Known and fixed issues for
This page lists selected known issues and fixed issues for this release of . Use the Version drop-down list to see known issues and fixed issues for other versions of .
This version includes the following known issues:
|Date filed or added||Issue number||Description|
|2023-07-20||SPL-240969||props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions.|
Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app.
|2023-06-29||SPL-241368||Updating HEC token in Splunk Web with upper case 'Default' as the index causes an empty index to be set.|
|2023-06-29||SPL-241274||Dashboard Studio fails to load dashboards and displays the error "Cannot convert undefined or null to object" when search results return "null" values. |
Replace the "null" value with "empty" by appending an SPL replace command to the search query. For example,
|2023-05-30||Not applicable||ACS endpoint connections fail after June 4, 2023 or HEC sessions fail after June 14, 2023 with error messages that mention SSL, TLS, or HTTP error 503 or 525. See Cloud Platform Discontinuing support for TLS version 1.0 and 1.1.|
|2023-05-22||SPL-240242||Federated Search: When exporting results, the remote search head (RSH) returns exceptions when it sees federated search head (FSH) socket errors. The RSH should ignore FSH socket errors.|
|2023-05-10||SPL-239808||For customers running Splunk Cloud Platform version 9.0.2303 on Google Cloud Platform (GCP), Splunk Secure Gateway does not work. All features including device management and registration are not functional.|
|2023-05-09||SPL-239689||In transparent mode Federated Search for Splunk, custom search commands and the "outputlookup" command should run only on the local deployment. Instead they run on the remote deployment, leading to errors, incorrect results.|
|2023-05-02||SPL-239436||In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode|
Define the lookup on both federated search head and remote search head.
|2023-04-27||SPL-239293||Transparent Mode Federated Search: Check to turn off forwarding DMA or RA summarization search runs causes federated searches to fail.|
|2023-04-24||SPL-237902||Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy.|
Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include
Running the same search without including
|2023-04-17||SPL-238767||Standard mode federated search with longer-than-a-minute |
Workaround: If you encounter this issue, update the federated provider definition (created on the federated search head in Splunk Web), so that its Remote Host points to a remote deployment cluster member instead of to the remote deployment cluster load balancer.
|2023-04-14||SPL-238738||Federated search does not support the "Show Source" field action in either standard or transparent mode.|
|2023-04-11||SPL-238512||The federated search UI does not support mapping federated indexes to data model datasets that have dot characters in their names.|
|2023-03-30||SPL-238029||Standard mode federated search - A multistats search with a tstats subsearch where prestats=t and a federated index is used as a data model throws an error.|
|2023-03-28||SPL-237883||Transparent Mode federated search - Using table and stats in the same federated search causes the search to return empty results.|
|2023-03-14||SPL-237265||Sometimes when a search is aborted by workload rule, 'wlm_terminated' information message is not written to audit log|
|2022-08-23||SPL-228969||Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character|
This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is
|2022-07-29||SPL-227633||Error : Script execution failed for external search command 'runshellscript'|
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
|2022-06-15||SPL-226877||Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space|
Use REST API to create the federated saved search instead:
|2022-02-25||SPL-219793||Some commands in federated searches return incorrect |
|2022-02-22||SPL-219540||outputlookup command in a federated search creates output on RSH|
|2022-02-08||SPL-218842||Some reporting commands in federated search return incorrect |
|2021-04-30||SPL-205069||onunloadCancelJobs failed to cancel search job on Safari|
Use another browser such as Chrome or Firefox
This version fixes the following issues:
|Date filed or added||Issue number||Description|
|2023-01-31||SPL-226717||The current behavior of the |
|2023-01-26||SPL-235416||Case sensitive sourcetypes in Ingest Actions UI preview won't fetch results|
|2022-12-14||SPL-234045||"Invalid value" for earliest/latest in time token in "Advanced" time range section.|
Workaround: Replace the Earliest/Latest values in the Advanced section of the time range picker. This temporary workaround must be done each time the dashboard is opened.
Previously, the following search with the regular expression
Now that the behavior of the caret ( ^ ) has been fixed, the same search returns one row of results. in order to generate three rows of results like before, the regular expression in the search must be changed to
The results of the search look something like this:
|2022-10-12||SPL-226038||In a transparent mode federated tstats search of an accelerated data model that is located only on the FSH, results are returned only from the FSH, not the RSH, when summariesonly=t|
|2022-03-25||SPL-224816||Standard mode federated searches with tstats fail or produce unexpected behavior when prestats=t|
|2023-04-04||SPL-212295||Federated searches over Splunk Cloud Platform deployments that are set up as transparent mode federated providers might fail after those deployments upgrade to 9.0.2303.|
Workaround: Update the service account role on the transparent mode federated provider so that the role has access to the indexes that must be available for federated searches. See Service accounts and federated search security in the Search Manual.
|2023-03-07||SPL-233037||For a KV Store autolookup with 'case_sensitive_match' set to default/true, when the SPL searches for a case sensitive field value (that is, <field name as in props.conf>=<case sensitive field value>) the reverse lookup is performed incorrectly. The root cause is the default value of `reverse_lookup_honor_case_sensitive_match` being changed from true to false.|
Splunk Cloud Platform Field alias behavior change
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2303