Splunk Cloud Platform

Release Notes

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Known and fixed issues for

This page lists selected known issues and fixed issues for .

See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective known and fixed issues.

Version 9.0.2208

This version includes the following known issues:

Date filed or added Issue number Description
2024-06-04 SPL-237180 Saved searches on Splunk Cloud Platform that are owned by nobody are scheduled using the default time zone settings in the user-prefs.conf file instead of the system time zone in Splunk Cloud. However, searches are run internally as splunk-system-user, which is tied to system time in Splunk Cloud Platform and is based on UTC (Coordinated Universal Time).

The mismatch between the default time zone settings in the user-prefs.conf file and Splunk Cloud system time can lead to discrepancies in search results when the time zones for nobody and splunk-system-user get out of sync.

If you're experiencing mismatched time zones with nobody-owned searches following migration from Splunk Enterprise to Splunk Cloud Platform, reassign the searches to a user account attached to a role, so that the searches aren't assigned to nobody. An alternative workaround is to set the schedules for nobody-owned saved searches to UTC, which ensures that the search schedules match system time.

2024-02-11 SPL-250916 Add a filter to the GET SHs only of all deployment clients in check_bundles_ready of dc_helpers.py.
2023-07-20 SPL-240969 props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions.

Workaround:
Do not save search-time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transforms.conf under a different app.
2023-05-22 SPL-240242 Federated Search: When exporting results, the remote search head (RSH) returns exceptions when it sees federated search head (FSH) socket errors. The RSH should ignore FSH socket errors.
2023-05-02 SPL-239436 In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-28 SPL-239339 Workload Management ignores Place in Pool action.
2023-03-30 SPL-238029 Standard mode federated search - A multistats search with a tstats subsearch where prestats=t and a federated index is used as a data model throws an error.
2022-12-14 SPL-234045 "Invalid value" for earliest/latest in time token in "Advanced" time range section.

Workaround: Replace the Earliest/Latest values in the Advanced section of the time range picker. This temporary workaround must be done each time the dashboard is opened.

2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented under transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
To suppress the error, set precalculate_required_fields_for_alerts=0 on saved searches that have no alert actions attached other than the "Run A Script" action. For saved searches that have multiple alert actions attached, this may not be safe: it disables back propagation of required fields for all alert actions, which might cause the parent search to extract more fields than required and could negatively impact performance for that search.
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing.

Workaround: To stop a proxy bundle (pb_t1) from being sent endlessly from the remote deployment to its indexers, you need to ensure that the local deployment generates a new bundle. Once this new bundle is generated and sent to the remote deployment (as pb_t2), the remote deployment will stop sending the previous bundle to the indexers.

To make sure that happens:

  1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle.
  2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser, such as Chrome or Firefox.

This version fixes the following issue:

Date filed or added Issue number Description
2023-06-29 SPL-241621 Dashboards are loading slower than typical.

Workaround:
Set disable_highcharts_accessibility=true in web-features.conf to restore dashboard performance.
2022-08-12 SPL-224045 Data intended for Summary Indexes may be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.

Version 9.0.2205

This version includes the following known issues:

Date filed or added Issue number Description
2023-05-22 SPL-240242 Federated Search: When exporting results, the remote search head (RSH) returns exceptions when it sees federated search head (FSH) socket errors. The RSH should ignore FSH socket errors.
2023-05-02 SPL-239436 In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-28 SPL-239339 Workload Management ignores Place in Pool action.
2023-03-30 SPL-238029 Standard mode federated search - A multistats search with a tstats subsearch where prestats=t and a federated index is used as a data model throws an error.
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented under transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-08-12 SPL-224045 Data intended for Summary Indexes may be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
To suppress the error, set precalculate_required_fields_for_alerts=0 on saved searches that have no alert actions attached other than the "Run A Script" action. For saved searches that have multiple alert actions attached, this may not be safe: it disables back propagation of required fields for all alert actions, which might cause the parent search to extract more fields than required and could negatively impact performance for that search.
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing.

Workaround: To stop a proxy bundle (pb_t1) from being sent endlessly from the remote deployment to its indexers, you need to ensure that the local deployment generates a new bundle. Once this new bundle is generated and sent to the remote deployment (as pb_t2), the remote deployment will stop sending the previous bundle to the indexers.

To make sure that happens:

  1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle.
  2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser, such as Chrome or Firefox.

This version fixes the following issues:

Date filed or added Issue number Description
2022-08-19 SPL-223193 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2022-07-21 SPL-227163 Frequent disable and enable updates of ssg_enable_modular_input causes search head instability and configuration file replication delays.

Workaround: Disable the splunk_secure_gateway app.

2022-03-17 SPL-220932 On the Classic Experience, private app upload fails without any error message even when the AppInspect field check_that_app_passes_slim_validation_for_cloud triggers a warning.

Workaround:
Validate with AppInspect report that this check (check_that_app_passes_slim_validation_for_cloud) is triggering a warning. Address the warning to pass this section. Errors are typically related to SLIM and the manifest file(s) packaged within the app.

Version 8.2.2203

This version includes the following known issues:

Date filed or added Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented under transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-08-19 SPL-223193 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2022-08-12 SPL-224045 Data intended for Summary Indexes may be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
To suppress the error, set precalculate_required_fields_for_alerts=0 on saved searches that have no alert actions attached other than the "Run A Script" action. For saved searches that have multiple alert actions attached, this may not be safe: it disables back propagation of required fields for all alert actions, which might cause the parent search to extract more fields than required and could negatively impact performance for that search.
2022-07-27 SPL-227530 Splunk-to-Splunk federated search: After upgrade, the remote search head gets stuck in a loop of transferring proxy bundles to the remote indexers and failing.

Workaround: To stop a proxy bundle (pb_t1) from being sent endlessly from the remote deployment to its indexers, you need to ensure that the local deployment generates a new bundle. Once this new bundle is generated and sent to the remote deployment (as pb_t2), the remote deployment will stop sending the previous bundle to the indexers.

To make sure that happens:

  1. There must be a valid transparent mode federated provider definition that connects the local deployment to the remote deployment that keeps sending the proxy bundle.
  2. You can create a dummy tag on the local deployment to trigger the bundle replication from the local deployment to the remote deployment.
2022-07-21 SPL-227163 Frequent disable and enable updates of ssg_enable_modular_input causes search head instability and configuration file replication delays.

Workaround: Disable the splunk_secure_gateway app.

2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-03-17 SPL-220932 On the Classic Experience, private app upload fails without any error message even when the AppInspect field check_that_app_passes_slim_validation_for_cloud triggers a warning.

Workaround:
Validate with AppInspect report that this check (check_that_app_passes_slim_validation_for_cloud) is triggering a warning. Address the warning to pass this section. Errors are typically related to SLIM and the manifest file(s) packaged within the app.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser, such as Chrome or Firefox.

This version fixes the following issues:

Date filed or added Issue number Description
2022-05-02 SPL-223508 When trying to load a Studio dashboard, the page shows "Splunk Cloud is currently under maintenance."
2022-01-19 SPL-217505 Federated searches fail when table command is used

Workaround:
Fix a federated search that runs into this issue by appending | noop search_optimization.replace_table_with_fields=f to the search string.

Version 8.2.2202

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented under transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-08-19 SPL-223193 "Open in Search" function doesn't work with chained searches in Dashboard Studio when the time range depends on an input/token, showing error "Invalid earliest_time"
2022-08-12 SPL-224045 Data intended for Summary Indexes may be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
To suppress the error, set precalculate_required_fields_for_alerts=0 on saved searches that have no alert actions attached other than the "Run A Script" action. For saved searches that have multiple alert actions attached, this may not be safe: it disables back propagation of required fields for all alert actions, which might cause the parent search to extract more fields than required and could negatively impact performance for that search.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-05-02 SPL-223508 When trying to load a Studio dashboard, the page shows "Splunk Cloud is currently under maintenance."

Workaround:

  • Restarting the search head fixes the issue temporarily.
  • A more permanent workaround is to set enforce_dashboards_csp=false under the [settings] stanza in etc/system/local/web.conf. After you change this setting, a restart is required for it to take effect.
2022-03-17 SPL-220932 On the Classic Experience, private app upload fails without any error message even when the AppInspect field check_that_app_passes_slim_validation_for_cloud triggers a warning.

Workaround:
Validate with AppInspect report that this check (check_that_app_passes_slim_validation_for_cloud) is triggering a warning. Address the warning to pass this section. Errors are typically related to SLIM and the manifest file(s) packaged within the app.
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-22 PAPP-23255 In version 4.1.73 of Phantom App on Splunk, there is an erroneous error message when syncing workbooks. The sync performs successfully, but upon completion, the error message states that the sync failed. You can safely ignore this error message. A fix will be included in the next GA release of Phantom App on Splunk.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser, such as Chrome or Firefox.

This version fixes the following issue:

Date filed Issue number Description
2022-03-17 SPL-220924 On the Victoria Experience, the Uploaded Apps UI page fails to load if a Splunk-managed app is uploaded with the same ID and version number through the self-service UI.

Workaround:
Contact Splunk Support to reinstall the app.

Version 8.2.2201

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-08-12 SPL-224045 Data intended for Summary Indexes may be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
To quash the error, set precalculate_required_fields_for_alerts=0 on saved searches that have no alert actions attached other than the "Run A Script" action. For saved searches that have multiple alert actions attached, this may not be safe: it disables back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required and could negatively impact performance for that search.
2022-03-09 SPL-220289 Federated Search Transparent Mode: Commands that have subsearches like join and append may result in failures on RSH due to missing application context

Workaround:
If the search is being run in an application context that does not exist on the remote deployment, install the missing application on the remote deployment.
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-22 PAPP-23255 In version 4.1.73 of Phantom App on Splunk, there is an erroneous error message when syncing workbooks. The sync performs successfully, but upon completion, the error message states that the sync failed. You can safely ignore this error message. A fix will be included in the next GA release of Phantom App on Splunk.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issue:

Date filed Issue number Description
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head

Version 8.2.2112

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-08-12 SPL-224045 Data intended for Summary Indexes may be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
To quash the error, set precalculate_required_fields_for_alerts=0 on saved searches that have no alert actions attached other than the "Run A Script" action. For saved searches that have multiple alert actions attached, this may not be safe: it disables back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required and could negatively impact performance for that search.
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issue:

Date filed Issue number Description
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.

Version 8.2.2111

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-08-12 SPL-224045 Data intended for Summary Indexes may be misrouted to the default "main" index and lead to incomplete search results for searches using the Summary Index.
2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
To quash the error, set precalculate_required_fields_for_alerts=0 on saved searches that have no alert actions attached other than the "Run A Script" action. For saved searches that have multiple alert actions attached, this may not be safe: it disables back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required and could negatively impact performance for that search.
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed Issue number Description
2021-10-21 SPL-213892 Splunkbase apps installed via self-service cannot be upgraded in Victoria Experience version 8.2.2109.

The following error message appears: An error occurred while installing the app:400

Version 8.2.2109

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-01-19 SPL-217505 Federated searches fail when 'table' command is used

Workaround:
Fix a federated search that runs into this issue by appending `| noop search_optimization.replace_table_with_fields=f` to the search string.
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.
2021-10-21 SPL-213892 Splunkbase apps installed via self-service cannot be upgraded in Victoria Experience version 8.2.2109.

The following error message appears: An error occurred while installing the app:400

2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-09-02 SPL-211648 In transparent mode, federated search with eventtype and macro is not applied to remote deployment search head
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed Issue number Description
2021-08-12 SPL-210244 No default value selected on radio buttons in Simple XML dashboards
2021-08-05 SPL-209879 Unable to upload private apps in .tar.gz format on Victoria Experience.

Workaround:
Upload the app in .tar format

Version 8.2.2107

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2021-12-03 SPL-215861 EPS drops after upgrade as a result of default 50k export cap in limits.conf.
2021-10-21 SPL-214005 Victoria Experience self-service app install: Lookups deployed by apps cannot be managed via UI, Admin Config Service (ACS API), or Splunk REST APIs.

Workarounds:
  • Edit and update lookup files using the Splunk app for Lookup File Editing.
  • Use the outputlookup command to update the lookup.
2021-08-12 SPL-210244 No default value selected on radio buttons in Simple XML dashboards
2021-08-05 SPL-209879 Unable to upload private apps in .tar.gz format on Victoria Experience.

Workaround:
Upload the app in .tar format
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

Version 8.2.2106

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2021-08-05 SPL-209879 Unable to upload private apps in .tar.gz format on Victoria Experience.

Workaround:
Upload the app in .tar format
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed Issue number Description
2021-06-29 SPL-207228 Invalid UTF-8 bytes (stats search corruption) in audit.log search results break search head cluster heartbeat communication
2021-05-13 SPL-205645 Index deletion fails in deployments on Victoria Experience
2021-05-11 SPL-205528 manager/search/datainputstats only displays a maximum of 30 modular inputs

Version 8.2.2105

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy
2021-05-13 SPL-205645 Index deletion fails in deployments on Victoria Experience
2021-05-11 SPL-205528 manager/search/datainputstats only displays a maximum of 30 modular inputs
2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed Issue number Description
2021-06-30 SPL-207554 Savedsearches.conf not in sync/not replicating to all SHC members

Version 8.2.2104

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy


Version 8.1.2103

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2021-05-24 SPL-206131 Examples Hub does not load when using a reverse proxy

This version fixes the following issues:

Date filed Issue number Description
2021-04-21 SPL-201945 streamstats command not functioning as expected after upgrade

Version 8.1.2101

This version includes the following known issues:

Date filed Issue number Description
2022-12-02 SPL-226717 The behavior of the maxspan and maxpause arguments for the transaction command is currently reversed from the way it is documented in transaction in the Splunk Platform Search Reference. This bug will be fixed in a future release.

The following are the current behaviors for the maxspan and maxpause arguments:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit.
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2021-04-21 SPL-201945 streamstats command not functioning as expected after upgrade
Last modified on 19 September, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2208

