Documentation: 3.1.2
This page last updated: 11/13/07 11:11am

Known Issues for release 3.1.2

General Issues and Recommendations

  • If you are using Splunk in a distributed search cluster, Splunk recommends that you upgrade each node to exactly the same version of Splunk.
    • Mixing 3.1.x and 3.0.x nodes in a distributed search cluster is not supported. You must upgrade all 3.0.x nodes to 3.1.x.
  • Splunk 3.1.x requires Flash 9 (download). Flash is available for Firefox 1.5 and 2.0, and Internet Explorer 6 and 7. See the Adobe Flash system requirements. You can check which version of Flash you are running here.
  • Use props.conf to alter Splunk's settings. The properties.xml file is still included with the product, but its settings have no effect.

Search & Navigation

  • Searches using a literal equal sign (=) in the search command itself to match a literal equal sign in the indexed data will no longer work due to changes in the search syntax. This may cause some saved searches to fail.
    • You can alter your saved searches to address this by enclosing the search expression in double quotes. For example, "user=foo".
  • SplunkWeb does not support some advanced 3.x search syntax, such as reporting on the results of a subsearch, set operations, etc.
  • Some SUSE 10.x users might experience incorrectly displayed dialog boxes and searches may return the message "Unable to get a properly formatted response from the server; canceling the current search." This is a problem with the mime.types configuration. Instructions on how to correct this problem can be found here.
  • Some searches may be very slow to return. You can, however, make SplunkWeb search faster with three changes.
  • The format command does not accept nil(). The workaround is to append " " "(" "AND" ")" " ".
  • Event loss may occur for network inputs when shutting down Splunk.
  • Setting too many LDAP roles may cause a slight performance loss when searching.
  • SplunkWeb can display a maximum of 499 LDAP groups.
    • To view and configure more than 499 groups, configure them manually by editing auth.conf.
  • Using time-based search modifiers in the format: modifier::value in a savedsearch will break links that are sent in alerts via RSS or email.
    • Fix this by changing all custom time-based modifiers used in savedsearches.conf to: timebasedmodifier=value or timebasedmodifier="value" format.
  • When using any time-based search modifier (exceptions listed below) in a saved search, links sent via RSS and email will work correctly, but the time range of events returned will be relative to when you view the alert rather than when the alert was triggered. The following time-based search modifiers are exceptions to this issue:
  • Reconstituting logs from a specific source/host/sourcetype currently does not work. Administrators need to use the CLI search option in the interim.
  • If you are using distributed search, you can be logged into a 3.0.x instance and distribute requests to a 3.1 instance, but you cannot do the inverse.
  • If you create a saved search with punctuation characters in its name, the punctuation characters will be displayed as HTML-escaped characters in the savedsearch box.
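
For the issue above about time-based modifiers in modifier::value form breaking alert links, the following added example (not Splunk's code and not part of the original page) reports and rewrites such tokens to modifier=value in savedsearches.conf text. The modifier names, the `search` key and the sample stanzas are assumptions constructed for illustration; substitute the time-based modifiers your saved searches actually use.

```python
import re

# Assumption: the operator supplies this set; the page does not list the modifiers.
TIME_MODIFIERS = {"daysago", "hoursago", "minutesago", "starttime", "endtime"}

# name::value, where value is a double-quoted string or a run of non-space characters
TOKEN = re.compile(r'(?<![\w:])(\w+)::("[^"]*"|\S+)')


def rewrite_line(line, modifiers=TIME_MODIFIERS):
    """Return (new_line, count); only tokens whose name is in `modifiers` change."""
    count = 0

    def repl(match):
        nonlocal count
        name, value = match.group(1), match.group(2)
        if name.lower() not in modifiers:
            return match.group(0)  # e.g. host::web01 is not time-based, keep it
        count += 1
        return f"{name}={value}"

    return TOKEN.sub(repl, line), count


def rewrite_conf(text, modifiers=TIME_MODIFIERS):
    """Rewrite a whole file; return (new_text, [(lineno, before, after), ...])."""
    out, changes = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "[")):  # comments and stanza headers
            out.append(line)
            continue
        new, n = rewrite_line(line, modifiers)
        if n:
            changes.append((lineno, line, new))
        out.append(new)
    return "\n".join(out) + "\n", changes


# Constructed sample, not taken from a real deployment.
SAMPLE = """\
[Failed logins last hour]
search = "failed password" host::web01 hoursago::1
[Errors since yesterday]
search = error daysago::1 source::/var/log/messages
"""

if __name__ == "__main__":
    _, report = rewrite_conf(SAMPLE)
    for lineno, before, after in report:
        print(f"line {lineno}:\n  - {before}\n  + {after}")
```

Review the reported changes before writing the rewritten text back to the file.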

Administration

  • 2.0.x licenses will NEVER work with 3.x+. If you have a current Plus Support contract, you are entitled to upgrade your license to 3.x. If you do not have a current support agreement in place, please contact sales@splunk.com.
  • Export and import of user data may not work properly.
  • In the deployment server, the 'default' class is supposed to target all deployment clients; however, configuration files placed in the default directory on the deployment server do not get pushed properly.
  • Splunk's authentication module does not work with Domino LDAP.
  • The following admin searches currently do not work:
    • admin deployment
    • admin eventdiscoverer
    • admin fieldactions
    • admin metaevents
    • admin metrics
    • admin modules
    • admin outputs
    • admin user-seed
    • admin breakers
  • Specifying a wildcard at the end of a tail configuration does not properly anchor the underlying whitelist rule. In the interim you should explicitly define your whitelist rule in your inputs.conf.
  • Log file rotation does not currently work while tailing SMB mounts.

Toolbar

  • The toolbar sometimes incorrectly displays two drop-down arrows in the search box. This has no effect on functionality.
  • When running a free Splunk license, or an unlicensed copy of Splunk, the toolbar may not get past the "Welcome to Splunk" start page.
  • Occasionally a search done in the toolbar will not return results. This may cause the browser to hang. The searches will work correctly if run directly in SplunkWeb or the command line (CLI).
  • In some cases, the toolbar will prevent "Find in this page" functionality from running multiple times on the same page. These reports have been limited to users running multiple browser add-ons (e.g. colorful tabs, dom inspector, user agent switcher).
  • Autologin does not work if the Autologin is set to off prior to configuring a Splunk server in the toolbar.
    • To log in automatically, set Autologin to on prior to configuring the server.
  • The toolbar does not have a mechanism for alerting if its credentials are invalid.
    • When a Splunk server is configured to talk to an LDAP server that locks accounts after N failed login attempts, users should verify that their credentials are correct.
  • There are some cases where the toolbar may take over the current user session if the toolbar is configured to talk to a Splunk instance that is different than the one a user is currently logged into.
  • There may be conflicts if a user is logged into one Splunk instance and runs a toolbar search on a different Splunk instance.