Known and fixed issues for
This page lists selected known issues and fixed issues for this release of . Use the Version drop-down list to see known issues and fixed issues for other versions of .
See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective known and fixed issues.
Version 9.2.2406
This version includes the following known issues:
Date filed or added | Issue number | Description |
---|---|---|
2024-11-19 | SPL-266456 | Federated Search -- > Cannot see or list federated indexes to assign / provide role-based access control
|
2024-09-17 | SPL-263193 | Nearly all data is duplicated for modular inputs in the Victoria search head cluster due to broken lease logic. This issue is fixed in this release for patch version 9.2.2406.110 and higher. |
2024-09-05 | SPL-262259 | Splunk to Splunk Federated searches do not utilize the dispatch.index_earliest and dispatch.index_latest parameters in the saved search configuration when the search is dispatched to the remote search head, leading to incorrect results.
|
2024-08-27 | SPL-261604 | On-prem to Splunk Cloud transparent mode federated searches that use KVservice fail because the remote search head doesn't use the proxy bundle of the federated (local) search head.
|
2024-08-13 | SPL-260705 | sdselect - json_extract() and json_extract_exact() return quoted strings
|
2024-07-19 | SPL-257366 | Using NOT with subsearch is failing with WARN message "Unable to extract et and lt from search with sid". |
2024-07-15 | SPL-251833 | You might receive a Bulletin message in Splunk Web from indexers and indexer cluster members that indicates a security risk warning for the allowed e-mail domains list for alert actions that reads as follows:Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web. You might receive this message multiple times, once for every indexer or indexer cluster member that is in your environment. It can happen any time that an indexer or indexer cluster member restarts.
|
2024-06-04 | SPL-237180 | Saved searches on Splunk Cloud Platform that are owned by nobody are scheduled using the default time zone settings in the user-prefs.conf file instead of the system time zone in Splunk Cloud. But, searches are run internally as splunk-system-user, which is tied to system time in Splunk Cloud Platform and is based on UTC (Coordinated Universal Time).
|
2024-04-12 | SPL-254077 | CIDR match for tstats with ipv6 addresses isn't supported. The Error in 'TsidxStats': WHERE clause is not an exact query |
2024-01-05 | SPL-240774 | The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value
|
2023-07-26 | SPL-242487 | Dashboard charts do not support screen reader or keyboard navigation. |
2023-07-20 | SPL-240969 | props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions. Workaround: Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app. |
2023-05-30 | Not applicable | ACS endpoint connections fail after June 4, 2023 or HEC sessions fail after June 14, 2023 with error messages that mention SSL, TLS, or HTTP error 503 or 525. See Cloud Platform Discontinuing support for TLS version 1.0 and 1.1. |
2023-05-02 | SPL-239436 | In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode Workaround: Define the lookup on both federated search head and remote search head. |
2023-04-24 | SPL-237902 | Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy. Workaround:
Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include Running the same search without including |
2023-04-14 | SPL-238738 | Federated search does not support the "Show Source" field action in either standard or transparent mode. |
2022-08-23 | SPL-228969 | Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character Workaround:
This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is |
2022-07-29 | SPL-227633 | Error : Script execution failed for external search command 'runshellscript' Workaround: The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search. |
2022-06-15 | SPL-226877 | Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space Workaround:
Use REST API to create the federated saved search instead: |
2021-04-30 | SPL-205069 | onunloadCancelJobs failed to cancel search job on Safari Workaround: Use another browser such as Chrome or Firefox |
This version fixes the following issues:
Date filed or added | Issue number | Description |
---|---|---|
2024-09-17 | SPL-263193 | Nearly all data is duplicated for modular inputs in the Victoria search head cluster due to broken lease logic. This issue is fixed in this release for patch version 9.2.2406.110 and higher. |
2024-08-14 | SPL-258393 | Field filters now supports custom roles. By default, to create, edit, or delete field filters, you must be a member of the admin or sc_admin role. To view field filters, you must be a member of the admin, sc_admin, or power user role. See Define roles on the Splunk platform with capabilities in Securing Splunk Platform. |
2024-02-11 | SPL-250916 | Add a filter to the GET SHs only of all deployment clients in check_bundles_ready of dc_helpers.py. |
What's new | Splunk Cloud Platform Field alias behavior change |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!