Known and fixed issues for

This page lists selected known issues and fixed issues for this release of . Use the Version drop-down list to see known issues and fixed issues for other versions of .

See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective known and fixed issues.

Version 9.2.2406

This version includes the following known issues:

Date filed or added	Issue number	Description
2024-09-05	SPL-262259	Splunk to Splunk Federated searches do not utilize the dispatch.index_earliest and dispatch.index_latest parameters in the saved search configuration when the search is dispatched to the remote search head, leading to incorrect results. Workaround: These parameters can be added as a part of the search string, using the `_index_earliest` and `_index_latest` time modifiers. This will send the parameters correctly to the remote search head. See List of time modifiers in the Search Reference.
2024-08-27	SPL-261604	On-prem to Splunk Cloud transparent mode federated searches that use KVservice fail because the remote search head doesn't use the proxy bundle of the federated (local) search head. Workaround: If the failure is related to a `lookup` search not being resolved on the remote deployment, do this: Add `local=true` next to the invocation of the lookup in the search string. This addition forces the lookup to resolve on the local deployment and prevents the search from failing on the remote deployment. The remote deployment cannot access that lookup because the remote deployment uses KVservice, which does not engage in bundle replication.
2024-08-13	SPL-260705	sdselect - json_extract() and json_extract_exact() return quoted strings Workaround: Use the `trim()` evaluation function to remove the double quotes from strings returned by `json_extract()` and `json_extract_exact()` evaluation functions in `sdselect` searches. See Text functions in the Search Reference.
2024-07-19	SPL-257366	Using NOT with subsearch is failing with WARN message "Unable to extract et and lt from search with sid".
2024-07-15	SPL-251833	You might receive a Bulletin message in Splunk Web from indexers and indexer cluster members that indicates a security risk warning for the allowed e-mail domains list for alert actions that reads as follows: Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web. You might receive this message multiple times, once for every indexer or indexer cluster member that is in your environment. It can happen any time that an indexer or indexer cluster member restarts. If you receive this Bulletin message from an indexer or indexer cluster member, you can safely dismiss it without further action. If you receive the message from or while logged into a search head or search head cluster member, then the potential security risk that it indicates is valid. To address the problem, configure the list of internet domains to which the search head can send emails as part of alert actions, as described in Configure email notification for your Splunk instance in the Alerting Manual.
2024-06-04	SPL-237180	Saved searches on Splunk Cloud Platform that are owned by nobody are scheduled using the default time zone settings in the user-prefs.conf file instead of the system time zone in Splunk Cloud. But, searches are run internally as splunk-system-user, which is tied to system time in Splunk Cloud Platform and is based on UTC (Coordinated Universal Time). The mismatch between the default time zone settings in the user-prefs.conf file and Splunk Cloud system time can lead to potential discrepancies in search results under certain conditions when the time zones for nobody and splunk-system-user get out of sync. If you're experiencing mismatched time zones with nobody owned searches following migration from Splunk Enterprise to Splunk Cloud Platform, reassign searches to a user account attached to a role, so searches aren't assigned to nobody. An alternative workaround is to set the schedules for nobody-owned saved searches to UTC, which ensures that searches are the same as system time.
2024-04-12	SPL-254077	CIDR match for tstats with ipv6 addresses isn't supported. The `tstats` command currently doesn't filter events with CIDR match on fields that contain IPv6 addresses. Running `tstats` searches containing IPv6 addresses might result in the following error indicating that the addresses are treated as non-exact queries: Error in 'TsidxStats': WHERE clause is not an exact query
2024-01-05	SPL-240774	The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value Workaround: Perform field extractions by modifying your searches using other commands, such as the `rex` command or `eval` command.
2023-07-26	SPL-242487	Dashboard charts do not support screen reader or keyboard navigation.
2023-07-20	SPL-240969	props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions. Workaround: Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app.
2023-05-30	Not applicable	ACS endpoint connections fail after June 4, 2023 or HEC sessions fail after June 14, 2023 with error messages that mention SSL, TLS, or HTTP error 503 or 525. See Cloud Platform Discontinuing support for TLS version 1.0 and 1.1.
2023-05-02	SPL-239436	In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode Workaround: Define the lookup on both federated search head and remote search head.
2023-04-24	SPL-237902	Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy. Workaround: Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include `latest=now` in order to avoid time range inaccuracies. For example, if you want to get all events from the last 10 seconds starting at 01:00:10, the following search returns all events that occur between the time of 01:00:00 and 01:00:10, as expected: `index=main earliest=-10s latest=now`. Running the same search without including `latest=now` might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches.
2023-04-14	SPL-238738	Federated search does not support the "Show Source" field action in either standard or transparent mode.
2022-08-23	SPL-228969	Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is `Network_Traffic`, you cannot map a federated index to the subordinate data model dataset `Network_Traffic.All_Traffic`. As a workaround, users can run `tstats` searches that use the `nodename` argument to filter out data that does not belong to a specific data model dataset: `\| tstats ... where nodename=Network_Traffic.All_Traffic`.
2022-07-29	SPL-227633	Error : Script execution failed for external search command 'runshellscript' Workaround: The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.
2022-06-15	SPL-226877	Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space Workaround: Use REST API to create the federated saved search instead: `curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1`. See Federated search endpoint descriptions in the REST API Reference Manual.
2021-04-30	SPL-205069	onunloadCancelJobs failed to cancel search job on Safari Workaround: Use another browser such as Chrome or Firefox

This version fixes the following issues:

Date filed or added	Issue number	Description
2024-08-14	SPL-258393	Field filters now supports custom roles. By default, to create, edit, or delete field filters, you must be a member of the admin or sc_admin role. To view field filters, you must be a member of the admin, sc_admin, or power user role. See Define roles on the Splunk platform with capabilities in Securing Splunk Platform.
2024-02-11	SPL-250916	Add a filter to the GET SHs only of all deployment clients in check_bundles_ready of dc_helpers.py.

Related answers from Splunk Community

Known and fixed issues for

Version 9.2.2406

Comments

Known and fixed issues for Splunk Cloud Platform

Was this topic useful?