Splunk Cloud Platform

Release Notes

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Known and fixed issues for

This page lists selected known issues and fixed issues for this release of . Use the Version drop-down list to see known issues and fixed issues for other versions of .

See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective known and fixed issues.

Version 9.2.2406

This version includes the following known issues:

Date filed or added Issue number Description
2024-11-19 SPL-266456 Federated Search -- > Cannot see or list federated indexes to assign / provide role-based access control


Workaround:
In Splunk Web, you can use a wildcard to identify one or more federated indexes and then assign them as searchable indexes for a role.

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings and then select Roles.
  2. Select the name of a role that you have given to users who run federated searches.
  3. Select 3. Indexes to display the contents of the Indexes tab.
  4. In the Wildcards section, enter a string that begins with Federated*, followed by the name of the federated index you want to assign to the role.
    For example, a string such as Federated*index123 will match an index named Federated:index123. However, note that wildcard strings can match multiple federated indexes. For example, Federated*index123 will also match a federated index named Federated:Myindex123, if it exists.
  5. Select Included for the federated* index that appears in the index list, to allow users with this role to see search results from the index or indexes that match the wildcard string.
  6. Select Save to save the changes you have made.
2024-09-17 SPL-263193 Nearly all data is duplicated for modular inputs in the Victoria search head cluster due to broken lease logic.
This issue is fixed in this release for patch version 9.2.2406.110 and higher.
2024-09-05 SPL-262259 Splunk to Splunk Federated searches do not utilize the dispatch.index_earliest and dispatch.index_latest parameters in the saved search configuration when the search is dispatched to the remote search head, leading to incorrect results.


Workaround:
These parameters can be added as a part of the search string, using the _index_earliest and _index_latest time modifiers. This will send the parameters correctly to the remote search head. See List of time modifiers in the Search Reference.

2024-08-27 SPL-261604 On-prem to Splunk Cloud transparent mode federated searches that use KVservice fail because the remote search head doesn't use the proxy bundle of the federated (local) search head.


Workaround:
If the failure is related to a lookup search not being resolved on the remote deployment, do this: Add local=true next to the invocation of the lookup in the search string. This addition forces the lookup to resolve on the local deployment and prevents the search from failing on the remote deployment. The remote deployment cannot access that lookup because the remote deployment uses KVservice, which does not engage in bundle replication.

2024-08-13 SPL-260705 sdselect - json_extract() and json_extract_exact() return quoted strings


Workaround:
Use the trim() evaluation function to remove the double quotes from strings returned by json_extract() and json_extract_exact() evaluation functions in sdselect searches. See Text functions in the Search Reference.

2024-07-19 SPL-257366 Using NOT with subsearch is failing with WARN message "Unable to extract et and lt from search with sid".
2024-07-15 SPL-251833 You might receive a Bulletin message in Splunk Web from indexers and indexer cluster members that indicates a security risk warning for the allowed e-mail domains list for alert actions that reads as follows:

Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web.

You might receive this message multiple times, once for every indexer or indexer cluster member that is in your environment. It can happen any time that an indexer or indexer cluster member restarts.

  • If you receive this Bulletin message from an indexer or indexer cluster member, you can safely dismiss it without further action.
  • If you receive the message from or while logged into a search head or search head cluster member, then the potential security risk that it indicates is valid. To address the problem, configure the list of internet domains to which the search head can send emails as part of alert actions, as described in Configure email notification for your Splunk instance in the Alerting Manual.
2024-06-04 SPL-237180 Saved searches on Splunk Cloud Platform that are owned by nobody are scheduled using the default time zone settings in the user-prefs.conf file instead of the system time zone in Splunk Cloud. But, searches are run internally as splunk-system-user, which is tied to system time in Splunk Cloud Platform and is based on UTC (Coordinated Universal Time).


The mismatch between the default time zone settings in the user-prefs.conf file and Splunk Cloud system time can lead to potential discrepancies in search results under certain conditions when the time zones for nobody and splunk-system-user get out of sync.

If you're experiencing mismatched time zones with nobody owned searches following migration from Splunk Enterprise to Splunk Cloud Platform, reassign searches to a user account attached to a role, so searches aren't assigned to nobody. An alternative workaround is to set the schedules for nobody-owned saved searches to UTC, which ensures that searches are the same as system time.

2024-04-12 SPL-254077 CIDR match for tstats with ipv6 addresses isn't supported.

The tstats command currently doesn't filter events with CIDR match on fields that contain IPv6 addresses. Running tstats searches containing IPv6 addresses might result in the following error indicating that the addresses are treated as non-exact queries:

Error in 'TsidxStats': WHERE clause is not an exact query
2024-01-05 SPL-240774 The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value


Workaround:
Perform field extractions by modifying your searches using other commands, such as the rex command or eval command.

2023-07-26 SPL-242487 Dashboard charts do not support screen reader or keyboard navigation.
2023-07-20 SPL-240969 props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions.

Workaround:
Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app.
2023-05-30 Not applicable ACS endpoint connections fail after June 4, 2023 or HEC sessions fail after June 14, 2023 with error messages that mention SSL, TLS, or HTTP error 503 or 525. See Cloud Platform Discontinuing support for TLS version 1.0 and 1.1.
2023-05-02 SPL-239436 In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode

Workaround:
Define the lookup on both federated search head and remote search head.
2023-04-24 SPL-237902 Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy.

Workaround: Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include latest=now in order to avoid time range inaccuracies. For example, if you want to get all events from the last 10 seconds starting at 01:00:10, the following search returns all events that occur between the time of 01:00:00 and 01:00:10, as expected: index=main earliest=-10s latest=now.

Running the same search without including latest=now might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches.

2023-04-14 SPL-238738 Federated search does not support the "Show Source" field action in either standard or transparent mode.
2022-08-23 SPL-228969 Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character

Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is Network_Traffic, you cannot map a federated index to the subordinate data model dataset Network_Traffic.All_Traffic.

As a workaround, users can run tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic.

2022-07-29 SPL-227633 Error : Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-06-15 SPL-226877 Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround: Use REST API to create the federated saved search instead:
curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1.
See Federated search endpoint descriptions in the REST API Reference Manual.

2021-04-30 SPL-205069 onunloadCancelJobs failed to cancel search job on Safari

Workaround:
Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed or added Issue number Description
2024-09-17 SPL-263193 Nearly all data is duplicated for modular inputs in the Victoria search head cluster due to broken lease logic. This issue is fixed in this release for patch version 9.2.2406.110 and higher.
2024-08-14 SPL-258393 Field filters now supports custom roles. By default, to create, edit, or delete field filters, you must be a member of the admin or sc_admin role. To view field filters, you must be a member of the admin, sc_admin, or power user role. See Define roles on the Splunk platform with capabilities in Securing Splunk Platform.
2024-02-11 SPL-250916 Add a filter to the GET SHs only of all deployment clients in check_bundles_ready of dc_helpers.py.
Last modified on 05 December, 2024
What's new   Splunk Cloud Platform Field alias behavior change

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters