Splunk® Enterprise

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Fixed issues

Splunk Enterprise 9.1.0.2

Splunk Enterprise 9.1.0.2 was released on July 31, 2023. It delivers the update described in https://advisory.splunk.com/advisories/SVD-2023-0606.

Splunk Enterprise 9.1.0.1

Splunk Enterprise 9.1.0.1 was released on July 6, 2023. This release fixes the following issue:

Date filed Issue number Description
2023-06-08 SPL-240758, SPL-241690, SPL-241691, SPL-241704, SPL-241705, SPL-241706 "File Integrity checks found 4281 files that did not match the system-provided manifest." shows in message but does not appear in the "Integrity Check of Installed Files" dashboard.

Workaround:
Clear the notification to dismiss the error and it will not appear again.

Splunk Enterprise 9.1.0

Splunk Enterprise 9.1.0 was released on June 28, 2023. This release includes fixes for the following issues.

Issues are listed in all relevant sections. Some issues might appear more than once.

Data input issues

Date resolved Issue number Description
2023-04-12 SPL-235416 Case sensitive sourcetypes in Ingest Actions UI preview won't fetch results

Search issues

Date resolved Issue number Description
2024-05-17 SPL-255737 Version 2 of the stats command can't distinguish prestats and non-prestats data in summary index at the event level.
2023-05-05 SPL-239409 The 'sendemail' command no longer honors the field order from search results
2023-01-24 SPL-227018, SPL-241609, SPL-242656 In rare cases in some buckets, searches can return some empty field values or missing events for indexed fields when the bucket contains small metadata files (between 4-8KB) leading to "not all cwpairs were found" in search.log
2022-11-11 SPL-232477, SPL-224816 Transparent mode tstats with prestats and no reporting commands show timeline results
2022-11-09 SPL-224816, SPL-232036, SPL-232477 Standard mode federated searches of accelerated data models with 'tstats' fail or produce unexpected behavior when 'prestats=t'
2022-10-06 SPL-227547 Fix hash algorithm for numbers and handle hash collisions for lookups
2022-09-30 SPL-230091, SPL-231852 Search can use large amount of memory on large/malformed events that (look like) XML
2022-09-13 SPL-229278 Search crashes with "StatsBuffer found inconsistent row" after upgrading
2022-07-05 SPL-205436, SPL-208943 in batch mode, on distributed search, addtotals with wildcard that matches more than 50 fields populates the _time field with other field's value (like the sourcetype, index, splunk_server) for result above 50
2022-06-20 SPL-223897, SPL-226446, SPL-226447 Mstat breaks with multivalue "asset" dimension,

Federated search issues

Date resolved Issue number Description
2023-05-04 SPL-239362, SPL-237883 Transparent Mode federated search - Using table and stats in the same federated search causes the search to return empty results , when run in smart or fast mode
2023-02-08 SPL-225826 Transparent mode federated searches over accelerated data model datasets cannot return remote results because their summaries are not present on the RSH
2022-11-11 SPL-232477, SPL-224816 Transparent mode tstats with prestats and no reporting commands show timeline results
2022-11-09 SPL-224816, SPL-232036, SPL-232477 Standard mode federated searches of accelerated data models with 'tstats' fail or produce unexpected behavior when 'prestats=t'
2022-05-12 SPL-220289, SPL-245017 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Charting, reporting, and visualization issues

Date resolved Issue number Description
2023-03-01 SPL-236548, SPL-237216, SPL-236740 SXML dashboards without the "version=" stanza in the search app may have <set>..</set> tags changed to <set /> when upgrading to 9.0.3 or 9.0.4
2023-02-27 SPL-234045 "Invalid value" for earliest/latest in time token in "Advanced" time range section
2023-01-31 SPL-235340 Overlapping UI elements in Dashboard Studio when global banner with hyperlink is used
2023-01-31 SPL-235420 Link to Dashboard show first 30 apps
2022-12-06 SPL-233133, SPL-223193 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2022-12-05 SPL-231930, SPL-233667 Refresh not working as expected when chunking is used
2022-12-01 SPL-228658, SPL-236371, SCP-57718 "Down Arrow" for chart legend scrolling does not work
2022-11-15 SPL-231315, SPL-214759, SPL-232576 Custom VIZ - data chunk duplication
2022-11-14 SPL-231838 Form fieldset input choice strings are not localized
2022-10-19 SPL-230678 "Dashboard not found" error after changing permissions
2022-10-03 SPL-217434, SPL-230995, SPL-230996 custom viz never receive meta.data.done = true with base post search
2022-09-20 SPL-230171, SPL-230364, SPL-240369, SPL-232173 Charts not showing in SimpleXML dashboard PDF export
2022-05-25 SPL-221382 Map visualizations are not supported in Dashboard Studio export
2022-05-05 SPL-223193, SPL-233133 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"

Distributed search and search head clustering issues

Date resolved Issue number Description
2022-06-13 SPL-225573, SPL-225560 Can't work around slow failure issues in SHC proxied /search/jobs requests because timeouts are not configurable.

Indexer and indexer clustering issues

Date resolved Issue number Description
2023-02-02 SPL-235074, SPL-207384 Searches return incomplete results during addPeer/BatchAdding after Cluster Manager restart.
2022-10-13 SPL-228672, SPL-231396 validation of bundle returns "restart required" always on any app when there is a password field with encrypted bundles

Universal forwarder issues

Date resolved Issue number Description
2023-10-27 SPL-246145, SPL-233334 Warnings "user splunk does not exist" observed while installing rpm builds
2023-10-27 SPL-246143, SPL-233334 Warnings "user splunk does not exist" observed while installing rpm builds
2023-10-27 SPL-246256, SPL-233334 Warnings "user splunk does not exist" observed while installing rpm builds
2023-02-15 SPL-232028, SPL-236165, SPL-236166 Windows Defender logs stop being forwarded but other Winevent logs continue to forward until UF is restarted
2022-11-02 SPL-231793 Crashing in TcpOutEloop thread with assertion_failure="_refCount > 0"

Monitoring Console issues

Date resolved Issue number Description
2022-10-31 SPL-223475, SPL-190358 Monitoring console Index Usage for maxTotalDataSizeMB does not handle SmartStore

Splunk Web and interface issues

Date resolved Issue number Description
2023-05-23 SPL-239623, SPL-220440 Global banner with hyperlink breaks UI layout.
2022-11-14 SPL-231838 Form fieldset input choice strings are not localized

Windows-specific issues

Date resolved Issue number Description
2023-02-15 SPL-232028, SPL-236165, SPL-236166 Windows Defender logs stop being forwarded but other Winevent logs continue to forward until UF is restarted
2023-01-05 SPL-233007, SPL-234066 KV Store fails to find the private key for a given certificate on Windows. It searches for -sslCertificateSelector subject=US

Uncategorized issues

Date resolved Issue number Description
2023-09-18 SPL-233858 Splunk kernel drivers have expired on existing Windows installations
2023-01-10 SPL-233484 Crash on SplunkConfigChangeWatcherThread - Splunkd crashing while config_change_tracker enabled and file changes happen on a disabled app
2022-06-22 SPL-204428, SPL-203620 AWS SDK log messages should not be turned on for on-prem builds
2022-06-13 SPL-225531, SPL-225490 Splunk's REST API HTTP server can be blocked for long periods of time by internally proxied "/search/jobs" requests.
Last modified on 20 June, 2024
Field alias behavior change   Deprecated and removed in version 9.1

This documentation applies to the following versions of Splunk® Enterprise: 9.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters