• What's New
  • What's new in Splunk 3.1
    • Form search
    • Search language simplification
    • Archiving
• Known Issues
  • Known Issues
    • General
    • Search & Navigation
    • Administration
    • Toolbar
    • Platforms
• Changelogs by Version
  • 3.1
    • New features
    • Resolved issues from 3.0.x
    • New issues in this release
• Credits
  • Credits
  • APSW
  • boost
  • elementree
  • expat
  • fpconst
  • gadfly
  • libarchive
  • libiconv
  • libxml2
  • libxslt
  • log4py
  • numeric
  • openLDAP
  • OpenSSL
  • pcre
  • popt1.7
  • pyopenssl
  • pysqlite
  • python
  • pyxml
  • SOAPppy 0.11.6
  • sqlite
  • twisted
  • xmlwrapp 0.5.0
  • zope
  • zlib

Known Issues

For release 3.1.

General

• In a distributed search cluster, it is recommended that you have every node upgraded to an identical version of Splunk.
  • You can never mix 3.1.x and 3.0.x nodes in a distributed search cluster. You must upgrade all 3.0.x nodes to 3.1.x.
• Splunk 3.1 requires Flash 9. You can verify what version of Flash you are running here.
• Automated migration from 2.x to 3.1 is currently not supported. For instructions on manual migration see Upgrading from 2.x versions in the Installation manual. These instructions to migrate to 3.0.x work for migration to 3.1.x also.
• The file properties.xml ships with the product, but its settings have no effect. Use props.conf to alter Splunk's settings.
• The OSX DMG install incorrectly sets the file permissions of the default license file. This results in the webserver throwing an exception when you try to apply an enterprise license. The current options are to change the file by hand or chmod o+w $SPLUNK_HOME/etc/splunk.license prior to applying the license via the GUI.
• The 64-bit RPM install sets incorrect file permissions for /opt/splunk/share. They are currently 555 and should be 755. After installing please chmod -R 755 /opt/splunk/share/splunk

Search & Navigation

• Reports require Adobe Flash, and run best in the latest version, currently Flash 9 (download). Flash is available for Firefox 1.5 and 2.0, and Internet Explorer 6 and 7. See the Adobe Flash system requirements.
• Searches using a literal equal sign (=) will no longer work due to changes in the search syntax. This may cause some saved searches to fail.
  • Fix this by enclosing the search expression in double quotes. For example, "user=foo" .
• SplunkWeb does not support some advanced 3.x search syntax, such as reporting on the results of a subsearch, set operations, etc.
• Some SUSE 10.x users might experience incorrectly displayed dialog boxes and searches may return the message "Unable to get a properly formatted response from the server; canceling the current search." This is a problem with the mime.types configuration. Instructions on how to correct this problem can be found here.
• Some searches may be very slow to return. You can, however, make SplunkWeb search faster with three changes.
• The format command does not accept nil(). The workaround is to append " " "(" "AND" ")" " ".
• There is a risk that event loss can occur for network inputs when shutting down Splunk.
• Setting too many LDAP roles might cause a slight performance loss when searching.
• SplunkWeb is only capable of displaying 499 LDAP groups.
  • To view and configure more than 499 groups: manually configure them by editing auth.conf.
• Using time-based search modifiers in the format: modifier::value in a savedsearch will break links that are sent in alerts via RSS or email.
  • Fix this by changing all custom time-based modifiers used in savedsearches.conf to: timebasedmodifier=value or timebasedmodifier="value" format.
• When using any time-based search modifier (exceptions listed below) in a saved search, links sent via RSS and email will work correctly, but the time range of events returned will be relative to when you view the alert rather than when the alert was triggered. The following time-based search modifiers are exceptions to this issue:
  • startminutesago
  • starthoursago
  • startdaysago
  • startmonthsago
  • starttime
  • endtime
  • alltimes
• Power users cannot create savedsearches that are globally shared.
• Defining properties for fifo does not work based on source.
• Reconstituting logs from a specific source/host/sourcetype currently does not work. Administrators need to use the CLI search option in the interim.
• If you are using distributed search you can be logged into 3.0.x instance and distribute requests to a 3.1 instance but you cannot do the inverse.
• If you create a saved search with punctuation characters in its name, the punctuation characters will be displayed as HTML-escaped characters in the savedsearch box.
• Alerts do not work correctly in distributed search mode.
• Sharing a dashboard report to other users currently doesn't work.

Administration

• Adding a forwarding server via SplunkWeb sometimes displays an error message.
• 2.0.x licenses will NEVER work with 3.x+. If you have a current Plus Support contract you are entitled to upgrade your license to 3.x. If you do not have a current support agreement in place please contact sales@splunk.com.
• Export and import of user data may not work properly.
• In the deployment server, the 'default' class is supposed to target all deployment clients; however, configuration files placed in the default directory on the deployment server do not get pushed properly.
• Attempting to move from a free license to an evaluation license via SplunkWeb may result in a webserver exception being displayed on screen. If you encounter this error you can apply the license through the CLI. Instructions on how to perform this operation can be found here.
• Splunk's authentication module does not work with Domino LDAP.
• The following admin searches currently do not work:
  • admin deployment
  • admin eventdiscoverer
  • admin fieldactions
  • admin metaevents
  • admin metrics
  • admin modules
  • admin outputs
  • admin user-seed
  • admin breakers
• Specifying a wildcard at the end of a tail configuration does not properly anchor the underlying whitelist rule. In the interim you should explicitly define your whitelist rule in your inputs.conf.
• Log file rotation does not currently work while tailing SMB mounts.

Toolbar

• The toolbar sometimes incorrectly displays two drop-down arrows in the search box. This is has no effect on functionality.
• When running a free Splunk license, or an unlicensed copy of Splunk, the toolbar may not get past the "Welcome to Splunk" start page.
• Occasionally a search done in the toolbar will not return results. This may cause the browser to hang. The searches will work correctly if run directly in SplunkWeb or the command line (CLI).
• In some cases, the toolbar will prevent "Find in this page" functionality from running multiple times on the same page. These reports have been limited to users running multiple browser add-ons (e.g. colorful tabs, dom inspector, user agent switcher).
• Autologin does not work if the Autologin is set to off prior to configuring a Splunk server in the toolbar.
  • To login automatically set Autologin to on prior to configuring the server.
• The toolbar does not have a mechanism for alerting if its credentials are invalid.
  • When a Splunk server is configured to talk to an LDAP server that locks accounts after N failed login attempts, users should verify that their credentials are correct.
• There are some cases where the toolbar may take over the current user session if the toolbar is configured to talk to a Splunk instance that is different than the one a user is currently logged into.
• There may be conflicts if a user is logged into one Splunk instance and runs a toolbar search on a different Splunk instance.

Platforms