Documentation: 3.1.5
This page last updated: 02/28/08 03:02pm

Known Issues for release 3.1.5

General Issues and Recommendations

  • If you are using Splunk in a distributed search cluster, Splunk recommends that you upgrade each node to exactly the same version of Splunk.
    • Mixing 3.1.x and 3.0.x nodes in a distributed search cluster is not supported. You must upgrade all 3.0.x nodes to 3.1.x.
  • Splunk 3.1.x requires Flash 9 (download). Flash is available for Firefox 1.5 and 2.0, and Internet Explorer 6 and 7. See the Adobe Flash system requirements. You can check which version of Flash you are running here.
  • Use props.conf to alter Splunk's settings. The properties.xml file is still included with the product, but its settings have no effect.
  • Firefox 3.0b1 will not currently display any data with Splunk. Please use Firefox 2.0.0.10 or older with Splunk.

Search & Navigation

  • Performing multiple searches at once from the Web UI can occasionally return a "search was canceled" error.
  • Searches that operate on large events, such as configuration files and tabular data (top/ps output, logs containing multi-line events), can stress the memory available on 32-bit systems. Splunk recommends that you reduce the max results setting when you are performing these types of searches. This issue can be compounded in distributed search scenarios, where the pool for results is greater. Additionally, the optimizations Splunk applies when displaying non-distributed search results are not available when performing distributed searches; this will also affect memory consumption.
  • Searches using a literal equal sign (=) in the search command itself to match a literal equal sign in the indexed data will no longer work due to changes in the search syntax. This may cause some saved searches to fail.
    • You can alter your saved searches to address this by enclosing the search expression in double quotes. For example, "user=foo".
  • SplunkWeb does not support some advanced 3.x search syntax, such as reporting on the results of a subsearch, set operations, etc.
  • Some SUSE 10.x users might experience incorrectly displayed dialog boxes and searches may return the message "Unable to get a properly formatted response from the server; canceling the current search." This is a problem with the mime.types configuration. Instructions on how to correct this problem can be found here.
  • Some searches may be very slow to return. You can, however, make SplunkWeb search faster with three changes.
  • The format command does not accept nil(). The workaround is to append " " "(" "AND" ")" " ".
  • Event loss may occur for network inputs when shutting down Splunk.
  • Setting too many LDAP roles may cause a slight performance loss when searching.
  • SplunkWeb can display a maximum of 499 LDAP groups.
    • To view and configure more than 499 groups: manually configure them by editing auth.conf.
  • Using time-based search modifiers in the format: modifier::value in a savedsearch will break links that are sent in alerts via RSS or email.
    • Fix this by changing all custom time-based modifiers used in savedsearches.conf to: timebasedmodifier=value or timebasedmodifier="value" format.
  • When using any time-based search modifier (exceptions listed below) in a saved search, links sent via RSS and email will work correctly, but the time range of events returned will be relative to when you view the alert rather than when the alert was triggered. The following time-based search modifiers are exceptions to this issue:
  • Reconstituting logs from a specific source/host/sourcetype currently does not work. Administrators must use the CLI search option in the interim.
  • If you are using distributed search, you can be logged into a 3.0.x instance and distribute requests to a 3.1 instance, but you cannot do the inverse.
  • An issue from 3.1.4 resulting in dashboards not being displayed has been resolved. However, in some instances dashboards may still not display properly. If you upgrade to 3.1.5 and your dashboards still do not display properly, work around this issue by deleting, recreating, and re-adding your searches to the dashboards.
  • Users who are not members of the admin role cannot save a report search and add it to a dashboard. To work around this, a user who is a member of the admin role can create the search and share it. Non-admin users can then add that search to their dashboards.
  • Events with epoch time might be incorrectly indexed. Replace $SPLUNK_HOME/etc/datetime.xml with the following to resolve the issue.

Administration

  • 2.0.x licenses will NEVER work with 3.x+. If you have a current Plus Support contract, you are entitled to upgrade your license to 3.x. If you do not have a current support agreement in place, please contact sales@splunk.com.
  • Export and import of user data may not work properly.
  • In the deployment server, the 'default' class is supposed to target all deployment clients; however, configuration files placed in the default directory on the deployment server do not get pushed properly.
  • Splunk's authentication module does not work with Domino LDAP.
  • The following admin searches currently do not work:
    • admin deployment
    • admin eventdiscoverer
    • admin fieldactions
    • admin metaevents
    • admin metrics
    • admin modules
    • admin outputs
    • admin user-seed
    • admin breakers
  • Log file rotation does not currently work while tailing SMB mounts. Mounting as CIFS resolves this issue.
  • Upgrading using rpm does not create an etc.bak.
  • Upgrading using rpm does not preserve a modified $SPLUNK_HOME/bin/setSplunkEnv. If you have changed your $SPLUNK_DB path or other variable you should make a backup of this file prior to upgrade.
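
A pre-upgrade backup and post-upgrade check for the two rpm issues above, as an added example that is not part of the Splunk documentation. The function names and the backup directory layout are assumptions; only $SPLUNK_HOME/etc and $SPLUNK_HOME/bin/setSplunkEnv come from this page.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling). Function names and the backup
# directory layout are assumptions; the paths under SPLUNK_HOME are from the page.
#
# Usage:
#   splunk_pre_upgrade_backup  "$SPLUNK_HOME" /var/backups/splunk-pre-upgrade
#   ... run the rpm upgrade ...
#   splunk_post_upgrade_check  "$SPLUNK_HOME" /var/backups/splunk-pre-upgrade

# Snapshot etc/ and bin/setSplunkEnv, since the rpm upgrade does neither.
splunk_pre_upgrade_backup() {
    _home=$1; _dest=$2
    [ -d "$_home/etc" ] || { echo "no etc/ under $_home" >&2; return 1; }
    # Refuse to reuse a snapshot directory: cp would nest etc/ inside etc.bak/
    # and the earlier known-good copy would no longer be trustworthy.
    [ ! -e "$_dest/etc.bak" ] || { echo "$_dest/etc.bak already exists" >&2; return 1; }
    mkdir -p "$_dest" || return 1
    cp -Rp "$_home/etc" "$_dest/etc.bak" || return 1
    if [ -f "$_home/bin/setSplunkEnv" ]; then
        cp -p "$_home/bin/setSplunkEnv" "$_dest/setSplunkEnv.bak" || return 1
    fi
    return 0
}

# Compare the upgraded install against the snapshot.
# Returns 0 when nothing differs, 2 when something needs review.
splunk_post_upgrade_check() {
    _home=$1; _dest=$2; _rc=0
    [ -d "$_dest/etc.bak" ] || { echo "no snapshot in $_dest" >&2; return 1; }
    # A replaced setSplunkEnv silently drops a customised SPLUNK_DB path.
    if [ -f "$_dest/setSplunkEnv.bak" ] &&
       ! cmp -s "$_dest/setSplunkEnv.bak" "$_home/bin/setSplunkEnv"; then
        echo "setSplunkEnv differs from $_dest/setSplunkEnv.bak; re-apply local changes"
        _rc=2
    fi
    # List every file under etc/ that was added, removed or modified.
    diff -rq "$_dest/etc.bak" "$_home/etc" || _rc=2
    return $_rc
}
```
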

Toolbar

  • The toolbar sometimes incorrectly displays two drop-down arrows in the search box. This has no effect on functionality.
  • When running a free Splunk license, or an unlicensed copy of Splunk, the toolbar may not get past the "Welcome to Splunk" start page.
  • Occasionally a search done in the toolbar will not return results. This may cause the browser to hang. The searches will work correctly if run directly in SplunkWeb or the command line (CLI).
  • In some cases, the toolbar will prevent "Find in this page" functionality from running multiple times on the same page. These reports have been limited to users running multiple browser add-ons (e.g. colorful tabs, dom inspector, user agent switcher).
  • Autologin does not work if the Autologin is set to off prior to configuring a Splunk server in the toolbar.
    • To log in automatically, set Autologin to on prior to configuring the server.
  • The toolbar does not have a mechanism for alerting if its credentials are invalid.
    • When a Splunk server is configured to talk to an LDAP server that locks accounts after N failed login attempts, users should verify that their credentials are correct.
  • There are some cases where the toolbar may take over the current user session if the toolbar is configured to talk to a Splunk instance that is different than the one a user is currently logged into.
  • There may be conflicts if a user is logged into one Splunk instance and runs a toolbar search on a different Splunk instance.