Known issues

2) If this issue is encountered after offline upgrade, please run the following steps on problematic SH nodes. - Stop the search head that has the stale KV store member - Run the command splunk clean kvstore --cluster - Restart the search head. This triggers the initial synchronization with other KV store members. - Run the command splunk show kvstore-status to verify synchronization has succeeded.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

• 6.0.0 to 6.0.6
• 6.1.0 to 6.1.4
• 6.2.0 to 6.2.6
• 6.3.0 to 6.3.1
• 6.3.1511.1

Upgrade your older instances to the latest maintenance releases or on your 6.6.x Splunk instances. Add the following stanza to server.conf:

1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully.

3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc..). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites.

To configure LDAP with the same settings used by e-mail alerts: $SPLUNK_HOME/etc/openldap/ldap.conf

To completely revert the LDAP configuration to the 6.5.x SSL/TLS defaults, comment out TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE

If you would like to retain the more secure 6.6.x defaults, but prefer to add an exception for your less secure external services, follow the procedure below:

1. To determine what sslVersions and cipherSuites are supported by a server, run splunk cmd openssl s_client -connect hostname:port | awk '/Protocol/ || /Cipher/ || /Verify/'.

The example below is for a Postfix SMTP server:

   Protocol : TLSv1 
   Cipher : DHE-RSA-AES256-SHA 
   Verify return code: 19 (self signed certificate in certificate chain)

2. Check the OpenSSL output for Protocol and Cipher. In the example above, Protocol = TLSv1 and Cipher = DHE-RSA-AES256-SHA

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

EXTRACT-cs_uri_stem1 = (GET|POST) (?<cs_uri_stem1>[^-]++)

if(isnull(status), "NULL",status)

$ cat $SPLUNK_HOME/etc/system/local/limits.conf [search] use_search_evaluator_v2=false

for example, add

 | convert timeformat="%FT%T.%3Q%z" ctime(_time)

to the end of your search

instead of

... | foreach field [| eval "<<FIELD>>"=... ] 

use something like this

... | fieldformat "field"=... 

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

[lookup] use_lookups_v2=0

This setting is only available in later releases of 7.2.x and 7.3.x.

NOTE: This setting is not available in Splunk 8.x. If using this workaround in 7.2.x or 7.3.x, do not upgrade to 8.x until this issue is fixed.

Fall back to the old search evaluator, this needs to be changed on both search heads and indexers: $SPLUNK_HOME/etc/system/local/limits.conf:

[search]
use_search_evaluator_v2 = false

| noop search_optimization.replace_table_with_fields=f

Or, if you can restructure the search, so if you would have something with a transforming command first:

index=_internal 
| stats latest(_time) AS _time BY host index  
| table host _time index 
| transpose 2

Or run the search in VERBOSE mode.

On the search head, set limits.conf:

[search]
phased_execution_mode = singlethreaded

On the search head, set user preference timezone to non-default one

REGEX = (.)

Example of configuration that would show this issue: props.conf:

[splunkd]
REPORT-Whatever = this-breaks-searching

and transforms.conf:

[this-breaks-searching]
REGEX = .
FORMAT = myfield::myvalue

| makeresults 
| map search="|makeresults |sendemail to=\"email@test.com\" format=csv"

Move |sendemail command outside of the |map function if possible

For sending one result at a time, have a look at sendresults from https://splunkbase.splunk.com/app/1794/ as an alternative to | map search="... | sendemail"

Or using the "per result" and then the email alert action on a saved search might be an option.

instead of

index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId]

add a stats or dedup in the subsearch:

index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example:

index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

| makeresults 
| eval a="" 
| eval a=split(a,"z"), b="junk" 
| foreach * 
    [| eval typeof_<<FIELD>>=typeof(<<FIELD>>)]
| mvexpand a

Add an eval before mvexpand to handle this for example:

...
| eval a=if(tostring(typeof(a))="Invalid","",a) 
| mvexpand a

... | sort 0 - _time

Pick a timerange that is known to start with values if possible.

If you're using timechart:

fixedrange=f

If not, something like this might help:

...
| trendline sma5(count) as smooth_count 
| streamstats max(eval(if(isnotnull(smooth_count),1,null()))) AS flag 
| where flag=1 
| fields - flag 
| predict smooth_count

or something simpler with fillnull:

...
| fillnull smooth_count
| predict smooth_count

However, this will impact the prediction as no data isn't the same as 0

"The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count."

- Use very high globallimit in geostats and post process after if needed

- Don't use BY in geostats

- Use lower cardinality BY and/or higher globallimit in geostats

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

Instead of: rex mode=sed field=test "s/^/\"/g"

Do: rex mode=sed field=test "s/^/\"/"

[<FIELD>] INDEXED_VALUE=false

1.) use SOURCE_KEY=_raw in transforms stanza where modular regex is used. ie: [cmta-xml-extract-relay-di-out-details] REGEX = (?:(?<relay_host_out>\S+) )?\(TCP\|cmta_helper_ip:client_ip\|(?<client_port>\d+)\|cmta_helper_ip:relay_ip_out\|(?<server_port>\d+)\)

1. SOURCE_KEY = di_relay_out

SOURCE_KEY = _raw

Or include the field in the search: sourcetype=cmta_xml client_ip=* di_relay_out=* | table _raw

| makeresults | eval _raw="Deutsche Mütter kochen gut" | search "Mütter"

don't return results.

Workaround, on both search heads and indexers: limits.conf [search] use_search_evaluator_v2=false

limits.conf: [search] use_search_evaluator_v2=false

Examples searches that don't filter out values: index=_internal (NOT clientip=127.0.0.0/8) | stats count BY clientip

index=_internal (clientip!=127.0.0.0/8) | stats count BY clientip

index=_internal | stats count BY clientip | search (clientip!=127.0.0.0/8) | stats sum(count) BY clientip | noop search_optimization=false

Filtering with | where is OK: index=_internal | where NOT cidrmatch("127.0.0.0/8", clientip) | stats count BY clientip

allow_caching=f to the lookup command:

| lookup <name> allow_caching=f ...

On 7.3+: Add allow_caching=f to the lookup definition on the search head

transforms.conf:
[<lookup name>]
allow_caching = f

To check if you might be running into this issue, you'll need to enable debug on the search in question by adding:

| noop log_DEBUG=CachedProvider
<pre>
If you have hits for the cached lookup, like in the sample log below, you can hit this issue.

<pre>
DEBUG CachedProvider - Cached provider metrics: lookup=<lookup name> hits=67064 misses=321 total=67385

[stats]
use_stats_v2 = f

in $SPLUNK_HOME/etc/system/local/limits.conf

OR

Revert back to the old serialization format (CSV), however, this applies to all searches, so you won't be getting the (performance) benefits of the new format.

$SPLUNK_HOME/etc/system/local/limits.conf: [search] results_serial_format=csv

| streamstats window=2 last(metric) as curr, first(metric) as prev | eval delta_ = curr-prev

... | rename *_* AS *-* | replace "something" by "somethingelse"

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

[search] phased_execution_mode = singlethreaded

1. add an additional panel with this query where we get the token from and hide that panel. 2. use another base search, that's hidden already.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

DEV also suggested increasing the number of pipelines on the UF, though this has not been verified in the customer deployment as far as I'm aware.

• Remove any settings that define default values already set in the /default/distsearch.conf file.
• Removes comments preceded by a hash.
• Reorders the KV pairs alphanumerically within a stanza.
• Reorders stanzas within the file.

/opt/splunk/etc/shcluster/apps/<myapp>/local/app.conf
[launcher]
version = 1.0.1

server.conf [shclustering] conf_replication_include.user-prefs = false

that will definitely stop those replications.

| tstats count WHERE index=* BY index host source sourcetype

2. on the SH don't allow batch mode through limits.conf: [search] allow_batch_mode = false This will affect all searches, not just metasearch though

To avoid this situation, either use the merge_to_default push mode or inspect the deployer's set of app local directories and ensure that they contain only whitelisted files. For details on the configuration replication whitelist, see "Configuration updates that the cluster replicates" in the Distributed Search manual.

For details on how the push mode determines the way that the deployer pushes configurations, see "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual.

Contact support for an alternative script to restore backup (restorekv.py)

1. Shutdown all cluster members.
2. Upgrade all members.
3. Start the member

[httpServer] max_content_length = 1500MB

The other option is to disable the search which controls the generation of the large lookup file. In this case, the search is:

[Endpoint - Local Processes Tracker - Lookup Gen]

[search] phased_execution_mode = singlethreaded

stop the affected peer

1. /opt/splunk/bin/splunk stop
2. rm /opt/splunk/var/run/splunk/cluster/remote-bundle/*.bundle
3. rm -Rf /opt/splunk/etc/slave-apps
4. /opt/splunk/bin/splunk start
   

dfsjob[search index=airlinedata | stats count by Origin Dest | join max=0 left=L right=R where L.Dest=R.Origin [ | search index=airlinedata | stats count by Origin Dest | join max=0 left=L right=R where L.Dest=R.Origin [| search index=airlinedata | stats count by Origin Dest] | rename L.* AS * , R.* AS * ]]

Indexer acknowledgement uses the _raw field to track completeness of delivery for each event. In some cases, when an event does not contain a valid _raw field, Splunk servers fail to determine whether the event is completely delivered and do not return acknowledgement for it, even when the event is processed successfully. As a result, the forwarder sends the same event again, leading to duplication of indexed data. This can affect metric indexes, where events with the JSON source type will not have _raw fields.

When this issue occurs, the workaround is to set useACK=false to disable indexer acknowledgement. You may want to set up multiple forwarding/HEC channels or ports with two useACK settings, to meet the needs of both kinds of source events: those that contain the _raw field and those that do not.

OR 2. Install package by untarring tgz file to /opt/splunkforwarder

• 6.0.0 to 6.0.6
• 6.1.0 to 6.1.4
• 6.2.0 to 6.2.6
• 6.3.0 to 6.3.1
• 6.3.1511.1

Upgrade your older instances to the latest maintenance releases or on your 6.6.x Splunk instances. Add the following stanza to server.conf:

1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

2. For some more up-to-date clients, it is possible to enforce TLS1.2 (e.g. --tlsv1.2 for curl) in order to connect successfully.

3. Upgrade OpenSSL on your platform and link it with your client (e.g. Python, curl, etc..). For example, OpenSSL 1.0.2 is currently available on Mac OSX via Homebrew (see https://brew.sh) and is compatible with the new Splunk 6.6 default sslVersions, cipherSuites.

1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security.

2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk

3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/

2 Setup a proxy UF which takes input from the original UF and send input out syslog server. This solution only requires config change and no patch release is required.

`$daily_usage_search$($splunk_server$, $size_search$, $host$, "$split_by_field_name$", "$pool$")`

to

`$daily_usage_search$($splunk_server$, $size_search$, $host$, "$pool$", "$split_by_field_name$")`

in the following file

$SPLUNK_HOME/etc/apps/splunk_monitoring_console/default/data/ui/views/license_usage_historic.xml

Step 2: Restart splunk

(1) For log in page, use the following URL.

e.g.) http://IP:Port/en-US/account/login

(2) Register non-login page such as Home, Search etc.

2. Assign this user ownership of the scheduled searches.

3. Share the searches at the app level and grant read/write permission to the correct set of users.

(1) For log in page, use the following URL.

e.g.) http://IP:Port/en-US/account/login

(2) Register non-login page such as Home, Search etc.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

• Remove any settings that define default values already set in the /default/distsearch.conf file.
• Removes comments preceded by a hash.
• Reorders the KV pairs alphanumerically within a stanza.
• Reorders stanzas within the file.

Upload a pre-created/pre-existing csv lookup, but it is often not possible.

1. add an additional panel with this query where we get the token from and hide that panel. 2. use another base search, that's hidden already.

For on-prem, manually edit the props.conf file to set SHOULD_LINEMERGE to 'false'.

[search] display.events.fields = ["description","except_extract_1","except_extract_2","except_extract_3","sap_order_status","sourcetype","source","status","request_mode","request_id","request_status_id","object_id","BillToCity_","Airline_","BillToName_","BillToCountry_","City_"] display.events.type = table

Specifically impacts apps that use rest endpoints. The workaround is to use the old way of authenticating, username/password.

Specifically impacts apps that use rest endpoints. The workaround is to use the old way of authenticating, username/password.

$SPLUNK_HOME/bin/python3 (linux)
$SPLUNK_HOME\bin\Python3 (Windows)

and rename the python.exe executable to python3.exe for example, if you're using Windows.

b. copy the custom python exe into $SPLUNK_HOME/bin and set PYTHONPATH to the custom python lib

1. add this to server.conf:

[general]
python.version = force_python3

2. copy custom python executable to $SPLUNK_HOME/bin

3. in $SPLUNK_HOME/etc/splunk-launch.conf add PYTHONPATH to the OS install directory, for example on Windows:

PYTHONPATH=C:\Python3\lib

c. shim the scripted input's python script with a shell script that calls python in turn (bash, powershell)

$SPLUNK_HOME/etc/system/local/outputs.conf:

[tcpout]
negotiateProtocolLevel = 5

do filtering later in | search

TZ=:/etc/localtime

Or whatever timezone customer want to set. TZ=<timezone> Example TZ=US/Pacific

splunk stop; splunk start;

Note: Please don't run splunk restart

<collection label="Others">

           <view source="unclassified" match="Dashboard"/>
     </collection>  
 

"Search String", "Trigger Condition", and "Link To Results".