Splunk Stream

Release Notes

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Known issues

Version 7.2.0 of Splunk Stream contains the following known issues.

If no issues appear below, no issues have yet been reported:

Date filed Issue number Description
2022-11-08 STREAM-5280 Character limit of ssl_subject of TCP protocol of SplunkStream
2021-08-18 STREAM-4918 Stream is not decoded - OCI functions
2020-12-08 STREAM-4641, STREAM-4635 Update the actual hostname if stream events host has value $decideOnStartup

Workaround:
Create the etc/system/local/inputs.conf file with the actual hostname manually.
2020-08-20 STREAM-4522 ES configuration template disables NetFlow

Workaround:
Look to be ES_IP_RAW this is the problem

 

The problem is on line 157 there is two commas:

  },,    

    {

      "aggType": "value",        "desc": "VXLAN Network Identifier",        "enabled": true,        "name": "vxlan_id",        "term": "flow.vxlan-id"     }     ],

Remove the extra comma to make it look like: 

   },    
   {

      "aggType": "value",        "desc": "VXLAN Network Identifier",        "enabled": true,        "name": "vxlan_id",        "term": "flow.vxlan-id"     }     ],

2020-01-06 STREAM-4301, STREAM-4409 Windows: Capture stops with "pcap_loop returned error code -1 read error: PacketReceivePacket failed; network capture stopped" and isn't restarted

Workaround:
Re-configure one of the streams assigned to the forwarder in the Stream app, for example, you can add/enable a dummy stream and disable it again later, or change on of the configuration options for an existing Stream

https://docs.splunk.com/Documentation/StreamApp/latest/User/ConfigureStreamsMetadata or restarting Splunk Forwarder service in Windows, for example through services.msc

Sample scenario where you might run into this: Reconfiguration of the NIC while Stream is running (for example, changing the flow control mode in our testing)

2019-10-31 STREAM-4235 PCAP files are not getting ingested from UI in 7.2

Workaround:
The workaround is to load pcap file from a command line. This can be done from any machine that has Stream TA installed.  Invoke the streamfwd binary directly with the '-r' option:  streamfwd -r <pcap file>
Last modified on 25 May, 2023
Fixed issues   Boost C++

This documentation applies to the following versions of Splunk Stream: 7.2.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters