostats

2020-01-09 SPL-181525, SPL-182404, SPL-182841, SPL-182843 Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map

Workaround:
Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats
2020-01-08 SPL-181499, SPL-181551 Suppress warning message when update=true used in real-time search
2020-01-02 SPL-181332, SPL-181303 Rex mode sed - 7.1.0+ - Sed with caret (^) is giving an incorrect result/not functioning as expected

Workaround:
Remove the global flag at the end of the sed command, i.e.:

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

2020-01-02 SPL-181330, SPL-181303 Rex mode sed - 7.1.0+ - Sed with caret (^) is giving an incorrect result/not functioning as expected

Workaround:
Remove the global flag at the end of the sed command, i.e.:

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

2020-01-02 SPL-181331, SPL-181303 Rex mode sed - 7.1.0+ - Sed with caret (^) is giving an incorrect result/not functioning as expected

Workaround:
Remove the global flag at the end of the sed command, i.e.:

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

2019-12-18 SPL-182532, SPL-186259, SPL-188691, SPL-188692 Splunk Analytics for Hadoop does not return any search result when using "earliest and latest" clause in 7.3.3 version

Workaround:
No workaround is available
2019-12-18 SPL-181155, SPL-177255 Searching for lookup default_match value includes default_match value in lispy

Workaround:
For each lookup field <FIELD> that's causing issues, add to fields.conf:

[<FIELD>]
INDEXED_VALUE=false

2019-11-28 SPL-180256, SPL-189830, SPL-180411, SPL-181700, SPL-190537 fields extracted with modular regex show incomplete required fields list in smartmode for transforming or non-streaming commands , producing no results found

Workaround:

1.) Use SOURCE_KEY=_raw in the transforms stanza where modular regex is used, i.e.:

[cmta-xml-extract-relay-di-out-details]
REGEX = (?:(?<relay_host_out>\S+) )?\(TCP\|cmta_helper_ip:client_ip\|(?<client_port>\d+)\|cmta_helper_ip:relay_ip_out\|(?<server_port>\d+)\)
# SOURCE_KEY = di_relay_out
SOURCE_KEY = _raw


Or include the field in the search: sourcetype=cmta_xml client_ip=* di_relay_out=* | table _raw

2019-11-15 SPL-179745, SPL-177665 (7.2.x) - tstats where clause does not filter as expected
2019-11-15 SPL-179746, SPL-177665 (7.3.x) - tstats where clause does not filter as expected when structured like "WHERE * NOT (field1=foo AND field2=bar)"
2019-11-14 SPL-179594, SPL-177665 tstats where clause does not filter as expected when structured like "WHERE * NOT (field1=foo AND field2=bar)"
2019-11-14 SPL-179583, SPL-179771 Issue searching for some non-ascii character, no results returned

Workaround:
Searches with umlauts and other special characters, like this one, don't return results:

| makeresults | eval _raw="Deutsche Mütter kochen gut" | search "Mütter"

Workaround, on both search heads and indexers, in limits.conf:

[search]
use_search_evaluator_v2=false

2019-11-12 SPL-179453, SPL-177399 Search on indexers crashes in reverse_lookup when working with kvstore lookup (use_lookups_v2=false)
2019-11-11 SPL-179357, SPL-179700 Negated subnet CIDR filter doesn't work in search.

Workaround:

limits.conf:

[search]
use_search_evaluator_v2=false

Example searches that don't filter out values:

index=_internal (NOT clientip=127.0.0.0/8) | stats count BY clientip

index=_internal (clientip!=127.0.0.0/8) | stats count BY clientip

index=_internal | stats count BY clientip | search (clientip!=127.0.0.0/8) | stats sum(count) BY clientip | noop search_optimization=false

Filtering with | where is OK:

index=_internal | where NOT cidrmatch("127.0.0.0/8", clientip) | stats count BY clientip
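
One way to find saved searches exposed to this issue, added here as an example and not taken from the Splunk documentation: the function reads a savedsearches.conf on stdin and lists every stanza whose query uses one of the negated CIDR forms shown above. The function names and sample stanzas are constructed, and the pattern covers only the `NOT field=<cidr>` and `field!=<cidr>` forms.

```shell
#!/bin/sh
# Constructed sample savedsearches.conf; the queries follow the examples above.
sample_savedsearches() {
cat <<'EOF'
[Outbound traffic excluding loopback]
search = index=_internal (NOT clientip=127.0.0.0/8) | stats count BY clientip

[Proxy hits not from lab]
search = index=proxy src!=10.20.0.0/16 \
| stats count BY src

[Post-filter variant]
search = index=_internal | stats count BY clientip | search (clientip!=127.0.0.0/8)

[Safe where filter]
search = index=_internal | where NOT cidrmatch("127.0.0.0/8", clientip) | stats count BY clientip
EOF
}

# Print the name of each stanza whose search contains a negated CIDR term.
find_negated_cidr() {
  awk '
    # Report the stanza collected so far if its query matches, then reset.
    function emit() {
      if (stanza != "" && query ~ re) print stanza
      query = ""
    }
    BEGIN {
      cidr = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+/[0-9]+"
      # Either: NOT <field> = <cidr>   or: <field> != <cidr>
      re = "(NOT[ \t]+[A-Za-z_][A-Za-z0-9_.]*[ \t]*=|!=)[ \t]*\"?" cidr
    }
    # Continuation lines come first: a continued query line may begin
    # with "[" (a subsearch) and must not be mistaken for a new stanza.
    cont             { query = query " " $0; cont = ($0 ~ /\\$/); next }
    /^\[/            { emit(); stanza = substr($0, 2, length($0) - 2); next }
    /^search[ \t]*=/ { query = $0; cont = ($0 ~ /\\$/); next }
    END              { emit() }
  '
}

sample_savedsearches | find_negated_cidr
```

Queries that filter with `| where NOT cidrmatch(...)` are not reported, matching the form the page marks as OK.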

2019-10-23 SPL-178303, SPL-176333 Lookups may return incorrect results due to internal caching

Workaround:
Add allow_caching=f to the lookup command:

| lookup <name> allow_caching=f ...

On 7.3+: Add allow_caching=f to the lookup definition on the search head

transforms.conf:
[<lookup name>]
allow_caching = f

To check if you might be running into this issue, you'll need to enable debug on the search in question by adding:

| noop log_DEBUG=CachedProvider

If you have hits for the cached lookup, like in the sample log below, you can hit this issue.

DEBUG CachedProvider - Cached provider metrics: lookup=<lookup name> hits=67064 misses=321 total=67385

2019-10-17 SPL-178149, SPL-179202 Wrong output of stats caused by incorrect value of _tmpResultsDir
2019-10-08 SPL-177675, SPL-180073, SPL-180267, SPL-180268 Crash in BucketSummaryActorThread for a specific summary directory, persists after removing
2019-10-04 SPL-177553, SPL-177977 For very large group by field values in certain stats results, search displays "Unable to moveRowPtrToInline"

Workaround:
Force use of the older (slower) stats implementation by setting
[stats]
use_stats_v2 = f

in $SPLUNK_HOME/etc/system/local/limits.conf

2019-05-23 SPL-170987 WARN SearchAssistant - recurseSyntax: Stanza entry not found for data-type
2019-02-05 SPL-166001 16MB+ events are not displayed on the search results, but they will be listed on the fields sidebar and in the timeline. search.log message: "SRSSerializer - max str len exceeded - probably corrupt"

Workaround:
Make sure fields are under 16777216 characters (or 16MB, usually _raw is the biggest)

OR

Revert back to the old serialization format (CSV), however, this applies to all searches, so you won't be getting the (performance) benefits of the new format.

$SPLUNK_HOME/etc/system/local/limits.conf:

[search]
results_serial_format=csv

2017-10-15 SPL-145694 Delta command does not calculate correctly for some mixed integer and float values

Workaround:
An equivalent SPL command is the following

| streamstats window=2 last(metric) as curr, first(metric) as prev | eval delta_ = curr-prev

2017-08-23 SPL-144350 Archived Index is created without error when the splunk index is invalid
2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2017-04-04 SPL-140765 Splunk having problems extracting json file consisting of 68k plus key-value pairs
2016-11-29 SPL-133182 When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.
2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-17 SPL-103247 Filtering on _time uses different semantics for the "=" operator on microseconds depending on whether the value is quoted.
2015-04-23 SPL-100170 Automatic Lookups limitation: No results returned in Smart Mode when there are nested lookups and the intermediate field is not mentioned in the search.
2014-12-22 SPL-94910 The replace function does not apply to fields names with an underscore in them.

Workaround:
Rename the fields before the replace.

... | rename *_* AS *-* | replace "something" by "somethingelse"

2014-11-13 SPL-93039 The relevancy search command does not work, always returning 0 or -inf.
2014-10-02 SPL-91638, SPL-107375 For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.
2014-09-15 SPL-90861, SPL-90396, SPL-90886 If search encounters invalid offsets or invalid rawdata at TSIDX offsets, it skips reading any number of events from that bucket. No message is displayed, though the information is added to search.log.
2014-04-16 SPL-83129 Eval function strptime does not return results when 1970 date is used.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-03-27 SPL-82357 The splunk clean all -f CLI command doesn't remove data from the main index on Windows systems.
2014-03-15 SPL-81934 For clusters, may be unable to open search results output file for search results in a cluster.

Workaround:
Write to a temp file and rename to the target file.
2014-02-21 SPL-80942 Flashtimeline: 500 Internal Server Error when pasting long URL into panel name.
2013-12-18 SPL-78179 REST /saved/searches App names with special characters have invalid links.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2021-04-14 SPL-204072, SPL-207674, SPL-207675 Using a subsearch on an accelerated datamodel leads to incorrect results

Workaround:
limits.conf on the SH:

[search]
phased_execution_mode = singlethreaded

2020-07-08 SPL-191676, SPL-191092 sendalert failed as results.csv.gz was not found
2020-05-28 SPL-189917 Alerts not working when special characters are used in trigger conditions

Workaround:
Click Advanced Edit for that Alert, in alert_condition, change it from [search mSec > 2] to [search mSec > 2] and save.
2020-03-23 SPL-185213, SPL-178252 DMA consuming much more RAM after upgrade to 7.X
2020-03-23 SPL-185212, SPL-178252 DMA consuming much more RAM after upgrade 7.X
2019-11-20 SPL-179987, SPL-178839 datamodels.conf does not respect stanza
2019-11-20 SPL-179988, SPL-178839 datamodels.conf does not respect stanza
2019-09-20 SPL-176812 Multiple SH Clustering with single deployer can't use datamodel summary sharing
2018-09-19 SPL-160286 The data preview for the Add Data workflow does not display for Log to Metrics source types
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-08-14 SPL-143947 Report acceleration is broken for users with a configured role-based access filter
2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain
2015-04-09 SPL-99421 Long name of app causes accelerated search to not complete normally and shows invalid results on Windows 2008 R2

Workaround:
Reduce length of name of the app and report acceleration searches will run properly within the context of the app.
2014-08-15 SPL-89332 Report acceleration summaries do not show in Settings when you have hundreds of reports accelerated.
2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-10 SPL-81645 Creating data model with root transaction name starting with root event name fails
2014-03-10 SPL-81637 Splunkd preview runs indefinitely on any file preview with "DATETIME_CONFIG=none".
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Charting, reporting, and visualization issues

Date filed Issue number Description
2020-07-16 SPL-192123, SPL-191120 Relative_time function in eval for token in dashboard date calculation returning future dates is wrong

Workaround:
Calculate relative_time in SPL instead and then grab the required token from the results. This can be done in 2 ways:

1. Add an additional panel with this query where we get the token from and hide that panel.

2. Use another base search that's hidden already.

2020-02-05 SPL-182842 Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map

Workaround:
Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats
2020-01-23 SPL-182114, SPL-179348 autoLB not switching IDX when reaching frequency limit

Workaround:
Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

2020-01-23 SPL-182113, SPL-179348 autoLB not switching IDX when reaching frequency limit

Workaround:
Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

2020-01-17 SPL-181933, SPL-181372 Bootstrap modal is not working in dashboard

Workaround:
No
2020-01-17 SPL-181932, SPL-181372 Bootstrap modal is not working in dashboard

Workaround:
No
2020-01-09 SPL-181525, SPL-182404, SPL-182841, SPL-182843 Issue with maps viz, geostats in combination with |append or |inputlookup append=t, some pie chart not showing on map

Workaround:
Avoid "| append" or "|inputlookup append=t" if you can in combination with geostats
2019-12-19 SPL-181194, SPL-179348 autoLB not switching IDX when reaching frequency limit

Workaround:
Reduce maxKBps on the UF - this was tested in the customer environment and showed some improvement in IDX switching.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

2019-10-17 SPL-178113, SPL-178989, SPL-179170, SPL-179171 Editing color scale using colorpalette in dashboard creates custom configuration
2016-09-15 SPL-128819, SPL-130243, SPL-130245 Editing panel in dashboard removes charting.legend.masterlegend option

Workaround:
Use <option name="charting.legend.masterLegend">null</option>
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


2015-02-23 SPL-97193 The initial value for Multiselect input does not display properly in Visualizations Editor if input has empty string.

Distributed search and search head clustering issues

Date filed Issue number Description
2021-03-26 SPL-203060 The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:
  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Remove comments preceded by a hash.
  • Reorder the KV pairs alphanumerically within a stanza.
  • Reorder stanzas within the file.


2021-02-01 SPL-200032, SPL-201499 Incorrect behavior of deployer_push_lookup_mode: Lookup isn't overwritten if global setting is always_preserve, local app setting is always_overwrite and the app on the deployer hasn't changed

Workaround:
Change any configuration option or the lookup itself on the deployer, for example, increment the version in app.conf:
/opt/splunk/etc/shcluster/apps/<myapp>/local/app.conf
[launcher]
version = 1.0.1
2020-07-15 SPL-192057, SPL-188608 Realtime and in-progress adhoc searches shows "Job terminated unexpectedly" on members of SHC other than the SH from which the search originated
2020-05-27 SPL-189811, SPL-188575 SHC scheduled dispatched the same scheduled-indextime-rt search 3 times - impact on ITSI
2020-05-12 SPL-188977, SPL-186803 One SHC member has stuck at Restarting during rolling restart
2020-04-01 SPL-185654, SPL-184281 Explanation for user-prefs replication and option to disable these.

Workaround:
To disable user-prefs replication, set the following in server.conf:

[shclustering]
conf_replication_include.user-prefs = false

That will definitely stop those replications.

2020-01-08 SPL-181498, SPL-181031 | metasearch + BatchMode order of magnitude slower than 7.2

Workaround:
1. Convert search to a tstats search instead:

| tstats count WHERE index=* BY index host source sourcetype

2. On the SH, disallow batch mode in limits.conf:

[search]
allow_batch_mode = false

This affects all searches, not just metasearch.

2019-12-17 SPL-181074, SPL-177889 Events found but not displayed, eventstats some events been ignored occasionally
2019-11-11 SPL-179351 loadjob fails when loading a job using savedsearch name - for specific regexes used in search string
2019-10-15 SPL-178002, SPL-175778 When pushing apps from the deployer to search head cluster members using 'full' mode, existing configurations in app default folders cannot be removed by redeploying the app
2019-10-15 SPL-178006, SPL-175784 Application does not exist error for bundle application with full mode when deploy app contains an empty default folder
2019-10-15 SPL-178003, SPL-175778 When pushing apps from the deployer to search head cluster members using 'full' mode, existing configurations in app default folders cannot be removed by redeploying the app
2019-10-15 SPL-178007, SPL-175784 Application does not exist error for bundle application with full mode when deploy app contains an empty default folder
2019-09-30 SPL-177270 Errors when accelerating saved searches that have variable component
2019-09-05 SPL-175964, SPL-178004, SPL-178005 README folders for some apps get deleted on captain during push from deployer to SHC
2019-08-13 SPL-174856, SPL-178008, SPL-178009 Out-of-sync issues can occur when using full or local_only push modes to push configurations from the deployer to the search head cluster

Workaround:
In full and local_only push modes, the deployer pushes configurations residing in $SPLUNK_HOME/etc/shcluster/apps/<app-name>/local directories to the captain, which then replicates them to the other members. During this process, the captain uses a whitelist to determine which configurations to replicate to members. The whitelist excludes certain configuration files, such as server.conf, limits.conf, and indexes.conf. Therefore, if the app local directories on the deployer contain such files, when you push them via full or local_only modes, the captain receives and applies those configurations to its own configuration directories but does not then replicate them to the other members, creating an out-of-sync situation.

To avoid this situation, either use the merge_to_default push mode or inspect the deployer's set of app local directories and ensure that they contain only whitelisted files. For details on the configuration replication whitelist, see "Configuration updates that the cluster replicates" in the Distributed Search manual.

For details on how the push mode determines the way that the deployer pushes configurations, see "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual.

2019-07-11 SPL-173029, SPL-184166, SPL-184164, SPL-184165 KV store backup/restore - large collection hangs at "Busy" status when trying to restore from a backup

Workaround:
Restore from the full KV store folder backup, if available.

Contact support for an alternative script to restore the backup (restorekv.py).

2019-03-13 SPL-167652 SHC-Repl: Enterprise Security app enabling inputs.conf replication causes issue when adding new SHC member.
2018-03-14 SPL-152148 KV store replication fails on the upgrade search head during SHC member-by-member upgrade.

Workaround:
To ensure there is no kvstore activity during upgrade, perform an offline upgrade as follows:
  1. Shut down all cluster members.
  2. Upgrade all members.
  3. Start the member


2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-03-13 SPL-138654 Splunk searches fail when filepath gets too long on Windows
2016-07-12 SPL-124085 On Search Head Cluster It is not possible to remove an App from the SHs once it has been disabled.
2015-11-15 SPL-109471 For Real Time Scheduled Search in search head cluster, alerts are triggered twice when members cannot HB to captain
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-02-26 SPL-97385 $SPLUNK_HOME/var/run/splunk/snapshot contains large tarballs in the presence of large ES lookup table files.

Workaround:
The allowable size of the download can be increased by setting the following in server.conf.

[httpServer]
max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is:

[Endpoint - Local Processes Tracker - Lookup Gen]

2014-08-25 SPL-90028 Using "inputcsv dispatch=true" to read a CSV from a dispatch directory may not work on search head cluster members that have a replica of the desired artifact.
2014-08-14 SPL-89131 In a search head cluster, the search Job management page on cluster member doesn't immediately reflect 'isSaved' state after you click Save.
2014-08-02 SPL-88228 When user clicks on the RSS feed for an alert, search pool information is not displayed. Individual pool member information is displayed, however.

Data model and pivot issues

Date filed Issue number Description
2021-04-14 SPL-204072, SPL-207674, SPL-207675 Using a subsearch on an accelerated datamodel leads to incorrect results

Workaround:
In limits.conf on the SH:

[search]
phased_execution_mode = singlethreaded

2020-03-23 SPL-185212, SPL-178252 DMA consuming much more RAM after upgrade 7.X
2020-03-23 SPL-185213, SPL-178252 DMA consuming much more RAM after upgrade to 7.X
2019-11-20 SPL-179987, SPL-178839 datamodels.conf does not respect stanza
2019-11-20 SPL-179988, SPL-178839 datamodels.conf does not respect stanza
2019-09-20 SPL-176812 Multiple SH Clustering with single deployer can't use datamodel summary sharing
2014-12-08 SPL-94047, SPL-98628 While creating a Pivot and using the _time column as a Split column, the table columns aren't formatted in a human-readable way, but are displayed with the epoch timestamp. It works when using _time as a 'Split Row' column.
2014-05-01 SPL-83686 Data Model Pivot: Extra NULL column displays in Pivot with big data and Numbered Attribute in Split Columns.

Workaround:
The workaround is to add filter status=*, or make a more refined Data Model that has an object for events with status.
2014-03-24 SPL-82262, SPL-82241 Pivot search command fails for an admin trying to pivot on a Private Data Model created by a User.
2014-03-20 SPL-82164 Migrating invalid data models from 6.0 to 6.x fails.
2014-03-19 SPL-82133 Data model allows users to upload a JSON file which has Field names with spaces but will not validate it.
2014-03-11 SPL-81701 Data Model Pivot, "Legend Position" and "Stack Mode" change to default settings if you change the X/Y-Axis more than once.
2014-03-10 SPL-81645 Creating data model with root transaction name starting with root event name fails
2014-03-07 SPL-81538 When using Pivot, stack mode is lost when "Scatter Chart" is selected.
2013-11-26 SPL-77054, SPL-77055 Data model objects that have names starting with an underscore character ("_") do not work correctly and cannot be used in Pivot.

Indexer and indexer clustering issues

Date filed Issue number Description
2020-06-26 SPL-191346, SPL-188562 Indexers crashes: Crashing thread: cachemanagerDownloadExecutorWorker-318 fails on assertion: `_groups_remaining > 0'
2020-05-08 SPL-188878, SPL-189040 When a cluster slave restarts without $SPLUNK_HOME/etc/slave-apps, but current active bundle file still present, splunk starts up without slave-apps.

Workaround:
With the CM in maintenance mode, stop the affected peer, remove its downloaded bundle files and slave-apps directory, and start it again:

  1. /opt/splunk/bin/splunk stop
  2. rm /opt/splunk/var/run/splunk/cluster/remote-bundle/*.bundle
  3. rm -Rf /opt/splunk/etc/slave-apps
  4. /opt/splunk/bin/splunk start
2020-03-16 SPL-184958, SPL-183290 Using REST or CLI to validate and apply bundle causes peers to restart twice

Workaround:
Use the GUI to apply the settings
2020-03-16 SPL-184957, SPL-183290 (Quake) - Using REST or CLI to validate and apply bundle causes peers to restart twice

Workaround:
Use the GUI to apply the settings
2020-01-23 SPL-182121, SPL-182014 60 Indexers in a cluster are crashing sporadically -Crashing thread: cachemanagerDownloadExecutorWorker-10
2019-10-21 SPL-178220, SPL-179596 Cluster master can crash after triggering of data rebalance or primary rebalance

Workaround:
Extend rebalance_primaries_execution_limit_ms to half of rcv_timeout.
2019-10-20 SPL-178208, SPL-178824 Indexer cluster bundle push fails: _metrics missing from _cluster/default/indexes.conf

Workaround:
Add these stanzas to $SPLUNK_HOME/master-apps/_cluster/local/indexes.conf and push the bundle again:
[_metrics]
repFactor = 0

[_introspection]
repFactor = 0


2018-10-23 SPL-161815 Thawed buckets in a indexer cluster are sporadically unsearchable upon restart
2017-03-16 SPL-138846 In multisite clustering, deletion of events in hot buckets is not pushed to other sites
2016-08-25 SPL-127353 Data rebalance finishes early when one peer is the source for all buckets

Workaround:
When only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time.
2015-05-08 SPL-101184 Rolling restart in an Indexer Cluster may not be successful on a peer if a oneshot command is also running on that peer. Perform a manual restart to revive the peer.
2014-10-13 SPL-91861 On Windows indexer on an ec2 instance, splunk-optimize main thread can crash on buckets on the temporary drive z:\>.
2014-09-29 SPL-91432 On Windows when the master is down, the CLI command splunk offline hangs when run from one of the streaming target peers.
2014-09-08 SPL-90630 On a multisite cluster, no warning is given when search head names are the same.
2014-07-29 SPL-87816 When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza.

Workaround:
Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
2014-07-14 SPL-86799 After adding a new license to the clustering search head, splunkd on restart cannot be reached by splunkweb.
2014-04-29 SPL-83636 When configuring a multi-site cluster using cluster-config, the error messages are incorrect if the SF/RF was previously set.
2014-03-18 SPL-82038 Cluster-config does not work if a parameter value includes a space character.
2014-03-17 SPL-81955 Multisite: Peer takes approximately 6 minutes to restart when its site configuration is changed.
2014-01-06 SPL-78688 Peer is able to change to an invalid (empty) replication port
2013-08-06 SPL-72484 You cannot use the CLI to delete an index with a capital letter in its name.

Data Fabric Search issues

Date filed Issue number Description
2020-01-02 SPL-181315, SPL-180880 Non-escaped Brackets in dfsjob results in being interpreted as search command
2019-09-08 SPL-176133, SPL-175177, SPL-177151 DFS searches with nested joins fail, if the nested join uses the rename command.

Workaround:
Do not use the rename command in nested joins when constructing DFS SPL searches. Thus, the following DFS search will fail:
dfsjob[search index=airlinedata | stats count by Origin Dest | join max=0 left=L right=R where L.Dest=R.Origin [ | search index=airlinedata | stats count by Origin Dest | join max=0 left=L right=R where L.Dest=R.Origin [| search index=airlinedata | stats count by Origin Dest] | rename L.* AS * , R.* AS * ]]
2019-09-02 SPL-175783 Search results for the stats function perc95() are different for DFS and Splunk Enterprise

Workaround:
Use exactpercX(Y) function instead of perc95( ) to get more accurate results.
2019-07-24 SPL-173766 Search heads in a distributed search environment are unable to sync on available Spark resources

Universal forwarder issues

Date filed Issue number Description
2021-08-16 SPL-210384, SPL-211917 Rolling restart causes forwarders to block
2021-06-07 SPL-206864, SPL-175138 UF stops ingesting sourcetype upon message - Bug during applyPendingMetadata
2021-06-06 SPL-206837, SPL-175138 UF stops ingesting sourcetype upon message - Bug during applyPendingMetadata
2021-06-06 SPL-206836, SPL-175138 UF stops ingesting sourcetype upon message - Bug during applyPendingMetadata
2020-09-29 SPL-195635, SPL-202178, SPL-206477, SPL-202163, SPL-206534 Splunkd increased memory usage over time when monitoring UDP port(s) with in inputs.conf
2020-03-27 SPL-185540, SPL-183953 Batch Stanza deleting file upon restart/read completion
2019-12-11 SPL-180846, SPL-167310 Error in splunkd.log "splunk-perfmon - OutputHandler::composeOutput: Counter is not found: "
2019-06-25 SPL-172452, SPL-177658, SPL-185313 Endpoint /services/data/outputs/tcp/group/{name} missing important parameters
2019-05-28 SPL-171178, SPL-167307, SPL-202078 Indexer Acknowledgement causes metric index events that do not have "_raw" fields to be duplicated

Workaround:
Indexer acknowledgement is a feature that helps prevent loss of data when forwarders send data to an indexer. Indexer acknowledgement is controlled by the Boolean useACK setting in inputs.conf and outputs.conf.

Indexer acknowledgement uses the _raw field to track completeness of delivery for each event. In some cases, when an event does not contain a valid _raw field, Splunk servers fail to determine whether the event is completely delivered and do not return acknowledgement for it, even when the event is processed successfully. As a result, the forwarder sends the same event again, leading to duplication of indexed data. This can affect metric indexes, where events with the JSON source type will not have _raw fields.

When this issue occurs, the workaround is to set useACK=false to disable indexer acknowledgement. You may want to set up multiple forwarding/HEC channels or ports with two useACK settings, to meet the needs of both kinds of source events: those that contain the _raw field and those that do not.

2019-01-28 SPL-165635, SPL-191773, SPL-189789 splunk not reading file after log rotation
2018-04-10 SPL-153251 Universal Forwarder txz package cannot be installed on FreeBSD 11.1

Workaround:
1. Use pkg install instead of pkg add.

OR

2. Install the package by untarring the tgz file to /opt/splunkforwarder.

2017-05-23 SPL-141961 Older 6.0, 6.1, 6.2, 6.3 maintenance release versions unable to connect to 6.6.x and later via management port.

Workaround:
This applies to License Master/Slave, Deployment Server/Client, Cluster Master/Peers, Search Head/Peers and affects Splunk 6.6.x and the following versions:
  • 6.0.0 to 6.0.6
  • 6.1.0 to 6.1.4
  • 6.2.0 to 6.2.6
  • 6.3.0 to 6.3.1
  • 6.3.1511.1

Upgrade your older instances to the latest maintenance releases or, on your 6.6.x Splunk instances, add the following stanza to server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


2017-03-20 SPL-139019 Possible compatibility issues between Python / SDK clients and new 6.6 and later default sslVersions, cipherSuites

Workaround:
Users can do either of the following:

1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully.

3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc.). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites.

2017-03-14 SPL-138731 New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled

Workaround:
Users can do any of the following:

1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security.

2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk

3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/

2015-06-10 SPL-103010 Indexing throughput on a forwarder with four pipelinesets drops 30% compared to a forwarder with two pipelinesets.
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf:

[WinEventLog://Security]
evt_resolve_ad_obj = 0
2015-04-07 SPL-99316 Universal Forwarders stop sending data repeatedly throughout the day

Workaround:
In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
2015-03-25 SPL-98594 Routing events to two different groups not working as expected.

Workaround:
1. On the original UF, instead of configuring 1 s2s and 1 syslog group, configure 2 s2s groups.

2. Set up a proxy UF that takes input from the original UF and sends it out to the syslog server. This solution only requires a config change; no patch release is required.

2014-08-05 SPL-88396 After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI

Workaround:
Create a server class, where you can see the client name, and use that group when you add data.

Distributed deployment, forwarder, deployment server issues

Date filed Issue number Description
2020-02-28 SPL-184113, SPL-201518 when targetRepositoryLocation is set in a  stanza in serverclass.conf, invalid key error is thrown on startup
2019-10-15 SPL-178003, SPL-175778 When pushing apps from the deployer to search head cluster members using 'full' mode, existing configurations in app default folders cannot be removed by redeploying the app
2019-10-15 SPL-178005, SPL-175964 README folders for some apps get deleted on captain during push from deployer to SHC
2014-10-02 SPL-91648, SPL-91358 Forwarder unable to push scripted inputs to a Linux deployment client from a Windows deployment server.
2014-08-15 SPL-89333 Using client filtering in forwarder management interface when the deployment server is servicing a large numbers of deployment clients (over approximately 5000) can cause a temporary spike in memory usage.
2014-06-20 SPL-85739 When running a high number of deployment clients for a server, memory growth may be excessive.

Workaround:
To mitigate this, set forceHttp10=always.

Monitoring Console issues

Date filed Issue number Description
2021-03-29 SPL-203100 Summary page on monitoring console doesn't show correct RF/SF when not running on the CM.
2021-01-19 SPL-199534, SPL-201388, SPL-201386, SPL-201838 "DMC Alert - Total License Usage Near Daily Quota" does not work in case of fixed-sourcetype license
2020-11-26 SPL-198032, SPL-201347, SPL-201348 MC - Daily License Usage reports pool size incorrectly when filtered by pool

Workaround:
Step 1: Search and update text from

`$daily_usage_search$($splunk_server$, $size_search$, $host$, "$split_by_field_name$", "$pool$")`

to

`$daily_usage_search$($splunk_server$, $size_search$, $host$, "$pool$", "$split_by_field_name$")`

in the following file

$SPLUNK_HOME/etc/apps/splunk_monitoring_console/default/data/ui/views/license_usage_historic.xml

Step 2: Restart splunk

2019-11-13 SPL-179528 The splunktcp and splunktcp-ssl stanzas are not reloadable in inputs.conf
2017-08-18 SPL-144193 Bundle validation errors prevent future app deployment to indexer cluster
2017-08-14 SPL-143981 Uninstall app dialog does not show the app name correctly when the app doesn't have the label
2017-08-04 SPL-143664 Uploaded apps page makes two calls to packages endpoint
2017-05-24 SPL-141982 Upload modal should use size=large File element
2017-04-19 SPL-141274 Clicking Install multiple times in Install dialog causes error
2017-04-19 SPL-141273 Task endpoint fetch once even when there's no last deploy task id
2017-03-07 SPL-138351, SPL-172626 The role change of DMC via UI does not reflect to distsearch.conf

Workaround:
As a workaround, manually modify distsearch.conf.
2016-11-14 SPL-132151 XML error when trying to download uninstalled app

Splunk Web and interface issues

Date filed Issue number Description
2020-12-04 SPL-198305 In Internet Explorer 11, using a "Favorite" link to access SplunkWeb fails

Workaround:
Register either one of the following URLs.

(1) For the login page, use the following URL, for example:

http://IP:Port/en-US/account/login

(2) Register a non-login page such as Home or Search.

2020-06-26 SPL-191342, SPL-191877 All event types are extracted for numeric _raw data
2020-04-14 SPL-186357, SPL-184352 No more "Wrap results" option when using "Show source" in 8.0+
2019-11-21 SPL-179999 Show source action is not working when root endpoint is enabled
2019-07-11 SPL-173061 UI exposes a nonfunctional option for modifying permissions on custom search commands
2019-02-21 SPL-179445, SPL-183710, SPL-184707 custom.xml in default/data/ui/nav breaks navigation bar in other apps
2017-08-23 SPL-144350 Archived Index is created without error when the splunk index is invalid
2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2016-11-14 SPL-132133 App Browser filtering of the apps does not work
2015-11-09 SPL-109165 Interactive Field Extractor hangs when using "^" as delimiter.

Workaround:
Use props and transforms to specify the delimiter of your choice.
2015-08-10 SPL-105061, SOLNESS-7274 Broken module prevents splunkweb from starting
2015-06-30 SPL-103701 Actions links should be removed for "Apps Browser"
2014-07-16 SPL-87015 chart count by source and *| cluster showcount=t | table cluster_count _raw) no metadata/ result is available when user drills down on Count and Percent columns.
2014-04-04 SPL-82650 A report created and scheduled by admin cannot be embedded by a power user.
2014-02-26 SPL-81103 Username surrounded by dollar signs cannot create saved searches.
2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

Windows-specific issues

Date filed Issue number Description
2020-12-04 SPL-198305 In Internet Explorer 11, using a "Favorite" link to access SplunkWeb fails

Workaround:
Register either one of the following URLs.

(1) For the login page, use the following URL, for example:

http://IP:Port/en-US/account/login

(2) Register a non-login page such as Home or Search.

2019-12-11 SPL-180846, SPL-167310 Error in splunkd.log "splunk-perfmon - OutputHandler::composeOutput: Counter is not found: "
2019-12-10 SPL-180763, SPL-167310 Error in splunkd.log "splunk-perfmon - OutputHandler::composeOutput: Counter is not found: "
2015-04-14 SPL-99687, SPL-129637 Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.

Workaround:
To mitigate this, edit the following stanza in inputs.conf:

[WinEventLog://Security]
evt_resolve_ad_obj = 0
2015-04-01 SPL-98978 On differing versions of Splunk Enterprise indexer (5.0.1) and universal forwarder (6.2.2), collection of the Security Event log can take increasingly longer over time.

Workaround:
To fix the problem, restart Windows on the forwarder.


2014-10-31 SPL-92596 After upgrade from Splunk Enterprise 6.1 or earlier to 6.4.x on Windows, splunkweb service does not start automatically. Attempts to start it manually show "Error 1053: The service did not respond to the start or control request in a timely fashion."

Workaround:
This is expected behavior. See the Splunk Answers post: http://answers.splunk.com/answers/177187/why-is-the-splunk-web-service-not-running-after-an.html
2014-09-25 SPL-91279 Splunk Universal Forwarder on Windows (specifically, the splunk-perfmon.exe process) does not release key handles.

Workaround:
See "Handle leak when an application collects performance data in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2" on the Microsoft Support website for a hotfix download.
2013-10-11 SPL-75116 The UI does not show configured items of some newly converted windows modular inputs that contain the name "default" in the stanza

Workaround:
Edit inputs.conf: in stanzas that contain WinRegMon://default, replace "default" with something else, then restart splunk.

REST, Simple XML, and Advanced XML issues

Date filed Issue number Description
2020-03-16 SPL-184958, SPL-183290 Using REST or CLI to validate and apply bundle causes peers to restart twice

Workaround:
Use the GUI to apply the settings
2020-03-16 SPL-184957, SPL-183290 (Quake) - Using REST or CLI to validate and apply bundle causes peers to restart twice

Workaround:
Use the GUI to apply the settings
2019-06-25 SPL-172452, SPL-177658, SPL-185313 Endpoint /services/data/outputs/tcp/group/{name} missing important parameters
2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2016-10-31 SPL-131072 Datamodel backend allows invalid time values
2013-05-15 SPL-67453 When sending the following XML data as a GET or POST param to a custom splunkd endpoint: <dashboard>&lt;foo&gt;</dashboard>, the endpoint actually receives:<dashboard><foo></dashboard>.

PDF issues

Date filed Issue number Description
2016-11-23 SPL-132925 Table data rows generated with the addcoltotals command do not show up in PDF

Workaround:
If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

2015-03-31 SPL-98890 Maps printed from Report page do not honor custom zoom and center.
2014-06-16 SPL-85497 Unable to save generated PDFs using Chrome internal PDF viewer.

Workaround:
Enable Adobe Acrobat or Acrobat Reader as the default PDF viewer in Chrome. For more information, see https://support.google.com/chrome/answer/142056.


Admin and CLI issues

Date filed Issue number Description
2021-04-08 SPL-203821, SPL-182510, SPL-204154 Splunk anonymize will crash in certain Python 2 and Python 3 environments.

Workaround:
Use an older Splunk instance to anonymize.
2021-03-26 SPL-203060 The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:
  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Remove comments preceded by a hash.
  • Reorder the KV pairs alphanumerically within a stanza.
  • Reorder stanzas within the file.
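
Because of the rewrite described above, a byte or hash comparison of local/distsearch.conf reports a change on every service start. The following added example (not Splunk code) compares effective settings instead, so configuration monitoring can separate the cosmetic rewrite from a real change. The sample file contents and values are constructed, and the simplified parser does not handle backslash line continuations.

```python
import re

STANZA_RE = re.compile(r"^\[(.+)\]$")

# Constructed sample contents; stanza values are illustrative, not real defaults.
DEFAULT = """\
[distributedSearch]
statusTimeout = 10
connectionTimeout = 10
"""

LOCAL_BEFORE = """\
# peers maintained by the platform team
[replicationSettings]
maxBundleSize = 4096

[distributedSearch]
statusTimeout = 10
servers = https://idx1.example.com:8089,https://idx2.example.com:8089
"""

# What the file looks like after the rewrite the page describes: comments
# gone, the key equal to the default removed, stanzas and keys reordered.
LOCAL_AFTER = """\
[distributedSearch]
servers = https://idx1.example.com:8089,https://idx2.example.com:8089

[replicationSettings]
maxBundleSize = 4096
"""

# Same layout as LOCAL_AFTER, but the peer list really differs.
LOCAL_CHANGED = """\
[distributedSearch]
servers = https://idx1.example.com:8089

[replicationSettings]
maxBundleSize = 4096
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, ignoring '#' comments."""
    stanzas = {}
    current = "default"  # keys that appear before any stanza header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def effective(default_text, local_text):
    """Overlay local settings on the defaults, as layered .conf files resolve."""
    merged = {s: dict(kv) for s, kv in parse_conf(default_text).items()}
    for stanza, kv in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def semantic_changes(default_text, before_text, after_text):
    """Return (stanza, key, old, new) for every effective setting that differs."""
    old = effective(default_text, before_text)
    new = effective(default_text, after_text)
    changes = []
    for stanza in sorted(set(old) | set(new)):
        o, n = old.get(stanza, {}), new.get(stanza, {})
        for key in sorted(set(o) | set(n)):
            if o.get(key) != n.get(key):
                changes.append((stanza, key, o.get(key), n.get(key)))
    return changes


if __name__ == "__main__":
    for label, after in (("rewrite", LOCAL_AFTER), ("edit", LOCAL_CHANGED)):
        diff = semantic_changes(DEFAULT, LOCAL_BEFORE, after)
        print(label, "bytes differ:", LOCAL_BEFORE != after, "settings:", diff)
```

Run it against a saved copy of the file taken before the restart and the current default/distsearch.conf; an empty result means only layout changed.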


2020-08-22 SPL-194053, SPL-193257 create_context=usr: notify mothership for newly created file

Workaround:
Change permissions after each lookup table creation.

Alternatively, upload a pre-created or pre-existing CSV lookup, although this is often not possible.

2020-07-16 SPL-192123, SPL-191120 Relative_time function in eval for token in dashboard date calculation returning future dates is wrong

Workaround:
Calculate relative_time in an SPL search instead and then take the required token from the results. This can be done in 2 ways:

1. Add an additional panel with this query, take the token from it, and hide that panel.
2. Use another base search that is already hidden.

2020-04-14 SPL-186365 Users are able to create/clone knowledge objects into apps where they lack permissions
2019-08-05 SPL-174406, SPL-109254 Root unable to run splunk cli if SPLUNK_OS_USER is set
2017-11-29 SPL-146820 Unable to access some settings/manager pages (data model editor) if starting from the setup page of a non-visible app

Workaround:
Navigate to a visible app, such as the search and reporting app, and access the Splunk settings pages from that app context.
2017-11-07 SPL-146255 limits.conf enable_clipping choropleth setting is app/user tunable rather than global like the rest of limits.conf
2017-04-11 SPL-141051 When LINE_BREAKER is defined for a sourcetype, UI forces SHOULD_LINEMERGE to true

Workaround:
None in Splunk Cloud.

For on-prem, manually edit the props.conf file to set SHOULD_LINEMERGE to 'false'.

2017-04-03 SPL-140747 SSL connection in Python when using new ciphers may be slow.
2016-11-09 SPL-131880 Reports/Alerts owned by the deleted user cannot be found in the Orphaned filter for the Reassign Knowledge Objects page
2015-09-23 SPL-106978 Failed SHC captain election causes unnecessary change in server.conf
2015-03-11 SPL-97942 Capability defined in an app does not take effect when assigned to a role

Workaround:
The workaround is to change the ui-prefs in ./etc/users/username/local/ui-prefs.conf to look like this:

[search]
display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"]
display.events.type = table

2014-04-07 SPL-82699 SSO: Acceleration icon fails to display in Searches, Reports, and Alerts page.
2013-05-25 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO.

Workaround:
Set server.conf [applicationsManager] allowInternetAccess = false
2013-05-02 SPL-66511 If $SPLUNK_HOME/etc is located on a case-insensitive filesystem, creating a new view with the same name as an existing view but with different case (capital letters vs lowercase, etc) silently overwrites the existing view.

Uncategorized issues

Date filed Issue number Description
2021-07-05 SPL-208338, SPL-208754, SPL-210528, SPL-210529 When using a License Manager that has both ITSI and Hunk license installed, all connected Splunk instances are showing Hunk branding
2021-05-02 SPL-205109 Excessive WARN ScopedLDAPConnection "Converting non-UTF-8 value to" in the splunkd.log file
2020-08-11 SPL-193425, SPL-191436 Diag needs updating so it obfuscates or removes values for remote.s3.kms.key_id values
2020-08-11 SPL-193426, SPL-191436 Diag needs updating so it obfuscates or removes values for remote.s3.kms.key_id values
2020-07-09 SPL-191770, SPL-174782 SAML Config Error When Optional Field is Empty
2020-06-04 SPL-190313, SPL-183454 slash character present in sourcetype prevents editing of Field Extractions
2020-04-16 SPL-186483, SPL-184315 Search Head Cluster Member appending splunk.secret with contents from memory

Workaround:
Recreate and redeploy splunk.secret.
2020-04-14 SPL-186425, SPL-193996 SmartStore: Rebuilding an evicted DMA summary causes us to re-upload the old tsidx file with the newly rebuilt one
2020-04-11 SPL-186282, SPL-186347, SPL-186348, SPL-186349, SPL-186351, SPL-186647 DMA rebuild can cause indexer crashes in race condition when CacheManager reports a failed download (S3Client 403) in the same period where we're trying to upload for the same bucket
2020-04-02 SPL-185715, SPL-183142 Session token generated in JWT/Bearer token-based call cannot be used to auth rest calls

Workaround:
This issue affects only SH clusters, not standalone instances, from 7.3 onwards.

Specifically impacts apps that use rest endpoints. The workaround is to use the old way of authenticating, username/password.

2020-04-02 SPL-185714, SPL-183142 Session token generated in JWT/Bearer token-based call cannot be used to auth rest calls

Workaround:
This issue affects only SH clusters, not standalone instances, from 7.3 onwards.

Specifically impacts apps that use rest endpoints. The workaround is to use the old way of authenticating, username/password.

2020-02-17 SPL-183467, SPL-183647 It is not possible to use custom python on Universal Forwarder breaking scripted inputs for example

Workaround:
a. Install a copy of python in the splunk directory, for example
$SPLUNK_HOME/bin/python3 (linux)
$SPLUNK_HOME\bin\Python3 (Windows)

and rename the python.exe executable to python3.exe for example, if you're using Windows.

b. copy the custom python exe into $SPLUNK_HOME/bin and set PYTHONPATH to the custom python lib

1. add this to server.conf:

[general]
python.version = force_python3

2. copy custom python executable to $SPLUNK_HOME/bin

3. in $SPLUNK_HOME/etc/splunk-launch.conf add PYTHONPATH to the OS install directory, for example on Windows:

PYTHONPATH=C:\Python3\lib

c. shim the scripted input's python script with a shell script that calls python in turn (bash, powershell)

2020-02-10 SPL-183089, SPL-132957 Report created by user name with space in can not be accelerated
2020-02-07 SPL-183003, SPL-183000 diag cannot get index listings for UNC paths
2020-01-23 SPL-182112, SPL-183394 ERROR TcpInputProc - Encountered Streaming S2S error=Received reference to unknown channel_code=128 (or higher), in combination with useAck this can cause event duplication.

Workaround:
On the forwarder:

$SPLUNK_HOME/etc/system/local/outputs.conf:

[tcpout]
negotiateProtocolLevel = 5
2019-12-17 SPL-181055, SPL-181178 Eval operations in DFS are rounding results to the nearest integers instead of displaying results as floating point numbers.
2019-12-12 SPL-180896, SPL-191129, SPL-203942 diag fail with: UnicodeDecodeError on 8.0.0
2019-11-25 SPL-180147 Memory Consumption issue by powershell script
2019-11-13 SPL-179545, SPL-179201 Predicate search_time_range does not work with monitoring actions (abort, move, alert) for historical searches
2019-11-13 SPL-179562, SPL-179459 Predicates search_time_range doesn't work with scheduled searches
2019-11-12 SPL-179496, SPL-179347 msearch: multi-valued fields are not extracted properly
2019-11-08 SPL-179256, SPL-179703, SPL-180148, SPL-180149 kvstore inputlookup with large 'where' filter fails silently when hitting 300 second timeout

Workaround:
Change the logic of your search so that the filtering is done later, in | search.

2019-11-05 SPL-180436 Index creation causing rolling restart on cloud stack due to DEFAULT.conf
2019-11-05 SPL-178973, SPL-176583 Check receipt existence before making GET call in dedup code
2019-10-18 SPL-178172, SPL-180649, SPL-181717 Disabling replication of kvstore collection for automatic lookup causes "Could not load lookup=..." errors to appear
2019-10-17 SPL-178148, SPL-180165, SPL-180474 Disable edit operation in HEC manager page for non-DMC search heads
2019-10-15 SPL-177999, SPL-175298 license_warnings_update_interval default value is less than minimum permitted threshold 10
2019-10-13 SPL-177925, SPL-176230 HealthReporter threads deadlock resulting in stuck _reload, blocked ingestion, eventually causing a crash
2019-10-09 SPL-177752, SPL-180193, SPL-180194, SPL-180195 Deadlock in splunk when using pstacks action
2019-10-03 SPL-177447 Bundle replication takes longer than expected time for indexers that have bundleEnforcerBlacklist configured
2019-09-26 SPL-177144, SPL-177326 Under heavy search workload, the search memory usage estimation may be higher than actual usage
2019-09-25 SPL-177008, SPL-176710, SPL-177009 Workload management fails to enable for addition of a pool with 1% cpu and 1% memory
2019-09-16 SPL-176514 Offline rebuild of unsearchable bucket may lead to stale information in dbinspect searches
2019-07-19 SPL-173449, SPL-173259 timezone isn't stored for start_time/end_time of rule schedule every_day/every_week/every_month
2019-06-05 SPL-171553, SPL-171647 Smartstore: S3 GET is being done before S3 PUT for the receipt.json causing 404 errors (Source peer should not check if the bucket/receipt exists during uploads)
2019-03-26 SPL-168314 SmartStore standalone instance + Monitoring Console: Bootstrapping panel needs to reflect the standalone bootstrapping process
2018-10-17 SPL-161632 Can't install RPM Splunk 7.2+ file in Red Hat EL5
2018-09-04 SPL-159598 mongo 3.4 to 3.6 upgrade sometimes misses fcv document
2018-04-18 SPL-153555, SPL-152283 mongod errors out on distros with older glibc (2.7 and below) with " Invalid access at address: 0x10"
2018-03-20 SPL-152330, SPL-151992 After installing Splunk on Windows using msiexec and the "GENRANDOMPASSWORD=1" option (and if generated password ends with backslash) admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2018-03-14 SPL-152095 Edit Summary Indexing - Index List empty/incomplete for User with Power role after upgrading to 6.6.0+

Workaround:
Add the indexes_edit and dispatch_rest_to_indexers capabilities to the Power role for all indexes to be listed.
2018-01-25 SPL-148514 Splunk not starting on Linux kernel version 4.13.0-31

Workaround:
Do not upgrade kernel to version 4.13.0-31. Use either an older release or 4.13.0-32.35+
2017-05-09 SPL-141693 DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list.
2017-04-27 SPL-141478, SPL-237563 $_index_name does not resolve properly when used with the thawedPath pathname
2017-03-27 SPL-140442, SOLNESS-11786 In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses.

Workaround:
If users cannot perform operations on notable event review statuses or have issues viewing "Edit all selected" links on Incident Review, user roles must be provided with the "edit_roles" capability.
2017-02-21 SPL-137224, SPL-119375, SPL-185125 high response time for splunkd affecting license master

Workaround:
Set the TZ environment variable in $SPLUNK_HOME/etc/splunk-launch.conf:

TZ=:/etc/localtime

Or set whichever time zone you want to use, in the form TZ=<timezone>. Example: TZ=US/Pacific

Then stop and start Splunk:

splunk stop; splunk start;

Note: Do not run splunk restart.

2017-01-18 SPL-135260 Documentation for Search formatting keyboard shortcut for non-English languages
2017-01-06 SPL-134707 Splunk restart does not create missing server.pem certificate on Windows

Workaround:
Use bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate.
2016-11-21 SPL-132670 Mac OS 10.11: disable boot-start doesn't remove the file /Library/LaunchAgents//com.splunk.plist by enabling boot-start in prior Splunk/UF
2016-08-31 SPL-127800 Opting in to data sharing on a monitoring console produces duplicate data
2016-07-26 SPL-125052 Sole Admin can demote themself to Power without path of recovery in GUI.

Workaround:
Through the command line, you can open notepad and modify the password file to regain 'Admin' status.
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs
2015-10-07 SPL-107606 Inconsistency between summary and datamodel_summary files.
2015-06-18 SPL-103302 File ownership fails to change when using the Debian package to install Splunk and $SPLUNK_HOME is a symlink

Workaround:
Run a recursive chown from the command line on $SPLUNK_HOME manually, post install.
2015-06-18 SPL-103325 SHC cookie-based auth depends on all SHC members being on the same mgmt port
2015-05-24 SPL-102008 On Internet Explorer, a warning message does not display when you cannot log in due to a time zone difference.
2015-05-11 SPL-101289 When the number of indexing pipeline sets is greater than four, indexing throughput decreases.
2015-05-06 SPL-100980 Single indexer does not scale when receiving parsed data from multiple PipelineSets.
2015-05-04 SPL-100792 There are multiple group=thruput metrics lines in metrics.log. Searches that do not differentiate among them may get falsely high totals.

Workaround:
Searches that key off these lines need to select their desired name=x category in order to see a single thruput value.
2015-04-24 SPL-100322 A view gets stuck with "loading" due to problematic navigation (default.xml)

Workaround:
Use the label attribute for the collection element.

<collection label="Others">
    <view source="unclassified" match="Dashboard"/>
</collection>
2015-03-26 SPL-98700 splunkd Indexer crashes in IndexerTPoolWorker due to duplicated bucket id.

Workaround:
The workaround is to remove the duplicated bucket.
2015-02-26 SPL-97389 When using timechart command, the embedded report shows different time format than the original report.
2015-01-08 SPL-95144, SPL-101986, SPL-101987, SPL-106884, SPL-107317, SPL-142789 Indexed message for Windows security event logs shows "FormatMessage error"

Workaround:
Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.
2014-11-10 SPL-92831 A mismatch of versions between the license-master and the license-slave is generating Warning messages like "WARN LMDirective - directive cmd=D_set_feature_state args='Acceleration,ENABLED' failed: reason='feature='Acceleration' is invalid' ."

Workaround:
The warnings can be ignored. The workaround is to use the same major version on all instances (all on 6.2 or all on 6.1).


2014-10-24 SPL-92432, SPL-99583 Chart in dashboard panel does not honor interval settings.

Workaround:
In the panel XML, specify a larger height to use the correct interval settings.
2014-10-17 SPL-92162 Writing large amounts of data (> 20 GB) to KV store collections using outputlookup can result in high memory usage on the machine.
2014-09-11 SPL-90738 Monitoring a directory with an unknown sourcetype produces indexing errors.
2014-08-26 SPL-90139 <timestamp> does not display in the Patterns tab when searches are run in fast mode.
2014-04-22 SPL-83365 Splunk Enterprise on Windows does not show an error message when a user without the edit_license capability tries to add a license through the CLI.
2014-04-14 SPL-83068 Default index can be set to random index.
2014-04-01 SPL-82517, SPL-208875 Paper Size and Layout in PDF Schedule dialog do not respect Paper Size and Layout in Email Settings.
2014-03-23 SPL-82238 Datamodel fails to drill down further when the same attribute for Split Rows and Split Columns are selected.
2014-03-13 SPL-81856 Show all lines does not work in data model editor preview.
2014-03-12 SPL-81810 Licensing - license pool warning at license master keeps coming back after deleting it.

Workaround:
Delete the warnings on the peers first, then the License Manager.
2014-03-12 SPL-81781 In the Data Model Manager, "Acceleration Status" and "Access Count" fail to update when you click "Update".
2014-02-13 SPL-80568 Highcharts determines Y-axis values based on first point outside visible range.
2014-02-07 SPL-80285 In the Data Model Editor, the Edit Lookup page is blank if Lookup is shared only in Lookup Definitions.

Workaround:
For more information, see Add lookup files to Splunk.
2014-02-06 SPL-80187 In the Data Model Editor, lookup pages open with options displayed for other Lookup when the data model definition is private but the file is app or globally shared.

Workaround:
Share the definition. For more information, see Add lookup files to Splunk.
2014-01-31 SPL-79842 On Windows, Indexer doesn't accept new connections on splunktcpin port after queue blockage is resolved
2013-11-27 SPL-77139 Licenser pool usage gets reflected only after restarting splunkd.
2013-10-29 SPL-75764 Forwarder forwards duplicate data after props.conf is in place for cross platform scenario/when the forwarder is on Solaris and the indexer is on Linux.
2013-09-13 SPL-74337, BETA-496 You cannot specify a destination folder when installing on OSX.
2013-09-10 SPL-74209, SPL-74167 Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >).

Workaround:
Specify the persistentQueue explicitly in the input definition.
2013-08-28 SPL-73826 Windows: hostname override not working properly
2012-02-22 SPL-48342 LDAP strategy host field cannot work with ipv6 format address but computer name is okay
2010-10-08 SPL-34347 wmi input default fields - with value including newlines doesn't search properly because of \r\n issue

Splunk Analytics Workspace

Date filed Issue number Description
2019-09-20 MAW-3060, MAW-3135 Email options for streaming alert creation does not result in expected email content

Workaround:
Avoid usage of the following email options when using streaming alerts:

"Search String", "Trigger Condition", and "Link To Results".

2019-09-16 MAW-3037, MAW-3066 Error may occur when saving an alert on a duplicate series

Workaround:
Identical series added to a chart are de-duplicated. When saving an alert, select the visible series instead of the de-duplicated one to avoid an error.
2019-08-26 MAW-2963 Opening a chart from dashboard does not respect saved chart type

Workaround:
After opening a chart from dashboard, you can change the chart mode to the original mode via the Analysis Panel.

Splunk Analytics for Hadoop

Date filed Issue number Description
2017-04-04 ERP-2040 Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x

Workaround:
Upgrade Hadoop to 2.8.2 or higher.
2015-09-09 ERP-1650 timestamp data type not properly deserialized.
2015-08-05 ERP-1619 Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception.

Workaround:
Reenable the bucket copy saved search and let it run, or force the archiving to happen via | archivebuckets force=1 and then rerun the search.
2015-07-07 ERP-1598 minsplit rampup - splits generation takes too long.

Workaround:
Set minsplits=maxsplits
2015-05-12 ERP-1502 Non-accelerated pivot search on Pivot UI page waits for a long time to return result.
2015-01-08 ERP-1343, SPL-95174 Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error.

Workaround:
Add the journal.gz to the input path's blacklist (vix.input.1.ignore = ....)
2014-10-27 ERP-1216 Data Explorer preview does not honor existing sourcetypes for big5/sjis files.
2014-10-03 ERP-1164 Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory.

Workaround:
To mitigate this issue, make sure that vix.splunk.home.hdfs (or Working directory in the UI) is unique on both search heads that are not in a pool. To keep your instances in the same working directory, configure vix.splunk.search.cache.path to be unique on both search heads.
Last modified on 29 October, 2024
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0

