Splunk® Enterprise

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Known issues

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once.

Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features and removed features in this manual.

Authentication and authorization issues

Date filed Issue number Description
2022-07-29 SPL-227621, SPL-227998 Export of search results in the GUI fails with "Service Unavailable" with PYTHONHTTPSVERIFY=1

Workaround:
Turn off PYTHONHTTPSVERIFY for now

https://docs.splunk.com/Documentation/Splunk/latest/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk_Python_modules

2022-07-21 SPL-227153 After upgrade to 9.0, external indexes are missing from searchable choice list when creating a new role

Workaround:
The following setting needs to be enabled in server.conf:

[introspection:distributed-indexes] https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Serverconf

2022-04-19 SPL-222791, SPL-207068 SPL - list_introspection capability is not properly applied to some search REST endpoints

Workaround:
Permissions are now properly applied to the following REST endpoints:

• /services/server/introspection/search/dispatch • /services/server/introspection/search/distributed

Splunk software now displays errors when users with insufficient privileges access these endpoints using the 'rest' command or the HTTP API. To resolve these errors, add the list_introspection capability to the authorize.conf file for the role of the user that requires the endpoint information. Adding this capability to your roles ensures that searches and integrations continue to work properly.

2022-04-06 SPL-222105 When all inherited roles are taken out from admin role, it will cause admin user failed to show other users even though all capabilities is set natively.

Workaround:
Two possible approaches:

1. Remove the option grantableRoles = admin from authorize.conf - this is not permanent workaround and will need to be done every time admin role is modified.

2. Add any capabilities that the other user roles have to the "admin" role.

2020-12-04 SPL-198284, SPL-231587 Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default

Workaround:
Set limits.conf back to default, by removing any override of max_searches_per_process.

For example:

[search]
max_searches_per_process=1

to

[search]
2018-04-13 SPL-153403 After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2016-07-26 SPL-125052 Sole Admin can demote his/herself to Power without path of recovery in GUI

Workaround:
Through the command line, you can open notepad and modify the password file to regain 'Admin' status.

Upgrade issues

Date filed Issue number Description
2020-11-09 SPL-197140 UF failed to start on Solaris 11.3 with error: "symbol in6addr_any: referenced symbol not found"

Workaround:
1. Do not upgrade past Splunk 8.0.5 on Solaris 11.3

OR 2. Upgrade to Solaris 11.4

2020-08-31 SPL-194426 External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-07-10 SPL-191850 The .deb installation package will fail if dpkg version doesn't support an .xz compressed control file.

Workaround:
Update dpkg to version 1.17.6 or later.
2018-04-13 SPL-153403 After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2017-03-13 SPL-138647 Possible compatibility issues between new 6.6 and later default sslVersions, cipherSuites and external services, e.g. e-mail, LDAP

Workaround:
If security is not a significant concern, simply revert back to the 6.5.x SSL/TLS defaults, e.g. for e-mail, add to $SPLUNK_HOME/etc/system/local/alert_actions.conf

[email]
sslVersions = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To configure LDAP with the same settings used by e-mail alerts: $SPLUNK_HOME/etc/openldap/ldap.conf

TLS_PROTOCOL_MIN 3.1
TLS_CIPHER_SUITE TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


To completely revert the LDAP configuration to the 6.5.x SSL/TLS defaults, comment out TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE


If you would like to retain the more secure 6.6.x defaults, but prefer to add an exception for your less secure external services, follow the procedure below:

1. To determine what sslVersions and cipherSuites are supported by a server, run splunk cmd openssl s_client -connect hostname:port | awk '/Protocol/ || /Cipher/ || /Verify/'.

The example below is for a Postfix SMTP server:

eserv@indexer01:~$ splunk cmd openssl s_client -connect smtp-server01:465 | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=1 C = US, O = Example Customer, OU = IT, CN = Example Customer IT CA, emailAddress = customer@example.org verify error:num=19:self signed certificate in certificate chain New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

   Protocol : TLSv1 
   Cipher : DHE-RSA-AES256-SHA 
   Verify return code: 19 (self signed certificate in certificate chain)

2. Check the OpenSSL output for Protocol and Cipher. In the example above, Protocol = TLSv1 and Cipher = DHE-RSA-AES256-SHA

3. Update Splunk's relevant sslVersions and/or cipherSuite. In the example above, sslVersions should be set to tls (allows TLSv1, TLSv1.1, TLSv1.2) and DHE-RSA-AES256-SHA should be appended to the end of the default cipherSuites definition, e.g. add
$SPLUNK_HOME/etc/system/local/alert_actions.conf
:

[email]
sslVersions = tls

cipherSuites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA

Data input issues

Date filed Issue number Description
2022-09-08 SPL-229853, SPL-229208 PowerShell Modular input stopped working after UF 9.0 upgrade
2022-04-08 SPL-222366 Ingest Actions does not work with Splunk's free license

Search issues

Date filed Issue number Description
2022-10-24 SPL-231946 |metadata command ignores splunk_server parameter

Workaround:
Use other search commands like |tstats instead of |metadata if you need to filter on splunk_server
2022-10-12 SPL-231441, SPL-223053 eventstats will generate less results when time range is large
2022-09-28 SPL-230857, SPL-229969 regex doesn't honor the caret symbol ^ (start of string) in some conditions.
2022-08-02 SPL-227728, SPL-226351 Mcatalog subsearch hitting maxout limit preventing metric rollup from populating results correctly.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-07-21 SPL-227157, SPL-226132 User with format phxxxx cannot open a dashboard on 9.x
2022-06-23 SPL-226017, SPL-176333 Lookups may return incorrect results due to internal caching

Workaround:
Add

allow_caching=f to the lookup command:

| lookup <name> allow_caching=f ... 

On 7.3+: Add allow_caching=f to the lookup definition on the search head

transforms.conf:
[<lookup name>]
allow_caching = f

To check if you might be running into this issue, you'll need to enable debug on the search in question by adding:

| noop log_DEBUG=CachedProvider
<pre>
If you have hits for the cached lookup, like in the sample log below, you can hit this issue.

<pre>
DEBUG CachedProvider - Cached provider metrics: lookup=<lookup name> hits=67064 misses=321 total=67385
2021-12-21 SPL-216787 Searches are cancelled or time out when the user leaves the browser window or switches tabs.

Workaround:
In Splunk Enterprise 8.1.7, 8.2.4, and higher change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62.

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

2021-09-22 SPL-212495, SPL-196040, SPL-219811 Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles

Workaround:
none
2021-02-25 SPL-201628 `srchTimeWin` and `srchTimeEarliest` settings cannot be unset for the admin role.

Workaround:
Ensure that the admin role is not configured as "Unset" and is explicitly configured to either no restriction or a restriction in the UI (Navigate to Edit Role > Resources > Role search time window limit), or through conf file authorize.conf under attribute name srchTimeEarliest.
2020-12-06 SPL-198314 Exporting _time field applies user timezone offset but contains the server's timezone (usually +0000)

Workaround:
Force a specific time format by using strftime in an eval command.

for example, add

 | convert timeformat="%FT%T.%3Q%z" ctime(_time)

to the end of your search

2020-12-04 SPL-198284, SPL-231587 Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default

Workaround:
Set limits.conf back to default, by removing any override of max_searches_per_process.

For example:

[search]
max_searches_per_process=1

to

[search]
2020-12-01 SPL-198149, SPL-198866, SPL-199358 KVStore lookup indexing leads to slow search performance and intermittent errors in searches

Workaround:
If you encounter this problem, change the enable_splunkd_kv_lookup_indexing parameter to true in the [lookup] stanza of limits.conf in the $SPLUNK_HOME/etc/system/local directory on your search peers.
2020-08-31 SPL-194426 External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-02-12 SPL-183259 When generating LISPY for field values that are numbers (""), the values aren't deduplicated, which can cause slowdowns in certain scenarios

Workaround:
Dedup values in search before, for example:

instead of

index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId]

add a stats or dedup in the subsearch:

index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example:

index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]
2020-01-10 SPL-181573 geostats provides incorrect results for lower zoom levels when split BY has a higher cardinality than globallimit.

Workaround:
- Increase globallimit to the value of "unique values" number mentioned in the warning message:

"The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count."

- Use very high globallimit in geostats and post process after if needed

- Don't use BY in geostats

- Use lower cardinality BY and/or higher globallimit in geostats

2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2017-04-04 SPL-140765 Splunk having problems extracting json file consisting of 68k plus key-value pairs
2016-11-29 SPL-133182 When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


2014-10-02 SPL-91638, SPL-107375 For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.

Saved search, alerting, scheduling, and job management issues

Date filed Issue number Description
2022-08-22 SPL-228900, SPL-220208 Summary Director consuming a lot of CPU
2019-09-20 SPL-176812 Multiple SH Clustering with single deployer can't use datamodel summary sharing
2018-09-19 SPL-160286 The data preview for the Add Data workflow does not display for Log to Metrics source types
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-08-14 SPL-143947 Report acceleration is broken for users with a configured role-based access filter

Charting, reporting, and visualization issues

Date filed Issue number Description
2022-09-21 SPL-230467, SPL-224661 Custom table cell renderer doesn't work consistently on refresh or when switching back from Edit -> Source view

Workaround:
refresh page
2022-08-04 SPL-227909, SPL-228844 Inconsistent behavior for new dashboard with showing/not showing data/search results from default token
2022-07-21 SPL-227157, SPL-226132 User with format phxxxx cannot open a dashboard on 9.x
2022-04-26 SPL-223193, SPL-233133 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox
2021-04-05 SPL-203554 After upgrading from 8.1 to 8.2 or higher, dashboard images in the Dashboard Studio fail to load.

Workaround:
Two workaround options:

1. Re-upload the image. (Best for non-admins or Splunk Cloud customers) 2. Copy/move collections (splunk-dashboard-icons and splunk-dashboard-images) from splunk-dashboard-app to splunk-dashboard-studio to see the custom images/icons in studio dashboards.

2021-02-12 SPL-201015 PNG export in the Dashboard Studio in Safari doesn't work on first try

Workaround:
Press the download button again
2020-07-28 SPL-192751 Dropdowns in XML Chart Formatting Modal does not show in dark mode
2020-07-20 SPL-192213 Dark mode does not get applied to XML dashboards when using unicode characters like smiley icons

Workaround:
Do not use unicode characters in Dashboards with dark mode.
2016-09-15 SPL-128819, SPL-130243, SPL-130245 Editing panel in dashboard removes charting.legend.masterlegend option

Workaround:
Use <option name="charting.legend.masterLegend">null</option>
2016-04-27 SPL-118911 In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.


Data model and pivot issues

Date filed Issue number Description
2022-08-22 SPL-228900, SPL-220208 Summary Director consuming a lot of CPU
2019-09-20 SPL-176812 Multiple SH Clustering with single deployer can't use datamodel summary sharing

Indexer and indexer clustering issues

Date filed Issue number Description
2016-08-25 SPL-127353 Data rebalance finishes early when one peer is the source for all buckets

Workaround:
when only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time

Distributed search and search head clustering issues

Date filed Issue number Description
2022-07-26 SPL-227395, SPL-228155 Deployer push is taking longer time

Workaround:
+No workaround found so far on 9.0.0
2022-04-20 SPL-222917, SPL-230428 Crash in indexer discovery service on search head
2022-03-22 SPL-221130, SPL-224931, SPL-225711 Search head clustering - intermittent "Splunk Cloud" logo shown on splunkweb and "UNKNOWN_VERSION" Splunk version returned

Workaround:
Customers can verify whether their environment is affected with following SPL against their SHs:

index=_internal host IN (<CommaSeparatedSHList>) source=*web_service.log* "Splunk appserver version=UNKNOWN_VERSION build=000"

Refreshing the browser tab will temporarily resolve the issue. No root cause/fix has been identified yet.

2021-09-22 SPL-212495, SPL-196040, SPL-219811 Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles

Workaround:
none
2021-03-26 SPL-203060 The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:
  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Removes comments preceded by a hash.
  • Reorders the KV pairs alphanumerically within a stanza.
  • Reorders stanzas within the file.


2019-09-02 SPL-175786 Not able to update search head settings by bundle application from deployer under Full mode if conf files are put in bundle's local folder
2017-11-29 SPL-146802 Distributed environment requires index defined on search head for log event alerts
2017-03-13 SPL-138654 Splunk searches fail when filepath gets too long on Windows
2016-07-12 SPL-124085 On Search Head Cluster It is not possible to remove an App from the SHs once it has been disabled.

Universal forwarder issues

Date filed Issue number Description
2022-09-08 SPL-229853, SPL-229208 PowerShell Modular input stopped working after UF 9.0 upgrade
2022-07-30 SPL-227653, SPL-231927 UF throws erroneous WARN for KVSTORE SSL misconfiguration on startup - server.conf//sslVerifyServerCert or "Starting migrate-kvstore."

Workaround:
It's safe to ignore the warning or you can disable the kvstore explicitly with server.conf:
[kvstore]
disabled = true
2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
2022-06-06 SPL-225379 Ownership of files mentioned in manifest file is splunk:splunk instead of root:root after enabling boot start as root user for initd

Workaround:
whenever changing UF user, pls manually chown SPLUNK_HOME to the new user, including first time install/upgrade, or manually enable boot-start
2022-05-16 SPL-224264, SPL-224265 Splunk UF not starting on Debian 11 (x86_64 and arm64)
2022-05-13 SPL-224167 Splunk UF for CentOS-7 (ARM64) is not available

Workaround:
UF for CentOS7 ARM 64 will be available in the 9.0.1 maintenance release.
2022-04-20 SPL-222917, SPL-230428 Crash in indexer discovery service on search head
2020-11-09 SPL-197140 UF failed to start on Solaris 11.3 with error: "symbol in6addr_any: referenced symbol not found"

Workaround:
1. Do not upgrade past Splunk 8.0.5 on Solaris 11.3

OR 2. Upgrade to Solaris 11.4

Monitoring Console issues

Date filed Issue number Description
2019-11-13 SPL-179528 The splunktcp and splunktcp-ssl stanzas are not reloadable in inputs.conf
2017-08-14 SPL-143981 Uninstall app dialog does not show the app name correctly when the app doesn't have the label
2017-05-24 SPL-141982 Upload modal should use size=large File element
2017-04-19 SPL-141274 Clicking Install multiple times in Install dialog causes error
2017-03-07 SPL-138351, SPL-172626 The role change of DMC via UI does not reflect to distsearch.conf

Workaround:
As a workaround can the customer manually modify the distsearch.conf.
2016-11-14 SPL-132151 XML error when trying to download uninstalled app

Splunk Web and interface issues

Date filed Issue number Description
2022-05-31 SPL-225037 Remote dataset dropdown menu resets to "Index" after selecting federated provider
2021-12-21 SPL-216787 Searches are cancelled or time out when the user leaves the browser window or switches tabs.

Workaround:
In Splunk Enterprise 8.1.7, 8.2.4, and higher change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62.

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection

Windows-specific issues

Date filed Issue number Description
2022-03-19 SPL-221019 WEC + subscription with ContentFormat "Events" - indexed ForwardedEvents show "Splunk could not get the description for this event" for the "Message" field

Workaround:
Following steps should be followed:

- to reconfigure subscription type to RenderedText:

wecutil ss <subscription-name> /cf:RenderedText

- in order to work around a MS defect on the WindowsEventViewer causing field description resolution failures within the WindowsEventViewer, when configuring RenderedText contentFormat you might want to also change the subscription locale, if not already done, to en-US:

wecutil ss <subscription-name> /l:en-US

and the same also for the datetime format on the WEC server to English (United States), see also here:

https://serverfault.com/questions/606144/win2012r2-eventlog-subscription-dont-display-informations https://social.technet.microsoft.com/Forums/ie/en-US/3fd3d1fc-1194-4899-978c-3283085648bc/eventlog-forwarding-issues-either-the-component-that-raises-this-event-is-not-installed-on-your

- please make sure to install the most recent Windows add-on compatible with your Splunk release, following the official installation documentation:

https://docs.splunk.com/Documentation/AddOns/released/Windows/Install

- please configure inputs.conf on the splunk instance running on the WEC server as follows, in order to onboard the ForwardedEvents data in XML format:

[WinEventLog://ForwardedEvents]
renderXml = true

then save and restart splunk in order to apply the changes.

- last, but not least, unless renderXml was set to true already before installing/upgrading to a regressed version, you will need to rewrite your searches and reports in order to comply with the new/XML-specific field extractions shipped in the Windows add-on, since the data is now onboarded in XML format.

REST, Simple XML, and Advanced XML issues

Date filed Issue number Description
2020-07-28 SPL-192792 tsidxWritingLevel and other fields are set empty after updating index in UI
2017-07-13 SPL-143111 "Splunkd daemon is not responding" when edit local windows event log collection
2016-10-31 SPL-131072 Datamodel backend allows invalid time values

PDF issues

Date filed Issue number Description
2016-11-23 SPL-132925 Table data rows generated with the addcoltotals command do not show up in PDF

Workaround:
If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

Admin and CLI issues

Date filed Issue number Description
2022-06-23 SPL-226016, SPL-226271, SPL-229579 Splunk crashed with SplunkConfigChangeWatcherThread if there is a symbolic link to a directory while config_change_tracker is enabled
2022-06-21 SPL-225949 federated.conf.spec and federated.conf.example files are missing from the product build

Workaround:
Modify 'federated.conf.spec' and 'federated.conf.example' with the contents on the below document:

https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Federatedconf

To check the workaround is working, restart the instance to see if logs appear. (See attached image: Image-20221110-234300.png)

2021-03-26 SPL-203060 The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:
  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Removes comments preceded by a hash.
  • Reorders the KV pairs alphanumerically within a stanza.
  • Reorders stanzas within the file.


2020-07-28 SPL-192792 tsidxWritingLevel and other fields are set empty after updating index in UI
2020-04-14 SPL-186365 Users are able to create/clone knowledge objects into apps where they lack permissions
2019-08-05 SPL-174406, SPL-109254 Root unable to run splunk cli if SPLUNK_OS_USER is set
2018-08-13 SPL-158658 A timeout or slow response when accessing Splunk Web Licensing page

Workaround:
A timeout or slow performance of the license management page is caused by a build-up of historical license warning messages, which are processed every time the page is accessed. Can be verified by running this search on the License Manager:

| rest splunk_server=local /services/licenser/messages

If a high value is returned for that end point, you are likely affected. Log a support ticket with Splunk to obtain a license reset key, and apply the key to clear out any historical license warning messages. After the reset license is applied, the license management pages should load normally.

2017-11-29 SPL-146820 Unable to access some settings/manager pages (data model editor) if starting from the setup page of a non-visible app

Workaround:
Navigate to a visible app, such as the search and reporting app, and access the Splunk settings pages from that app context.
2017-11-07 SPL-146255 limits.conf enable_clipping cloropleth setting is app/user tunable rather than global like the rest of limits.conf
2017-04-03 SPL-140747 SSL connection in Python when using new ciphers may be slow.
2016-11-09 SPL-131880 Reports/Alerts owned by the deleted user cannot be found in the Orphaned filter for the Reassign Knowledge Objects page

Uncategorized issues

Date filed Issue number Description
2022-10-20 SPL-231793 Crashing in TcpOutEloop thread with assertion_failure="_refCount > 0" when forwarding to more than 10 hosts with forceTimebasedAutoLB=true.

Workaround:
Set one of the following

forceTimebasedAutoLB=false ( eliminates crash) or autoBatch=false ( Reduces chances of crash significantely) or connectionsPerTarget=1 (eliminates crash)

2022-10-19 SPL-231712 Create/Edit Role - In the UI, the "Wildcards" tool cannot be used to specify allowed federated indexes for standard mode federated search
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing

Workaround:
To stop a proxy bundle (pb_t1) from being sent endlessly from the remote deployment to it's indexers, you need to ensure that the local deployment generates a new bundle. Once this one new bundle is generated and sent to the remote deployment (as (pb_t2), the remote deployment will stop sending the previous bundle to the indexers.

To make sure that happens: 1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle. 2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment. 3. Trigger a search from the local deployment. This will make sure that the bundle is sent ASAP towards the remote deployment.

2022-07-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround:
Use REST API to create the federated saved search instead:

curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1
See [[Documentation:*:RESTREF:RESTfederated|Federated search endpoint descriptions]] in the REST API Reference Manual.

2022-06-23 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-04-27 SPL-223358, SPL-217652 Splunk Assist: The CertAssist component does not display all hosts that use the same certificate
2022-04-22 SPL-223082 CMC > License Usage > Archive Storage > and check under Index Storage Usage Details > Archived Last 90 days , I see 0 results
2022-04-12 SPL-222543, SPL-224946 Unable to generate diag - "UnicodeDecodeError: 'utf-8' codec can't decode byte XxXX in position YY: invalid start byte"

Workaround:
The problem is caused by non-ASCII/UTF-8 characters, that are present in your configuration and are not supported. You can remediate the problem:

1. Either remove non-ASCII/UTF-8 characters from your configuration files. 2. Or take a backup of '$SPLUNK_HOME/lib/python3.7/site-packages/splunk/clilib/cli_common.py' and in line 127: Add parameter to "line.decode" - either "errors='replace'", or "errors='ignore'". Eg: line.decode(errors='replace')

2022-02-24 SPL-219715, SPL-225376, SPL-225374, SPL-225375 Workload Management fails to enable on restart if a rule contains a role that is missing on the platform
2022-02-08 SPL-218841 Reporting command in verbose mode returns 0 events despite correct event_count
2022-02-08 SPL-218842, SPL-219793 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.
2021-10-14 SPL-213745 Standard mode federated search: Unable to set federated index as default index
2021-04-24 SPL-204740, SPL-204735 Deletion of a workload pool is allowed if there is a 'disabled' rule that is related to that workload pool and this can cause errors if the rule is re-enabled later

Workaround:
To prevent this issue: When you delete a workload pool, please make sure that you delete any disabled workload rules that are associated with that workload pool.

To resolve the issue if you encounter this: Disable or delete the workload rule that is associated with a workload pool that does not exist anymore.

2021-03-29 SPL-203100 Summary page on monitoring console doesn't show correct RF/SF when not running on the CM.
2021-03-19 SPL-202682 The license usage report tab name is Previous 60 days, but the reports run over the last 30 days
2021-02-10 SPL-200532 SmartStore: Stuck fixup due to inability to freeze unsearchable/unstable bucket

Workaround:
This issue is caused by a single unsearchable bucket that has been frozen while not existing on remote storage. The bucket copy on the peer node's cache remains stuck in the fixup state, resulting in messages to the effect that all data is not searchable, the replication factor is not met, and the search factor is not met.

To resolve, on the peer node, invoke the "/services/cluster/slave/buckets" endpoint, specifying the faulty bucket, setting "search_state=Searchable" to make the bucket searchable. You do not need to restart the peer node afterwards.

Here is the syntax for the required endpoint:

curl -k -u admin https://<peer_node_with_bucket>:<mgmt_port>/services/cluster/slave/buckets/<bucket_id>/change_bucket -d bucket_mask=0 -d search_state=Searchable -d generation_id=0 -d searchable_sources="peer,site,server_name,host_port_pair,replication_port,replication_use_ssl,searchable,bucket_mask

Note that pairs of angle brackets indicate variables that must correspond to your instance and bucket.

2020-10-01 SPL-195810 Using CLI command to stop migration of KVstore on a SHC running on Windows OS can cause the SHC captain to reach an invalid state

Workaround:
Restart the SHC captain
2020-08-10 SPL-193389 Parallel upload is not supported in gcp-sse-kms encryption mode

Workaround:
In the volumes using gcp-sse-kms encryption mode, specify "remote.gs.upload_chunk_size = 0" to disable parallel upload.
2020-07-30 SPL-192936 Subsecond search - When you update metric.timestampResolution via the UI, it is not updated on the search head index.conf file. This does not affect search functionality.
2020-05-06 SPL-188800 Starting Splunk software with incorrect KV store storage engine causes KV store to crash

Workaround:
In the [kvstore] stanza of your server.conf file, set the storageEngine setting to match the storage engine that you're using, either wiredTiger or mmapv1. To learn which storage engine you're using, check whether the file extensions in the var/lib/splunk/kvstore/mongo directory are *.wt for Wired Tiger or *.ns for Memory Mapped.
2019-10-03 SPL-177447 Bundle replication takes longer than expected time for indexers that have bundleEnforcerBlacklist configured
2019-09-26 SPL-177144, SPL-177326 Under heavy search workload, the search memory usage estimation may be higher than actual usage
2019-09-25 SPL-177008, SPL-176710, SPL-177009 Workload management fails to enable for addition of a pool with 1% cpu and 1% memory
2019-09-16 SPL-176514 Offline rebuild of unsearchable bucket may lead to stale information in dbinspect searches
2019-09-13 SPL-176447 SmartStore: Migration uploads of auto_high_volume buckets can fail indefinitely due to an XFS bug

Workaround:
Before migration, lower the max_concurrent_uploads setting in server.conf to 2.

After migration, revert the setting to the default of 8.

2019-07-19 SPL-173449, SPL-173259 timezone isn't stored for start_time/end_time of rule schedule every_day/every_week/every_month
2019-03-26 SPL-168314 SmartStore standalone instance + Monitoring Console: Bootstrapping panel needs to reflect the standalone bootstrapping process
2018-03-20 SPL-152330, SPL-151992 After installing Splunk on Windows using msiexec and the "GENRANDOMPASSWORD=1" option (and if generated password ends with backslash) admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2017-06-29 SPL-142789, SPL-95144 Indexed message for Windows security event logs shows "FormatMessage error"

Workaround:
Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.
2017-05-09 SPL-141693 DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list.
2017-04-27 SPL-141478 $_index_name does not resolve properly when used with the thawedPath pathname
2017-03-27 SPL-140442, SOLNESS-11786 In Splunk Enterprise 6.6.0 and later, with Enterprise Security 4.5.2 and 4.6.0, roles without "edit_roles" capability cannot perform operations on notable event review statuses.

Workaround:
If users cannot perform operations on notable event review statuses or have issues viewing "Edit all selected" links on Incident Review, user roles must be provided with the "edit_roles" capability.
2017-03-14 SPL-138731 New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions SHA1/1024-bit key certificates if cert verification is enabled

Workaround:
Users can do any of the following:

1. Disable certificate verification - the same root certificate is available with every Splunk download so enabling certificate verification while using the default certificates provides very little additional security.

2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute to older versions of Splunk

3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/

2017-01-06 SPL-134707 Splunk restart does not create missing server.pem certificate on Windows

Workaround:
Use bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate.
2016-11-21 SPL-132670 Mac OS 10.11: disable boot-start doesn't remove the file /Library/LaunchAgents//com.splunk.plist by enabling boot-start in prior Splunk/UF
2016-08-31 SPL-127800 Opting in to data sharing on a monitoring console produces duplicate data.
2016-06-21 SPL-123174 JSON indexed_extractions doesn't work for TCP inputs

Splunk Analytics for Hadoop

Date filed Issue number Description
2017-04-04 ERP-2040 Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x

Workaround:
Upgrade Hadoop to 2.8.2 or higher.
2015-09-09 ERP-1650 timestamp data type not properly deserialized.
2015-08-05 ERP-1619 Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception.

Workaround:
Reenable the bucket copy saved search and let it run, or force the archiving to happen via | archivebuckets force=1 and then rerun the search.
2015-07-07 ERP-1598 minsplit rampup - splits generation takes too long.

Workaround:
Set minsplits=maxsplits
2015-05-12 ERP-1502 Non-accelerated pivot search on Pivot UI page waits for a long time to return result.
2015-01-08 ERP-1343, SPL-95174 Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error.

Workaround:
Add the journal.gz to the input path's blacklist (vix.input.1.ignore = ....)
2014-10-27 ERP-1216 Data Explorer preview does not honor existing sourcetypes for big5/sjis files.
2014-10-03 ERP-1164 Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory.

Workaround:
To mitigate this issue, make sure that vix.splunk.home.hdfs (or Working directory in the UI) is unique on both search heads that are not in a pool. To keep your instances in the same working directory, configure vix.splunk.search.cache.path to be unique on both search heads.
Last modified on 18 November, 2022
PREVIOUS
Welcome to Splunk Enterprise 9.0
  NEXT
Splunk Enterprise and anti-virus products

This documentation applies to the following versions of Splunk® Enterprise: 9.0.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters