• Overview
  • What's New in Splunk 2.1
    • Home Page
    • Search Results
    • Tags
    • Admin Panels
    • Splunk-2-Splunk
    • Saved Splunks & Live Splunks
    • Time Range Selection
• Changelogs by Version
  • Release Notes 2.2.6
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.2.3
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.2.1
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.2
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.1.3
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.1.2
    • Warning - Updating from 2.1.x
    • New Features
    • Resolved Issues
    • Known Issues
  • 2.1.1 Release Notes
    • New Features
    • Resolved issues
    • Known Issues
  • 2.1 GA Release
    • New Features since 2.0
    • Resolved Issues since 2.1b2
  • 2.1 Beta 2 Release Notes
    • WARNING: Don't Upgrade 2.0 Servers Yet
    • New Features
    • Known Issues
    • Resolved issues
  • 2.1 Beta 1 Release Notes
    • WARNING: Don't Upgrade 2.0 Servers Yet
    • New Features
    • Known Issues
  • Release Notes Archive

Release Notes 2.1.3

Splunk 2.1.3 fixes a problem in the installer for 2.1.2 that did not place the correct version of splunkd.xml and multiIndexer.xml into place. There are no other changes from 2.1.2 -- the release notes below are 2.1.2 notes reprinted here for your convenience.

To install Splunk 2.1.3, see the Installation Manual for full instructions.

New Features

• Limited internationalization support

The Splunk Server now converts all incoming log data to UTF-8 prior to indexing. All characters are stored and displayed correctly in results, but search terms with non-ASCII characters are ignored. The specification for the incoming data's character set may vary by source, source type, or host (see the CHARSET property in props.conf.spec). We consider this release suitable for use with log data in any character set so long as the majority of characters convert to the ASCII subset of UTF-8. If you are interested in full internationalization support, please see our roadmap to help you decide which upcoming version of Splunk might be most appropriate for your needs. If you're using the international features of Splunk and run into unexpected behavior, please contact us at support@splunk.com. We're expanding our suite of tests for internationalization and would love your input.

• Positional timestamp extraction

If your event contains more than one timestamp you have the option of telling which one the Splunk Server should extract when setting its timestamp. The directive in props.conf to configure this is:

    TIME_PREFIX = <regex> 

• If the Splunk Server pauses indexing due to a lack of minimum free disk space, it will now post a persistent message at the top of the Web interface.

• Multiple improvements to Splunk's search engine increase the efficiency of search and return more accurate results when using complex NOT searches.

Resolved Issues

• Some users were not able to submit sample events to Splunk Base.

• Splunk did not always respect the removal of events from the index based on the size of the index or the age of events.

• If you configure your Live Splunks to call a script, Splunk will now pass 5 variables to your script:
  • $1 - A results summary in XML.
  • $2 - The search terms for the Live Splunk.
  • $3 - The fully qualified query string for the Live Splunk.
  • $4 - The name of the Live Splunk.
  • $5 - The reason the Live Splunk triggered an alert.

Known Issues

• Pagination is not supported in a distributed search across more than one server. The Web GUI has been updated to alert the user of this if the user tries to navigate to a specific results page.
• Some upgrades from 2.1.x 2.1.3 are not moving the splunk.secret file to $SPLUNK_HOME/etc/auth/ resulting in Splunk not being able to start. Prior to upgrade make a copy of the splunk.secret file
• Live Splunk next run is not being updated correctly
• Live Splunks triggering off a Saved Splunk that contains spaces send a malformed URL in the email results
• Live Splunks will not execute a script that is not contained in the $SPLUNK_HOME/bin/scripts bin directory.
• Editing a Live Splunk via the web interface results in a duplicate entry in your $SPLUNK_HOME/etc/bundles/local/livesplunks.conf file
• In distributed mode searching for eventtype::?servername_3 will cause the host splunkd process to terminate abruptly
• Sending any traffic outside of distributed search requests to Splunk's management port (by default 8089) will cause the host splunkd process to terminate abruptly
• You cannot use an ampersand "&" in the naming of Saved Splunks
• Using the savedsplunk:: search operator will not work correctly if the Saved Splunk has the report:: operator as one of it search terms
• You cannot query for raw or * in full SQL
• Uploading files to your Splunk index via the Web interface will cause your /tmp directory to fill up
• VXFS, ZFS, JFFS, XFS, SSHFS, and GFS filesystems are not supported. For a complete list of supported filesystems please check here