Splunk® Enterprise
Release Notes
Known issues
The following are issues and workarounds for this version of Splunk Enterprise.
Issues are listed in all relevant sections. Some issues appear more than once.
Refer to System requirements in the Installation Manual for a list of supported platforms and architectures.
For a list of deprecated features and platforms, refer to Deprecated features and removed features in this manual.
Upgrade issues
Date filed | Issue number | Description |
---|---|---|
2024-04-04 | SPL-253690, SPL-247255 | Issue with Splunk Enterprise version 9.1.x and 9.2.0 when connected to proxy server Workaround: `[distributedSearch]` `useIPAddrAsHost=false` |
2024-02-20 | SPL-251301 | Unable to install/upgrade Splunk Enterprise & UF RPM package v9.2.x on the same server. |
2020-08-31 | SPL-194426 | External search command chunked v2 python SDK fails with multibyte result data under python 3. Workaround: App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps. Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available. |
2020-07-10 | SPL-191850 | The .deb installation package will fail if dpkg version doesn't support an .xz compressed control file. Workaround: |
2018-04-13 | SPL-153403 | After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user." Workaround: [user_info] |
Authentication and authorization issues
Date filed | Issue number | Description |
---|---|---|
2022-04-06 | SPL-222105 | When all inherited roles are removed from the admin role, the admin user is unable to show other users even though all capabilities are set natively. Workaround: 1. Remove the option `grantableRoles = admin` from authorize.conf. This is not a permanent workaround and must be repeated every time the admin role is modified. 2. Add any capabilities that the other user roles have to the "admin" role. |
2020-12-04 | SPL-198284, SPL-231587 | Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default Workaround: For example: `[search]` `max_searches_per_process=1` to `[search]` |
2018-04-13 | SPL-153403 | After running the "clean userdata" command, admin is unable to login with msg "No users exist. Please set up a new user." Workaround: [user_info] |
2016-07-26 | SPL-125052 | Sole Admin can demote themself to Power without path of recovery in GUI. Workaround: |
Data input issues
Date filed | Issue number | Description |
---|---|---|
2022-08-17 | SPL-228646, SPL-228645 | Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid |
2022-08-09 | SPL-228117, SPL-257140 | "file" is incorrectly listed as a supported scheme for ingest actions in outputs.conf.spec |
2022-04-08 | SPL-222366 | Ingest Actions does not work with Splunk Free, Personalized Devtest, Developer, and Forwarder-only licenses |
Search issues
Date filed | Issue number | Description |
---|---|---|
2024-05-09 | SPL-255514 | `\| timechart count` search is causing Splunk to crash with "Crashing thread: searchOrchestrator" Workaround: `\| timechart count` Splunk instance will crash with "Crashing thread: searchOrchestrator". Currently there is no workaround other than not using this search string. |
2024-04-12 | SPL-254077, SPL-241370 | CIDR match for tstats with ipv6 addresses isn't supported Workaround: Error in 'TsidxStats': WHERE clause is not an exact query |
2024-04-04 | SPL-253690, SPL-247255 | Issue with Splunk Enterprise version 9.1.x and 9.2.0 when connected to proxy server Workaround: `[distributedSearch]` `useIPAddrAsHost=false` |
2023-06-09 | SPL-240774 | The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value Workaround: |
2023-04-14 | SPL-238738 | Federated Search for Splunk does not support the "Show Source" Field Action |
2023-03-28 | SPL-237902 | Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy Workaround: `index=main earliest=-10s latest=now` Running the same search without including 'latest=now' might produce unpredictable results or impact performance in certain scenarios when the search head is overloaded with ad hoc searches. See Specify earliest relative time offset and latest time in ad hoc searches in the Splunk platform Search Manual. |
2022-07-29 | SPL-227633 | Error: Script execution failed for external search command 'runshellscript' Workaround: |
2021-12-21 | SPL-216787 | Searches are cancelled or time out when the user leaves the browser window or switches tabs. Workaround: Details |
2021-09-22 | SPL-212495, SPL-196040, SPL-219811 | Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles Workaround: |
2020-12-04 | SPL-198284, SPL-231587 | Crash in search process in PrecacheUsersThread when max_searches_per_process is set lower than default Workaround: For example: `[search]` `max_searches_per_process=1` to `[search]` |
2020-08-31 | SPL-194426 | External search command chunked v2 python SDK fails with multibyte result data under python 3. Workaround: App developers whose apps implement a custom search command using a version of the Splunk Enterprise SDK for Python must update to version 1.6.14 or higher and release new versions of their apps. Splunk Enterprise and Splunk Cloud administrators who are using apps impacted by this issue must update to app versions that use the Splunk Enterprise SDK for Python version 1.6.14 or higher. If this is not possible, administrators are encouraged to either: allow these apps to be executed using Python 2; or cease usage of impacted apps until updated versions are available. |
2020-02-12 | SPL-183259 | When generating LISPY for field values that are numbers (""), the values aren't deduplicated, which can cause slowdowns in certain scenarios. Workaround: Instead of `index="field_test" [search index="field_test" globalCallID_callId=1234* \| fields globalCallID_callId]` add a stats or dedup in the subsearch: `index="field_test" [search index="field_test" globalCallID_callId=123* \| stats values(globalCallID_callId) AS globalCallID_callId \| mvexpand globalCallID_callId ]` If that list is still large and you're seeing the slowdown, consider moving the filtering to a `\| where` after the initial search, for example: `index="field_test" globalCallID_callId=* \| where [search index="field_test" globalCallID_callId=123* \| stats values(globalCallID_callId) AS globalCallID_callId \| mvexpand globalCallID_callId ]` |
2020-01-10 | SPL-181573 | geostats provides incorrect results for lower zoom levels when split BY has a higher cardinality than globallimit. Workaround: "The split by field <field> has a large number of unique values <number>. Chart column set will be trimmed to 10. Use globallimit argument to control column count." - Use very high globallimit in geostats and post process after if needed - Don't use BY in geostats - Use lower cardinality BY and/or higher globallimit in geostats |
2017-07-13 | SPL-143111 | "Splunkd daemon is not responding" when editing local Windows event log collection |
2017-04-04 | SPL-140765 | Splunk having problems extracting json file consisting of 68k plus key-value pairs |
2016-11-29 | SPL-133182 | When two datasets have identical names but one is local (private) while the other is global, attempts to view or extend the global dataset use results from the local dataset instead. |
2014-10-02 | SPL-91638, SPL-107375 | For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member. |
Federated search issues
Date filed | Issue number | Description |
---|---|---|
2024-01-18 | SPL-249666, SPL-244551 | FS-StandardMode: Standalone sub-search with HEAD doesn't return any results |
2023-09-20 | SPL-244927, SPL-244124, SPL-247063, SPL-246460, PSRT-7170 | Federated searches that include 'table' or 'rex' commands return 0 events when run in verbose mode |
2023-09-05 | SPL-244248, SPL-239298 | Federated Search, Enterprise --> Cloud configuration: Performance degradation increases when the number of indexers increases in the RSH Workaround: Use this workaround if you are using your Splunk Enterprise federated search head (FSH) instance only for running federated searches. This workaround might affect non-federated searches. On the Splunk Enterprise FSH, follow these steps: |
2023-07-20 | SPL-242282, SPL-242864 | Federated searches fail for union commands when query optimization diverges between FSH and RSH |
2023-05-02 | SPL-239436 | In standard mode federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH Workaround: |
2023-04-14 | SPL-238738 | Federated Search for Splunk does not support the "Show Source" Field Action |
2023-04-10 | SPL-238501 | Federated search "outputlookup" command cannot add data to local lookup table Workaround: |
2022-10-19 | SPL-231712 | Create/Edit Role - In the UI, the "Wildcards" tool cannot be used to specify allowed federated indexes for standard mode federated search |
2022-07-15 | SPL-226877 | Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space Workaround: |
2022-05-31 | SPL-225037 | Remote dataset dropdown menu resets to "Index" after selecting federated provider |
2022-02-25 | SPL-219793 | Some commands in federated searches return incorrect resultCount values when run in verbose mode Workaround: Search-time field extraction usually requires searches without transforming commands that run in either Verbose or Smart mode. When you run searches in Fast mode, you can ensure that search-time field extraction takes place for federated searches by appending |
2022-02-08 | SPL-218841 | Reporting command in verbose mode returns 0 events despite correct event_count |
2021-10-14 | SPL-213745, SPL-251131 | Standard mode federated search: Unable to set federated index as default index |
Saved search, alerting, scheduling, and job management issues
Date filed | Issue number | Description |
---|---|---|
2023-07-21 | SPL-242301, SPL-231558 | The UI trigger for summary rebuild doesn't work for some accelerated data models that have no root-event dataset and have a reporting command in first root search dataset Workaround: For instance, for the provided `test_internal_audit_logs.json`, edit the JSON file on disk and move `failed_searches` dataset before `fully_completed_searches`. |
2023-07-07 | SPL-241821 | Data Model Accelerations that have Automatic Rebuilds enabled may lead to unbounded memory growth due to search expansion, resulting in Out of Memory errors Workaround: Furthermore, applying index constraints to restrict the list of indexes searched for building a given DMA summary and applying tags allowlisting would help curtail the memory usage. |
2019-09-20 | SPL-176812 | Multiple SH Clustering with single deployer can't use datamodel summary sharing |
2018-09-19 | SPL-160286 | The data preview for the Add Data workflow does not display for Log to Metrics source types |
2017-11-29 | SPL-146802 | Distributed environment requires index defined on search head for log event alerts |
2017-08-14 | SPL-143947 | Report acceleration is broken for users with a configured role-based access filter |
Charting, reporting, and visualization issues
Date filed | Issue number | Description |
---|---|---|
2023-11-23 | SPL-247466 | Dashboard Studio layers button is not working in Windows 10 Workaround: |
2023-06-14 | SPL-240965 | Dashboard Studio home dashboard flickers on specific viewport resolutions with scrollbar visibility set to always Workaround: |
2023-06-08 | SPL-240750 | Inconsistency in displayed timezone in Dashboard Studio when using time range tokens |
2016-04-27 | SPL-118911 | In SHC, referenced saved real-time searches in a dashboard do not stream results. Workaround: |
Distributed search and search head clustering issues
Date filed | Issue number | Description |
---|---|---|
2021-09-22 | SPL-212495, SPL-196040, SPL-219811 | Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles Workaround: |
2021-03-26 | SPL-203060 | The splunkd process changes the local distsearch.conf on service start Workaround: |
2017-11-29 | SPL-146802 | Distributed environment requires index defined on search head for log event alerts |
2017-03-13 | SPL-138654 | Splunk searches fail when filepath gets too long on Windows |
2016-07-12 | SPL-124085 | On a search head cluster, it is not possible to remove an app from the SHs once it has been disabled. |
Data model and pivot issues
Date filed | Issue number | Description |
---|---|---|
2023-07-21 | SPL-242301, SPL-231558 | The UI trigger for summary rebuild doesn't work for some accelerated data models that have no root-event dataset and have a reporting command in first root search dataset Workaround: For instance, for the provided `test_internal_audit_logs.json`, edit the JSON file on disk and move `failed_searches` dataset before `fully_completed_searches`. |
2023-07-07 | SPL-241821 | Data Model Accelerations that have Automatic Rebuilds enabled may lead to unbounded memory growth due to search expansion, resulting in Out of Memory errors Workaround: Furthermore, applying index constraints to restrict the list of indexes searched for building a given DMA summary and applying tags allowlisting would help curtail the memory usage. |
2019-09-20 | SPL-176812 | Multiple SH Clustering with single deployer can't use datamodel summary sharing |
Indexer and indexer clustering issues
Date filed | Issue number | Description |
---|---|---|
2024-05-29 | SPL-256658, SPL-255517 | Indexer Discovery deadlock during tcpout reload |
2016-08-25 | SPL-127353 | Data rebalance finishes early when one peer is the source for all buckets Workaround: |
Universal forwarder issues
Date filed | Issue number | Description |
---|---|---|
2022-08-17 | SPL-228646, SPL-228645 | Restart is needed when AWS access key pairs rotate (w/o grace period) or other S3 config settings for Ingest Actions become invalid |
2022-06-23 | SPL-226019 | Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality. |
2022-03-23 | SPL-221239 | System Introspect App fails when universal forwarder is installed at non-admin user |
Monitoring Console issues
Date filed | Issue number | Description |
---|---|---|
2021-03-29 | SPL-203100 | Summary page on monitoring console doesn't show correct RF/SF when not running on the CM. |
2019-11-13 | SPL-179528 | The splunktcp and splunktcp-ssl stanzas are not reloadable in inputs.conf |
2017-08-14 | SPL-143981 | Uninstall app dialog does not show the app name correctly when the app doesn't have the label |
2017-05-24 | SPL-141982 | Upload modal should use size=large File element |
2017-04-19 | SPL-141274 | Clicking Install multiple times in Install dialog causes error |
2016-11-14 | SPL-132151 | XML error when trying to download uninstalled app |
Splunk Web and interface issues
Date filed | Issue number | Description |
---|---|---|
2022-05-31 | SPL-225037 | Remote dataset dropdown menu resets to "Index" after selecting federated provider |
2021-12-21 | SPL-216787 | Searches are cancelled or time out when the user leaves the browser window or switches tabs. Workaround: Details |
2017-07-13 | SPL-143111 | "Splunkd daemon is not responding" when editing local Windows event log collection |
Windows-specific issues
Date filed | Issue number | Description |
---|---|---|
2024-06-24 | SPL-257961 | On Windows, the Splunk Enterprise platform process instrument-resource-usage keeps growing its handle count for the handle object Process. Workaround: Alternatively, disable introspection altogether. In the introspection_generator_addon app, add the `[introspection:generator:resource_usage]` stanza in `%SPLUNK_HOME%\etc\apps\introspection_generator_addon\local\server.conf` as follows: `[introspection:generator:resource_usage]` `disabled = true` `acquireExtra_i_data = false` |
REST, Simple XML, and Advanced XML issues
Date filed | Issue number | Description |
---|---|---|
2020-07-28 | SPL-192792 | tsidxWritingLevel and other fields are set empty after updating index in UI |
2017-07-13 | SPL-143111 | "Splunkd daemon is not responding" when editing local Windows event log collection |
2016-10-31 | SPL-131072 | Datamodel backend allows invalid time values |
PDF issues
Date filed | Issue number | Description |
---|---|---|
2016-11-23 | SPL-132925 | Table data rows generated with the addcoltotals command do not show up in PDF Workaround: Remove the label and |
Admin and CLI issues
Date filed | Issue number | Description |
---|---|---|
2021-03-26 | SPL-203060 | The splunkd process changes the local distsearch.conf on service start Workaround: |
2020-07-28 | SPL-192792 | tsidxWritingLevel and other fields are set empty after updating index in UI |
2020-04-14 | SPL-186365 | Users are able to create/clone knowledge objects into apps where they lack permissions |
2019-08-05 | SPL-174406, SPL-109254 | Root unable to run splunk cli if SPLUNK_OS_USER is set |
2018-08-13 | SPL-158658 | A timeout or slow response when accessing Splunk Web Licensing page Workaround: `\| rest splunk_server=local /services/licenser/messages` If a high value is returned for that endpoint, you are likely affected. Log a support ticket with Splunk to obtain a license reset key, and apply the key to clear out any historical license warning messages. After the reset license is applied, the license management pages should load normally. |
2017-11-29 | SPL-146820 | Unable to access some settings/manager pages (data model editor) if starting from the setup page of a non-visible app Workaround: |
2017-11-07 | SPL-146255 | limits.conf enable_clipping choropleth setting is app/user tunable rather than global like the rest of limits.conf |
2017-04-03 | SPL-140747 | SSL connection in Python when using new ciphers may be slow. |
2016-11-09 | SPL-131880 | Reports/Alerts owned by the deleted user cannot be found in the Orphaned filter for the Reassign Knowledge Objects page |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2024-05-21 | SPL-256104 | Maximum daily volume for a pool displayed as Unlimited, when license maximum typed in manually in 'A specific amount' field Workaround: |
2023-09-25 | SPL-245071, SCP-64986 | Splunk Assist causes excessive logging before activation, sometimes on instances that do not run Splunk Assist at all Workaround: Modular inputs can be disabled individually in $SPLUNK_HOME/etc/apps/splunk_assist/local/inputs.conf |
2022-11-14 | SPL-232803 | Job endpoint /services/search/jobs not returning QUEUED jobs Workaround: `\| rest /services/search/jobs/1668102339.174_23558BC9-6A39-4F4A-9FD2-968C358489B7 splunk_server=local` |
2021-04-24 | SPL-204740, SPL-204735 | Deletion of a workload pool is allowed if there is a 'disabled' rule that is related to that workload pool and this can cause errors if the rule is re-enabled later Workaround: To resolve the issue if you encounter this: Disable or delete the workload rule that is associated with a workload pool that does not exist anymore. |
2021-03-19 | SPL-202682 | The license usage report tab name is Previous 60 days, but the reports run over the last 30 days |
2020-08-10 | SPL-193389 | Parallel upload is not supported in gcp-sse-kms encryption mode Workaround: |
2020-07-30 | SPL-192936 | Subsecond search - When you update metric.timestampResolution via the UI, it is not updated on the search head index.conf file. This does not affect search functionality. |
2019-10-03 | SPL-177447 | Bundle replication takes longer than expected time for indexers that have bundleEnforcerBlacklist configured |
2019-09-26 | SPL-177144, SPL-177326 | Under heavy search workload, the search memory usage estimation may be higher than actual usage |
2019-09-25 | SPL-177008, SPL-176710, SPL-177009 | Workload management fails to enable for addition of a pool with 1% cpu and 1% memory |
2019-09-16 | SPL-176514 | Offline rebuild of unsearchable bucket may lead to stale information in dbinspect searches |
2019-09-13 | SPL-176447 | SmartStore: Migration uploads of auto_high_volume buckets can fail indefinitely due to an XFS bug Workaround: After migration, revert the setting to the default of 8. |
2019-07-19 | SPL-173449, SPL-173259 | timezone isn't stored for start_time/end_time of rule schedule every_day/every_week/every_month |
2019-03-26 | SPL-168314 | SmartStore standalone instance + Monitoring Console: Bootstrapping panel needs to reflect the standalone bootstrapping process |
2018-03-20 | SPL-152330, SPL-151992 | After installing Splunk on Windows using msiexec and the "GENRANDOMPASSWORD=1" option (and if generated password ends with backslash) admin is unable to login with msg "No users exist. Please set up a new user." Workaround: [user_info] |
2017-06-29 | SPL-142789, SPL-95144 | Indexed message for Windows security event logs shows "FormatMessage error" Workaround: |
2017-05-09 | SPL-141693 | DataModel Editor - when child object has same name as inherited field, inherited field does not show in the inherited fields list. |
2017-04-27 | SPL-141478, SPL-237563 | $_index_name does not resolve properly when used with the thawedPath pathname |
2017-01-06 | SPL-134707 | Splunk restart does not create missing server.pem certificate on Windows Workaround: |
2016-08-31 | SPL-127800 | Opting in to data sharing on a monitoring console produces duplicate data |
2016-06-21 | SPL-123174 | JSON indexed_extractions doesn't work for TCP inputs |
Splunk Analytics for Hadoop
Date filed | Issue number | Description |
---|---|---|
2017-04-04 | ERP-2040 | Splunk archiving fails for large block sizes (buckets) due to HDFS write crashes for Hadoop version 2.8, 2.7.x Workaround: |
2015-09-09 | ERP-1650 | timestamp data type not properly deserialized. |
2015-08-05 | ERP-1619 | Searching on a newly created archive index before the bucket copy saved search is run causes a filenotfound exception. Workaround: |
2015-07-07 | ERP-1598 | minsplit rampup - splits generation takes too long. Workaround: |
2015-05-12 | ERP-1502 | Non-accelerated pivot search on Pivot UI page waits for a long time to return result. |
2015-01-08 | ERP-1343, SPL-95174 | Splunk Analytics for Hadoop searches fail on corrupted journal.gz files, although Splunk searches run without error. Workaround: |
2014-10-27 | ERP-1216 | Data Explorer preview does not honor existing sourcetypes for big5/sjis files. |
2014-10-03 | ERP-1164 | Report acceleration summary gets deleted when two Splunk Analytics for Hadoop instances point to the same Splunk working directory. Workaround: |
Last modified on 03 July, 2024
This documentation applies to the following versions of Splunk® Enterprise: 9.2.2