• What's New
  • What's new in Splunk 3.1
    • Form search
    • Search language simplification
    • Archiving
• Known Issues
  • Known Issues for release 3.1.4
    • General Issues and Recommendations
    • Search & Navigation
    • Administration
    • Toolbar
• Changelogs by Version
  • 3.1.4
    • New features
    • Resolved issues from 3.1.3
    • New issues in this release
  • 3.1.3
    • Resolved issues from 3.1.2
    • New issues in this release
  • 3.1.2
    • Resolved issues from 3.1.1
    • New issues in this release
  • 3.1.1
    • New features
    • Resolved issues from 3.1
    • New issues in this release
  • 3.1
    • New features
    • Resolved issues from 3.0.x
    • New issues in this release
• Credits
  • Credits
  • APSW
  • boost
  • elementree
  • expat
  • fpconst
  • gadfly
  • libarchive
  • libiconv
  • libxml2
  • libxslt
  • log4py
  • numeric
  • openLDAP
  • OpenSSL
  • pcre
  • popt1.7
  • pyopenssl
  • pysqlite
  • python
  • pyxml
  • SOAPppy 0.11.6
  • sqlite
  • twisted
  • xmlwrapp 0.5.0
  • zope
  • zlib

3.1.2

Resolved issues from 3.1.1

• Extracted fields are now available for use in distributed searches.

• Distributed search no longer requires that event types, saved searches, or tags be defined on all servers involved in a given search. As long as the object is defined on the server you are using to perform the search, results are returned across all servers included in the search.

• Your local maxresults setting now applies across all servers involved in a distributed search.

• Distributed search now supports using quotes around tags.

• Eventtype tags are searchable when created in a bundle.

• Eventtypes that include quotes are no longer missing from search results.

• Servers that time out during a distributed search no longer require a restart before they rejoin the pool, although the count will still display them as missing until you restart.

• Saved searches that include quotes now function correctly.

• A potential security issue in Splunk Web has been resolved: http://twistedmatrix.com/trac/ticket/2859

• The administrator password is now correctly obfuscated when using the "find logs" utility.

• Internal index data now persists for one month.

• Transforms based on fifo sources now function correctly.

New issues in this release

• Performing multiple searches at once from the Web UI can occasionally return a "search was canceled" error.

• Searches that operate on large events, such as configuration files and tabular data (top/ps ouput, logs containing multi-line events), can stress the memory available on 32-bit systems. Splunk recommends that you reduce the max results setting when you are performing these types of searches. This issue can be compounded in distributed search scenarios, where the pool for results is greater. Additionally, the optimizations Splunk applies when displaying non-distributed search results are not available when performing distributed searches; this will also affect memory consumption.