Known issues - Splunk Documentation (2024)

Splunk® Enterprise

Release Notes

  1. Documentation
  2. Splunk® Enterprise
  3. Release Notes
  4. Known issues

What's new

Known issues for this release

  • Known issues
  • Increased skipped search rate after upgrade to 9.0
  • Splunk Enterprise and anti-virus products
  • Workaround for network accessibility issues on Splunk Windows systems under certain conditions
  • Performance Monitor inputs show maximum values of 100 percent usage for a process on multicore Microsoft Windows machines
  • Transparent huge memory pages and Splunk performance
  • Linux kernel memory overcommitting and Splunk crashes
  • Splunk Enterprise and NUMA architectures
  • Field alias behavior change

Fixed issues

Deprecated features

Third-party software

Known issues - Splunk Documentation (12)

  • Known issues with backup systems
  • How do I work around known issue ITSI-4387?
  • Any known issues when upgrading from 7.0.5 to 7.1....
  • Any known issues with upgrading to Splunk version ...
  • How to find further documentation on the defect nu...
  • Splunk Query issue
  • CSV file parsing issue
  • charting.data.count worked in Splunk 6.2.x, but wh...
  • Issue with transforms.conf
  • Known issue

Read more...

The following are issues and workarounds for this version of Splunk Enterprise.

Issues are listed in all relevant sections. Some issues appear more than once.

Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.

For a list of deprecated features and platforms, refer to Deprecated features and removed features in this manual.

Upgrade issues

Date filedIssue numberDescription
2024-04-04SPL-253690, SPL-247255Issue with Splunk Enterprise version 9.1.x and 9.2.0 when connected to proxy server

Workaround:
An enhancement was introduced to the search process in Splunk Enterprise version 9.1.1 that optimizes searches by using the peer's IP address instead of querying DNS for the target peers. If an http_proxy is specified in the server.conf file, the enhancement causes the originating peer's IP address to fail to resolve. As a result, the IP address of the proxy, instead of the originating peer, is logged and utilized in the peers.csv file during search operations, causing the following error message to display in Splunk Web: "Received error from proxy server".


To disable the new DNS query optimization and eliminate the error, add the following setting to the distsearch.conf file:

[distributedSearch]useIPAddrAsHost=false

2024-02-20SPL-251301Unable to install/upgrade Splunk Enterprise & UF RPM package v9.2.x on the same server.
2020-08-31SPL-194426External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-07-10SPL-191850The .deb installation package will fail if dpkg version doesn't support an .xz compressed control file.

Workaround:
Update dpkg to version 1.17.6 or later.

2018-04-13SPL-153403After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


Authentication and authorization issues

Date filedIssue numberDescription
2022-04-06SPL-222105When all inherited roles are taken out from admin role, it will cause admin user failed to show other users even though all capabilities is set natively.

Workaround:
Two possible approaches:

1. Remove the option grantableRoles = admin from authorize.conf - this is not permanent workaround and will need to be done every time admin role is modified.

2. Add any capabilities that the other user roles have to the "admin" role.

2020-12-04SPL-198284, SPL-231587Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default

Workaround:
Set limits.conf back to default, by removing any override of max_searches_per_process.

For example:

[search]max_searches_per_process=1

to

[search]
2018-04-13SPL-153403After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2016-07-26SPL-125052Sole Admin can demote themself to Power without path of recovery in GUI.

Workaround:
Through the command line, you can open notepad and modify the password file to regain 'Admin' status.

Data input issues

Date filedIssue numberDescription
2022-08-17SPL-228646, SPL-228645Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-08-09SPL-228117, SPL-257140"file" is incorrectly listed as a supported scheme for ingest actions in outputs.conf.spec
2022-04-08SPL-222366Ingest Actions does not work with Splunk Free, Personalized Devtest, Developer, and Forwarder-only licenses

Search issues

Date filedIssue numberDescription
2024-05-09SPL-255514"| timechart count" search is causing Splunk to crash with "Crashing thread: searchOrchestrator"

Workaround:
When using a search with only the timechart command in a search:

| timechart count

Splunk instance will crash with "Crashing thread: searchOrchestrator". Currently there is no workaround other than not using this search string

2024-04-12SPL-254077, SPL-241370CIDR match for tstats with ipv6 addresses isn't supported

Workaround:
The tstats command currently doesn't filter events with CIDR match on fields that contain IPv6 addresses. Running tstats searches containing IPv6 addresses might result in the following error indicating that the addresses are treated as non-exact queries:

Error in 'TsidxStats': WHERE clause is not an exact query

2024-04-04SPL-253690, SPL-247255Issue with Splunk Enterprise version 9.1.x and 9.2.0 when connected to proxy server

Workaround:
An enhancement was introduced to the search process in Splunk Enterprise version 9.1.1 that optimizes searches by using the peer's IP address instead of querying DNS for the target peers. If an http_proxy is specified in the server.conf file, the enhancement causes the originating peer's IP address to fail to resolve. As a result, the IP address of the proxy, instead of the originating peer, is logged and utilized in the peers.csv file during search operations, causing the following error message to display in Splunk Web: "Received error from proxy server".


To disable the new DNS query optimization and eliminate the error, add the following setting to the distsearch.conf file:

[distributedSearch]useIPAddrAsHost=false

2023-06-09SPL-240774The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value

Workaround:
Perform field extractions by modifying your searches using other commands, such as the rex command or eval command.

2023-04-14SPL-238738Federated Search for Splunk does not support the "Show Source" Field Action
2023-03-28SPL-237902Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy

Workaround:
Ad hoc searches searches that use the earliest time modifier with a relative time offset should also include 'latest=now' in order to avoid time range inaccuracies. For example, if you want to get all events from the last 10 seconds starting at 01:00:10, the following search returns all events that occur between the time of 01:00:00 and 01:00:10, as expected.

index=main earliest=-10s latest=now

Running the same search without including 'latest=now' might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches. See Specify earliest relative time offset and latest time in ad hoc searches in the Splunk platform Search Manual.

2022-07-29SPL-227633Error: Script execution failed for external search command 'runshellscript'

Workaround:
The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert action attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search.

2021-12-21SPL-216787Searches are cancelled or time out when the user leaves the browser window or switches tabs.

Workaround:
In Splunk Enterprise 8.1.7, 8.2.4, and higher change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62.

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

2021-09-22SPL-212495, SPL-196040, SPL-219811Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles

Workaround:
none

2020-12-04SPL-198284, SPL-231587Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default

Workaround:
Set limits.conf back to default, by removing any override of max_searches_per_process.

For example:

[search]max_searches_per_process=1

to

[search]
2020-08-31SPL-194426External search command chunked v2 python SDK fails with multibyte result data under python 3.

Workaround:
Apps may experience this issue if they: implement a custom search command using the Splunk Enterprise SDK for Python between versions 1.6.5 and 1.6.13; are executed by Splunk Enterprise or Splunk Cloud using Python 3; and are sent events with multi-byte characters.

App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps.

Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available.

2020-02-12SPL-183259When generating LISPY for field values that are numbers (""), the values aren't deduplicated, which can cause slowdowns in certain scenarios

Workaround:
Dedup values in search before, for example:

instead of

index="field_test" [search index="field_test" globalCallID_callId=1234* | fields globalCallID_callId]

add a stats or dedup in the subsearch:

index="field_test" [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]

If that list is still large and you're seeing the slowdown, consider moving the filtering to a | where after the initial search, for example:

index="field_test" globalCallID_callId=* | where [search index="field_test" globalCallID_callId=123* | stats values(globalCallID_callId) AS globalCallID_callId | mvexpand globalCallID_callId ]
2020-01-10SPL-181573geostats provides incorrect results for lower zoom levels when split BY has a higher cardinality than globallimit.

Workaround:
- Increase globallimit to the value of "unique values" number mentioned in the warning message:

"The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count."

- Use very high globallimit in geostats and post process after if needed

- Don't use BY in geostats

- Use lower cardinality BY and/or higher globallimit in geostats

2017-07-13SPL-143111"Splunkd daemon is not responding" when edit local windows event log collection
2017-04-04SPL-140765Splunk having problems extracting json file consisting of 68k plus key-value pairs
2016-11-29SPL-133182When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead.
2014-10-02SPL-91638, SPL-107375For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member.

Federated search issues

Date filedIssue numberDescription
2024-01-18SPL-249666, SPL-244551FS-StandardMode: Standalone sub-search with HEAD doesn't return any results
2023-09-20SPL-244927, SPL-244124, SPL-247063, SPL-246460, PSRT-7170Federated searches that include 'table' or 'rex' commands return 0 events when run in verbose mode
2023-09-05SPL-244248, SPL-239298Federated Search, Enterprise --> Cloud configuration: Performance degradation increases when the number of indexers increases in the RSH

Workaround:
One possible workaround is to use a more efficient query. For example, use "| tstats count where index=main by splunk_server" instead of "index=main | stats count by splunk_server".


Another workaround is to change the max_workers_searchparser setting to a value lower than its default.

Use this workaround if you are using your Splunk Enterprise federated search head (FSH) instance only for running federated searches. This workaround might affect non-federated searches.

On the Splunk Enterprise FSH, follow these steps:

  1. Create limits.conf in a local/ folder.
  2. Set the max_workers_searchparser setting to a number lower than its default (1 or 2). For more information about this setting see the Admin Manual.
  3. Test which setting value provides a better performance.

2023-07-20SPL-242282, SPL-242864Federated Searches fail for union commands when query optimization diverge between FSH x RSH
2023-05-02SPL-239436In standard mode federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH

Workaround:
Define the lookup on both federated search head and remote search head.

2023-04-14SPL-238738Federated Search for Splunk does not support the "Show Source" Field Action
2023-04-10SPL-238501Federated search "outputlookup" command cannot add data to local lookup table

Workaround:
Define the same lookup on the remote search head too, so the remote search head will not error out early and return 0 results.

2022-10-19SPL-231712Create/Edit Role - In the UI, the "Wildcards" tool cannot be used to specify allowed federated indexes for standard mode federated search
2022-07-15SPL-226877Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space

Workaround:
Use REST API to create the federated saved search instead:

curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1
See [[Documentation:SplunkCloud:latest:RESTREF:RESTfederated|Federated search endpoint descriptions]] in the REST API Reference Manual.

2022-05-31SPL-225037Remote dataset dropdown menu resets to "Index" after selecting federated provider
2022-02-25SPL-219793Some commands in federated searches return incorrect resultCount values when run in verbose mode

Workaround:
Use Verbose and Smart mode specifically for searches with transforming commands like stats, chart, and timechart, and then review the results in the Statistics tab. To review event counts, run non-transforming searches in Fast mode.

Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending | fields * to the ends of your searches.

2022-02-08SPL-218841Reporting command in verbose mode returns 0 events despite correct event_count
2021-10-14SPL-213745, SPL-251131Standard mode federated search: Unable to set federated index as default index

Saved search, alerting, scheduling, and job management issues

Date filedIssue numberDescription
2023-07-21SPL-242301, SPL-231558The UI trigger for summary rebuild doesn't work for some accelerated data models that have no root-event dataset and have a reporting command in first root search dataset

Workaround:
The workaround is to change the Data Model definition to reorder the root search objects such that the root search object that can be accelerated is the very first one in the list.

For instance, for the provided `test_internal_audit_logs.json`, edit the JSON file on disk and move `failed_searches` dataset before `fully_completed_searches`.

2023-07-07SPL-241821Data Model Accelerations that have Automatic Rebuilds enabled may lead to unbounded memory growth due to search expansion, resulting in Out of Memory errors

Workaround:
For a data model that is experiencing high memory usage, perform the following steps:

  1. On your Splunk platform deployment, in Splunk Web, select Settings and then Data Models.
  2. Select Edit for the data model that is experiencing high memory usage, and then select Edit Acceleration.
  3. Open Advanced Settings.
  4. Disable Automatic Rebuilds.

Furthermore, applying index constraints to restrict the list of indexes searched for building a given DMA summary and applying tags allowlisting would help curtail the memory usage.

2019-09-20SPL-176812Multiple SH Clustering with single deployer can't use datamodel summary sharing
2018-09-19SPL-160286The data preview for the Add Data workflow does not display for Log to Metrics source types
2017-11-29SPL-146802Distributed environment requires index defined on search head for log event alerts
2017-08-14SPL-143947Report acceleration is broken for users with a configured role-based access filter

Charting, reporting, and visualization issues

Date filedIssue numberDescription
2023-11-23SPL-247466Dashboard Studio layers button is not working in Windows 10

Workaround:
Change object layers by manually editing the order of elements in the layout structure in the dashboard definition.

2023-06-14SPL-240965Dashboard Studio home dashboard flickers on specific viewport resolutions with scrollbar visibility set to always

Workaround:
Resize the viewport or current monitor resolution. If the issue persists, try changing the dimensions of the dashboard.

2023-06-08SPL-240750Inconsistency in displayed timezone in Dashboard Studio when using time range tokens
2016-04-27SPL-118911In SHC, referenced saved real-time searches in a dashboard do not stream results.

Workaround:
See Troubleshoot referenced real-time searches for workaround details.

Distributed search and search head clustering issues

Date filedIssue numberDescription
2021-09-22SPL-212495, SPL-196040, SPL-219811Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles

Workaround:
none

2021-03-26SPL-203060The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:

  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Removes comments preceded by a hash.
  • Reorders the KV pairs alphanumerically within a stanza.
  • Reorders stanzas within the file.
2017-11-29SPL-146802Distributed environment requires index defined on search head for log event alerts
2017-03-13SPL-138654Splunk searches fail when filepath gets too long on Windows
2016-07-12SPL-124085On Search Head Cluster It is not possible to remove an App from the SHs once it has been disabled.

Data model and pivot issues

Date filedIssue numberDescription
2023-07-21SPL-242301, SPL-231558The UI trigger for summary rebuild doesn't work for some accelerated data models that have no root-event dataset and have a reporting command in first root search dataset

Workaround:
The workaround is to change the Data Model definition to reorder the root search objects such that the root search object that can be accelerated is the very first one in the list.

For instance, for the provided `test_internal_audit_logs.json`, edit the JSON file on disk and move `failed_searches` dataset before `fully_completed_searches`.

2023-07-07SPL-241821Data Model Accelerations that have Automatic Rebuilds enabled may lead to unbounded memory growth due to search expansion, resulting in Out of Memory errors

Workaround:
For a data model that is experiencing high memory usage, perform the following steps:

  1. On your Splunk platform deployment, in Splunk Web, select Settings and then Data Models.
  2. Select Edit for the data model that is experiencing high memory usage, and then select Edit Acceleration.
  3. Open Advanced Settings.
  4. Disable Automatic Rebuilds.

Furthermore, applying index constraints to restrict the list of indexes searched for building a given DMA summary and applying tags allowlisting would help curtail the memory usage.

2019-09-20SPL-176812Multiple SH Clustering with single deployer can't use datamodel summary sharing

Indexer and indexer clustering issues

Date filedIssue numberDescription
2024-05-29SPL-256658, SPL-255517Indexer Discovery deadlock during tcpout reload
2016-08-25SPL-127353Data rebalance finishes early when one peer is the source for all buckets

Workaround:
when only one indexer in a cluster indexed data (has all the searchable copies), rebalance once before adding the new indexer, and then rebalance a second time

Universal forwarder issues

Date filedIssue numberDescription
2022-08-17SPL-228646, SPL-228645Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid
2022-06-23SPL-226019Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
2022-03-23SPL-221239System Introspect App fails when universal forwarder is installed at non-admin user

Monitoring Console issues

Date filedIssue numberDescription
2021-03-29SPL-203100Summary page on monitoring console doesn't show correct RF/SF when not running on the CM.
2019-11-13SPL-179528The splunktcp and splunktcp-ssl stanzas are not reloadable in inputs.conf
2017-08-14SPL-143981Uninstall app dialog does not show the app name correctly when the app doesn't have the label
2017-05-24SPL-141982Upload modal should use size=large File element
2017-04-19SPL-141274Clicking Install multiple times in Install dialog causes error
2016-11-14SPL-132151XML error when trying to download uninstalled app

Splunk Web and interface issues

Date filedIssue numberDescription
2022-05-31SPL-225037Remote dataset dropdown menu resets to "Index" after selecting federated provider
2021-12-21SPL-216787Searches are cancelled or time out when the user leaves the browser window or switches tabs.

Workaround:
In Splunk Enterprise 8.1.7, 8.2.4, and higher change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62.

Details
This issue is caused by power saving settings in recent browser versions, where Javascript timers may be throttled. The user typically sees the following message in the search window on foreground searches:

DAG Execution Exception: Search has been cancelled
Search auto-canceled
The search job has failed due to an error. You may be able to view the job in the Job Inspector

2017-07-13SPL-143111"Splunkd daemon is not responding" when edit local windows event log collection

Windows-specific issues

Date filedIssue numberDescription
2024-06-24SPL-257961On Windows Splunk Enterprise Platform process instrument-resource-usage continuing growing its handles count for handle object Process.

Workaround:
Either proactively monitor and restart Splunk or kill splunkd process "instrument-resource-usage".

Alternatively, disable introspection altogether. In the introspection_generator_addon app

add the [introspection:generator:resource_usage] stanza in %SPLUNK_HOME%\etc\apps\introspection_generator_addon\local\server.confas follow: [introspection:generator:resource_usage]disabled = trueacquireExtra_i_data = false

REST, Simple XML, and Advanced XML issues

Date filedIssue numberDescription
2020-07-28SPL-192792tsidxWritingLevel and other fields are set empty after updating index in UI
2017-07-13SPL-143111"Splunkd daemon is not responding" when edit local windows event log collection
2016-10-31SPL-131072Datamodel backend allows invalid time values

PDF issues

Date filedIssue numberDescription
2016-11-23SPL-132925Table data rows generated with the addcoltotals command do not show up in PDF

Workaround:
If you are using addcoltotals to generate a totals data row, renaming the _time field can cause PDF generation issues.

Remove the label and labelfield or change the label to a number to generate the PDF as expected.

Admin and CLI issues

Date filedIssue numberDescription
2021-03-26SPL-203060The splunkd process changes the local distsearch.conf on service start

Workaround:
There is no workaround. After upgrading to Splunk Enterprise 8.x, the splunkd process checks and modifies the local/distsearch.conf on each service start. The process will:

  • Remove any settings that define default values already set in the /default/distsearch.conf file.
  • Removes comments preceded by a hash.
  • Reorders the KV pairs alphanumerically within a stanza.
  • Reorders stanzas within the file.
2020-07-28SPL-192792tsidxWritingLevel and other fields are set empty after updating index in UI
2020-04-14SPL-186365Users are able to create/clone knowledge objects into apps where they lack permissions
2019-08-05SPL-174406, SPL-109254Root unable to run splunk cli if SPLUNK_OS_USER is set
2018-08-13SPL-158658A timeout or slow response when accessing Splunk Web Licensing page

Workaround:
A timeout or slow performance of the license management page is caused by a build-up of historical license warning messages, which are processed every time the page is accessed. Can be verified by running this search on the License Manager:

| rest splunk_server=local /services/licenser/messages

If a high value is returned for that end point, you are likely affected. Log a support ticket with Splunk to obtain a license reset key, and apply the key to clear out any historical license warning messages. After the reset license is applied, the license management pages should load normally.

2017-11-29SPL-146820Unable to access some settings/manager pages (data model editor) if starting from the setup page of a non-visible app

Workaround:
Navigate to a visible app, such as the search and reporting app, and access the Splunk settings pages from that app context.

2017-11-07SPL-146255limits.conf enable_clipping cloropleth setting is app/user tunable rather than global like the rest of limits.conf
2017-04-03SPL-140747SSL connection in Python when using new ciphers may be slow.
2016-11-09SPL-131880Reports/Alerts owned by the deleted user cannot be found in the Orphaned filter for the Reassign Knowledge Objects page

Uncategorized issues

Date filedIssue numberDescription
2024-05-21SPL-256104Maximum daily volume for a pool displayed as Unlimited, when license maximum typed in manually in 'A specific amount' field

Workaround:
When setting up maximum daily volume for this pool, choose 'The license maximum' option.

2023-09-25SPL-245071, SCP-64986Splunk Assist causes excessive logging before activation, sometimes on instances that do not run Splunk Assist at all

Workaround:
Disable Splunk Assist fully on those instances, see "Turn off Splunk Assist" in the Splunk Documentation for the procedure: https://docs.splunk.com/Documentation/Splunk/9.1.1/DMC/ActivateAssist#Turn_off_Splunk_Assist

Modular inputs can be disabled individually in $SPLUNK_HOME/etc/apps/splunk_assist/local/inputs.conf

2022-11-14SPL-232803Job endpoint /services/search/jobs not returning QUEUED jobs

Workaround:
Queued job displays using job endpoint with SID:

| rest /services/search/jobs/1668102339.174_23558BC9-6A39-4F4A-9FD2-968C358489B7 splunk_server=local

2021-04-24SPL-204740, SPL-204735Deletion of a workload pool is allowed if there is a 'disabled' rule that is related to that workload pool and this can cause errors if the rule is re-enabled later

Workaround:
To prevent this issue: When you delete a workload pool, please make sure that you delete any disabled workload rules that are associated with that workload pool.

To resolve the issue if you encounter this: Disable or delete the workload rule that is associated with a workload pool that does not exist anymore.

2021-03-19SPL-202682The license usage report tab name is Previous 60 days, but the reports run over the last 30 days
2020-08-10SPL-193389Parallel upload is not supported in gcp-sse-kms encryption mode

Workaround:
In the volumes using gcp-sse-kms encryption mode, specify "remote.gs.upload_chunk_size = 0" to disable parallel upload.

2020-07-30SPL-192936Subsecond search - When you update metric.timestampResolution via the UI, it is not updated on the search head index.conf file. This does not affect search functionality.
2019-10-03SPL-177447Bundle replication takes longer than expected time for indexers that have bundleEnforcerBlacklist configured
2019-09-26SPL-177144, SPL-177326Under heavy search workload, the search memory usage estimation may be higher than actual usage
2019-09-25SPL-177008, SPL-176710, SPL-177009Workload management fails to enable for addition of a pool with 1% cpu and 1% memory
2019-09-16SPL-176514Offline rebuild of unsearchable bucket may lead to stale information in dbinspect searches
2019-09-13SPL-176447SmartStore: Migration uploads of auto_high_volume buckets can fail indefinitely due to an XFS bug

Workaround:
Before migration, lower the max_concurrent_uploads setting in server.conf to 2.

After migration, revert the setting to the default of 8.

2019-07-19SPL-173449, SPL-173259timezone isn't stored for start_time/end_time of rule schedule every_day/every_week/every_month
2019-03-26SPL-168314SmartStore standalone instance + Monitoring Console: Bootstrapping panel needs to reflect the standalone bootstrapping process
2018-03-20SPL-152330, SPL-151992After installing Splunk on Windows using msiexec and the "GENRANDOMPASSWORD=1" option (and if generated password ends with backslash) admin is unable to login with msg "No users exist. Please set up a new user."

Workaround:
Create a $SPLUNK_HOME/etc/system/local/user-seed.conf and restart Splunk

[user_info]
PASSWORD = <yourpassword>


2017-06-29SPL-142789, SPL-95144Indexed message for Windows security event logs shows "FormatMessage error"

Workaround:
Splunk believes this was introduced in a Microsoft Windows patch. The workaround is to configure a delayed start of the Splunk service(s) so that it starts after the Windows Event Log service.

2017-05-09SPL-141693DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list.
2017-04-27SPL-141478, SPL-237563$_index_name does not resolve properly when used with the thawedPath pathname
2017-01-06SPL-134707Splunk restart does not create missing server.pem certificate on Windows

Workaround:
Use bin/splunk createssl server-cert -d etc/auth/ -n server to generate a new certificate.

2016-08-31SPL-127800Opting in to data sharing on a monitoring console produces duplicate data
2016-06-21SPL-123174JSON indexed_extractions doesn't work for TCP inputs

Splunk Analytics for Hadoop

Date filedIssue numberDescription
2017-04-04ERP-2040Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x

Workaround:
Upgrade Hadoop to 2.8.2 or higher.

2015-09-09ERP-1650timestamp data type not properly deserialized.
2015-08-05ERP-1619Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception.

Workaround:
Reenable the bucket copy saved search and let it run, or force the archiving to happen via | archivebuckets force=1 and then rerun the search.

2015-07-07ERP-1598minsplit rampup - splits generation takes too long.

Workaround:
Set minsplits=maxsplits

2015-05-12ERP-1502Non-accelerated pivot search on Pivot UI page waits for a long time to return result.
2015-01-08ERP-1343, SPL-95174Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error.

Workaround:
Add the journal.gz to the input path's blacklist (vix.input.1.ignore = ....)

2014-10-27ERP-1216Data Explorer preview does not honor existing sourcetypes for big5/sjis files.
2014-10-03ERP-1164Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory.

Workaround:
To mitigate this issue, make sure that vix.splunk.home.hdfs (or Working directory in the UI) is unique on both search heads that are not in a pool. To keep your instances in the same working directory, configure vix.splunk.search.cache.path to be unique on both search heads.

Last modified on 03 July, 2024

Welcome to Splunk Enterprise 9.2Increased skipped search rate after upgrade to 9.0

This documentation applies to the following versions of Splunk® Enterprise: 9.2.2

Download manual

Download this page

Back To Top

Known issues

  • Upgrade issues
  • Authentication and authorization issues
  • Data input issues
  • Search issues
  • Federated search issues
  • Saved search, alerting, scheduling, and job management issues
  • Charting, reporting, and visualization issues
  • Distributed search and search head clustering issues
  • Data model and pivot issues
  • Indexer and indexer clustering issues
  • Universal forwarder issues
  • Monitoring Console issues
  • Splunk Web and interface issues
  • Windows-specific issues
  • REST, Simple XML, and Advanced XML issues
  • PDF issues
  • Admin and CLI issues
  • Uncategorized issues
  • Splunk Analytics for Hadoop

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

Known issues - Splunk Documentation (15)

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here »

Closing this box indicates that you accept our Cookie Policy.

Known issues - Splunk Documentation (2024)

FAQs

What are two of the most common types of errors in Splunk? ›

Three Common Errors Customers Face in Splunk
  • Data not coming in from a Universal Forwarder or other data input type. ...
  • “Orphaned” knowledge objects. ...
  • Compatibility Issues.
Feb 28, 2023

What problems does Splunk solve? ›

Splunk Enterprise Security is our SIEM that helps you do all sorts of things, including security monitoring, incident response and management, compliance and threat hunting. Our SOAR, user behavior analytics (UBA) and observability solutions.

Where are Splunk error logs? ›

Logging locations

The Splunk software internal logs are located in: $SPLUNK_HOME/var/log/splunk . This path is monitored by default, and the contents are sent to the _internal index. If the Splunk software is configured as a Forwarder, a subset of the logs are monitored and sent to the indexing tier.

What log file do I check first if there is a problem with Splunk? ›

Check %SPLUNK_HOME%\var\log\splunk\metrics. log for information about the status of Splunk's processing queue.

What are the 3 major types of error in error analysis? ›

Types of Errors
  • Gross Errors.
  • Random Errors.
  • Systematic Errors.

What are the 3 types of errors we often need to debug? ›

For whimsical reasons, programming errors are called bugs and the process of tracking them down is called debugging. Three kinds of errors can occur in a program: syntax errors, runtime errors, and semantic errors. It is useful to distinguish between them in order to track them down more quickly.

What is the disadvantage of Splunk? ›

Common disadvantages of the technology include:

Deploying Splunk can become expensive when managing large volumes of data. Optimizing searches to improve speed can be tricky and impractical. The tool's dashboards are not as reliable as other tools such as Tableau.

How to improve Splunk performance? ›

If you specify TERM(192.0. 2.255) , the Splunk software treats the IP address as a single term, instead of individual numbers. Using the TERM directive to search for terms that contain minor breakers improves search performance.

What are the three main components of Splunk? ›

Splunk Components. The primary components in the Splunk architecture are the forwarder, the indexer, and the search head.

How to check errors in Splunk? ›

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main . Use the OR operator to specify one or multiple indexes to search.

How do I monitor logs in Splunk? ›

You can do this by going to the Splunk web interface and entering a search string. This will bring up a list of all the events that match your search. You can then use the Splunk filters to further refine your results and get the specific data that you require.

How to filter error logs in Splunk? ›

Filter ESXi logs example
  1. To filter ESXi logs, locate and open the props. conf file for Splunk_TA_esxilogs on the intermediate forwarder for syslog data. ...
  2. In the props.conf file, create an entry as per the following: ...
  3. Locate and open the transforms. ...
  4. Splunk Enterprise filters data based on sourcetype at index time.
Apr 13, 2022

How to troubleshoot Splunk issues? ›

log | grep ERROR”. Another way to examine the log files is through the Splunk Search and Reporting app. You can search against the internal Splunk indexes as follows: “index=_internal sourcetype=splunkd ERROR”. This should yield similar results.

How to query logs in Splunk? ›

To search your logs, follow these steps: Navigate to Log Observer. In the content control bar, enter a time range in the time picker if you know it. Select Index next to Saved Queries, then select the indexes you want to query.

How do I check error logs? ›

Click Start > Control Panel > System and Security > Administrative Tools. Double-click Event Viewer. Select the type of logs that you wish to review (ex: Windows Logs)

What are the two types of error? ›

This uncertainty can be of 2 types: Type I error (falsely rejecting a null hypothesis) and type II error (falsely accepting a null hypothesis). The acceptable magnitudes of type I and type II errors are set in advance and are important for sample size calculations.

What are the two major sources of error? ›

There are two types of errors: random and systematic. Random error occurs due to chance. There is always some variability when a measurement is made. Random error may be caused by slight fluctuations in an instrument, the environment, or the way a measurement is read, that do not cause the same error every time.

What are the two types of common errors in programming? ›

The 7 Most Common Types of Errors in Programming and How to Avoid Them
  • Syntax Errors.
  • Logic Errors.
  • Compilation Errors.
  • Runtime Errors.
  • Arithmetic Errors.
  • Resource Errors.
  • Interface Errors.
Sep 27, 2023

What are the two common types of errors found when debugging code? ›

5 types of programming errors that need debugging
  • Syntax errors.
  • Logical errors.
  • Runtime errors.
  • Compilation errors.
  • Memory leaks.
  • Conclusion.
Jun 6, 2023

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Foster Heidenreich CPA

Last Updated:

Views: 6057

Rating: 4.6 / 5 (56 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Foster Heidenreich CPA

Birthday: 1995-01-14

Address: 55021 Usha Garden, North Larisa, DE 19209

Phone: +6812240846623

Job: Corporate Healthcare Strategist

Hobby: Singing, Listening to music, Rafting, LARPing, Gardening, Quilting, Rappelling

Introduction: My name is Foster Heidenreich CPA, I am a delightful, quaint, glorious, quaint, faithful, enchanting, fine person who loves writing and wants to share my knowledge and understanding with you.