Splunk Cloud Platform

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Known and fixed issues for

This page lists selected known issues and fixed issues for this release of . Use the Version drop-down list to see known issues and fixed issues for other versions of .

See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective known and fixed issues.


Version 9.0.2303

This version includes the following known issues:

Date filed or added Issue number Description
2023-07-20 SPL-240969 props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions.

Workaround:
Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app.
2023-06-29 SPL-241368 Updating HEC token in Splunk Web with upper case 'Default' as the index causes an empty index to be set.
2023-06-29 SPL-241274 Dashboard Studio fails to load dashboards and displays the error "Cannot convert undefined or null to object" when search results return "null" values.

Workaround: Replace the "null" value with "empty" by appending an SPL replace command to the search query. For example, | replace "null" WITH "empty" IN <fieldname>.

2023-05-30 Not applicable ACS endpoint connections fail after June 4, 2023 or HEC sessions fail after June 14, 2023 with error messages that mention SSL, TLS, or HTTP error 503 or 525. See Cloud Platform Discontinuing support for TLS version 1.0 and 1.1.
2023-05-22 SPL-240242 Federated Search: When exporting results, the remote search head (RSH) returns exceptions when it sees federated search head (FSH) socket errors. The RSH should ignore FSH socket errors.
2023-05-10 SPL-239808 For customers running Splunk Cloud Platform version 9.0.2303 on Google Cloud Platform (GCP), Splunk Secure Gateway does not work. All features including device management and registration are not functional.
2023-05-09 SPL-239689 In transparent mode Federated Search for Splunk, custom search commands and the "outputlookup" command should run only on the local deployment. Instead they run on the remote deployment, leading to errors, incorrect results.
2023-05-02 SPL-239436 In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-27 SPL-239293 Transparent Mode Federated Search: Check to turn off forwarding DMA or RA summarization search runs causes federated searches to fail.
2023-04-24 SPL-237902 Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy.

Workaround: Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include latest=now in order to avoid time range inaccuracies. For example, if you want to get all events from the last 10 seconds starting at 01:00:10, the following search returns all events that occur between the time of 01:00:00 and 01:00:10, as expected: index=main earliest=-10s latest=now.

Running the same search without including latest=now might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches.

2023-04-17 SPL-238767 Standard mode federated search with longer-than-a-minute from command searches might encounter socket ReadWrite errors when the federated provider points to a cloud load balancer, due to idle timeout on the LoadBalancer config

Workaround: If you encounter this issue, update the federated provider definition (created on the federated search head in Splunk Web), so that its Remote Host points to a remote deployment cluster member instead of to the remote deployment cluster load balancer.

2023-04-14 SPL-238738 Federated search does not support the "Show Source" field action in either standard or transparent mode.
2023-04-11 SPL-238512 The federated search UI does not support mapping federated indexes to data model datasets that have dot characters in their names.
2023-03-30 SPL-238029 Standard mode federated search - A multistats search with a tstats subsearch where prestats=t and a federated index is used as a data model throws an error.
2023-03-28 SPL-237883 Transparent Mode federated search - Using table and stats in the same federated search causes the search to return empty results.
2023-03-14 SPL-237265 Sometimes when a search is aborted by workload rule, 'wlm_terminated' information message is not written to audit log
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1.
See Federated search endpoint descriptions in the REST API Reference Manual.

2022-02-25 SPL-219793 Some commands in federated searches return incorrect resultCount values when run in Verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-22 SPL-219540 outputlookup command in a federated search creates output on RSH
2022-02-08 SPL-218842 Some reporting commands in federated search return incorrect eventCount

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed or added Issue number Description
2023-01-31 SPL-226717 The current behavior of the maxspan and maxpause arguments for the transaction command is now correctly documented in transaction in the Splunk Platform Search Reference.

The maxspan and maxpause arguments are documented as follows:

maxspan
Syntax: maxspan=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If value is negative, the maxspan constraint is disabled and there is no limit. .
Default: -1 (no limit)
maxpause
Syntax: maxpause=<int>[s | m | h | d]
Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than the integer specified for maxpause. Events that exceed the maxpause limit are treated as part of a separate transaction. If the value is negative, the maxpause constraint is disabled and there is no limit.
Default: -1 (no limit)
2023-01-26 SPL-235416 Case sensitive sourcetypes in Ingest Actions UI preview won't fetch results
2022-12-14 SPL-234045 "Invalid value" for earliest/latest in time token in "Advanced" time range section.

Workaround: Replace the Earliest/Latest values in the Advanced section of the time range picker. This temporary workaround must be done each time the dashboard is opened.

2022-10-26 SPL-230549 The rex function in default mode now treats the caret ( ^ ) properly. For example, the following search extracts 192..

| makeresults | fields - _* * | eval ip_input = "192.168.1.1" | rex offset_field=offset max_match=0 field=ip_input "^(?<extract>\d+\.)" | table ip_input extract offset

Previously, the following search with the regular expression ^(?<roles>\S+)\n* incorrectly returned three rows.

| makeresults | eval roles="ess_analyst ess_correlation_engineer<br><br/> user" | rex max_match=0 field=roles "^(?<roles>\S+)\n*"

Now that the behavior of the caret ( ^ ) has been fixed, the same search returns one row of results. in order to generate three rows of results like before, the regular expression in the search must be changed to (?m)^(?<role>\S+), like this:

|makeresults | eval roles="ess_analyst ess_correlation_engineer user" | rex max_match=0 field=roles "(?m)^(?<role>\S+)"

The results of the search look something like this:

_time role roles
2023-05-19 21:18:57 ess_analyst

ess_correlation_engineer
user

ess_analyst

ess_correlation_engineer
user

2022-10-12 SPL-226038 In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t
2022-03-25 SPL-224816 Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t
2023-04-04 SPL-212295 Federated searches over Splunk Cloud Platform deployments that are set up as transparent mode federated providers might fail after those deployments upgrade to 9.0.2303.

Workaround: Update the service account role on the transparent mode federated provider so that the role has access to the indexes that must be available for federated searches. See Service accounts and federated search security in the Search Manual.

2023-03-07 SPL-233037 For a KV Store autolookup with 'case_sensitive_match' set to default/true, when the SPL searches for a case sensitive field value (that is, <field name as in props.conf>=<case sensitive field value>) the reverse lookup is performed incorrectly. The root cause is the default value of `reverse_lookup_honor_case_sensitive_match` being changed from true to false.
Last modified on 19 September, 2023
PREVIOUS
New features 		  NEXT
Splunk Cloud Platform Field alias behavior change

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2303

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters