Documentation: 3.3.4
This page last updated: 11/04/08 12:11pm

Known Issues for release 3.3.4

This page contains known issues and workarounds for this release of Splunk.

General issues and considerations

This section contains general considerations, issues and workarounds for this release of Splunk.

  • If you have configured timestamp offsets using pre-Splunk 3.2 POSIX instructions, you must reconfigure them using this information. If you do not do this, your timestamp information will be incorrect. If you have not configured timezone offsets, you can ignore this note.
  • Live tail is a powerful feature, and as such can tax system resources. For this reason, Splunk defaults to only allowing you to run one Live Tail at a time. However, you can edit web.conf to allow for multiple Live Tails. You must enable HTTP pipelining for this to function correctly. Refer to web.conf for more details. (SPL-11839)
  • Live tail does not work through a proxy at this time. (SPL-13095)
  • If you are using Splunk Deployment server, version 3.2 and earlier will only work with other deployed servers of exactly the same version, but 3.3.x will work with 3.2.x and 3.3.x.
  • If you are running two different instances of Splunk on one machine, you cannot log into both instances at once, even with different shell sessions. However, you can use the -auth option in your search string to provide credentials for a different user on the fly. (SPL-11924)
  • Splunk's authentication module does not work with Domino LDAP.
  • 2.0.x licenses will NEVER work with 3.x+. If you have a current Plus Support contract you are entitled to upgrade your license to 3.x. If you do not have a current support agreement in place, contact sales@splunk.com.
  • The File System Change Monitor does not monitor directories, only the contents of those directories. If an empty directory is deleted, renamed, or otherwise changed, you will not receive an alert. However, if any file in the directory is changed, you will receive an alert.
  • If you switch from LDAP authentication to Splunk's built-in authentication, you must restart from the command line before you can log in again. (SPL-11737)
  • You cannot specify a relative path when setting $SPLUNK_DB. (SPL-11867)
  • Export and import of user data may not work properly.
  • Log file rotation does not currently work while tailing SMB mounts. Work around this by mounting as CIFS.
  • Upgrading using rpm does not create an etc.bak file.
  • Some SUSE 10.x users might experience incorrectly displayed dialog boxes and searches may return the message "Unable to get a properly formatted response from the server; canceling the current search." This is a problem with the mime.types configuration. Instructions on how to correct this problem can be found here.
  • Live tail does not currently respect the use of srchfilter within a role. To prevent users from accessing restricted information, explicitly disable Live tail in their user role. (SPL-13534)
  • When enabling LDAP authentication, saved searches running as the admin user no longer function. To work around this, change the user the search runs as to a different user. (SPL-13870)
  • Intermediary CAs are not yet supported in SSL certificates. (SPL-14463)
  • LDAP authentication does not work when LDAP has no groups. (SPL-14439)
  • Server-class CLI commands fail authentication. (SPL-14059)
  • Wildcards in file system change monitor stanzas are ignored. (SPL-14487)
  • Using the interactive field extractor can cause Splunk to crash. Write regular expressions manually to work around this issue; contact support if you need assistance. (SPL-15862, SPL-16017)
  • The heartbeat message from forwarders is missing. (SPL-16595)
  • If another process attempts an HTTP connection on a port configured for SSL (like the management port), splunkd will leak a file descriptor. To avoid this, disable the monitoring process or force it to HTTPS. (SPL-16976)

Search issues, including deprecated commands

  • The readlevel and readlimit modifiers are deprecated as of version 3.2. Splunk now handles the verbosity of events intelligently with no need for specification.
  • The maxresults and maxtime modifiers have been deprecated. If you have saved searches that use maxresults, they will no longer function starting with version 3.2.
    • Use the Preferences menu in Splunk Web to configure these values.
    • From within the CLI, use of maxresults has changed from being inside your query (for example, splunk search "search foo maxresults::100") to being outside your query (for example, splunk search "foo" -maxresults 100).
  • The remote command is deprecated.
    • In Splunk Web, perform remote functionality in the Distributed tab of the Admin interface.
      • Click Admin in the upper-right corner of Splunk Web.
      • Click Distributed from the Distributed tab to turn on Distributed searching and then restart the server.
      • Add the servers you want search requests to be distributed to.
      • Restart Splunk. Once you restart Splunk, all search requests are sent to the servers you specify in the list.
    • In the CLI, use the dispatch command to execute remote functionality. You must have distributed search configured prior to running dispatch.
  • The header argument for the diff command has no effect; the header data is always displayed.
  • Performing multiple searches at once from the Web UI can occasionally return a "search was canceled" error.
  • Searches that operate on large events, such as configuration files and tabular data (top/ps output, logs containing multi-line events), can stress the memory available on 32-bit systems. Splunk recommends that you reduce the maximum number of results from the Preferences menu in Splunk Web, or consider searching asynchronously using the command line interface when you are performing these types of searches. This issue can be compounded in distributed search scenarios, where the pool of results is greater. Additionally, the optimizations Splunk applies when displaying non-distributed search results are not available when performing distributed searches; this will also affect memory consumption.
  • The date is not extracted from log file names if the source type is not a single line source type. (SPL-12594)
  • The CLI delete command has been inadvertently disabled in this release. (SPL-16896) To reinstate it, add the following XML snippet after the domain finder module (at around line 364) in $SPLUNK_HOME/etc/searchLanguage.xml:

    <module>
        <name>delete</name>
        <requiredArgs>
            <arg>delete</arg>
        </requiredArgs>
        <optionalArgs>
            <arg>deleterestrict</arg>
        </optionalArgs>
        <defaults>
            <delete>typeahead_suppress</delete>
            <deleterestrict>typeahead_suppress</deleterestrict>
        </defaults>
    </module>

Then, restart Splunk.

Splunk Web issues and considerations

  • Due to a change in Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.
  • Splunk 3.2 and later requires Flash 9. (download). Flash is available for Firefox 1.5 and 2.0, and Internet Explorer 6 and 7. See the Adobe Flash system requirements. You can check which version of Flash you are running here.
  • Firefox 3.0b1 will not currently display any data with Splunk Web. Use Firefox 2.0.0.10 or earlier.
  • If you create an event type that contains a space in the name and also specify tags for the event type at the same time, you cannot search on the tags.
  • If you pipe into a saved search, time range specifications are ignored in Splunk Web. (SPL-12017)
  • Section headers may sometimes display incorrectly in Splunk Web. (SPL-10138)
  • If you are using IE7, you may experience inconsistent results in the timeline display. (SPL-11052)
  • Time ranges are not retained in snapshots.
  • To specify a label for a report column that includes spaces (with quotes surrounding the label name), do not use eval. Use rename and specify it as the last search processor in your string. (SPL-12200)
  • Values for starttimeu or endtimeu are not recognized in Splunk Web, but do function correctly in the CLI. (SPL-13141)
  • CSV export of searches that use fields + will include all fields, not only those shown in the search results displayed in Splunk Web. (SPL-16562)
  • In Splunk Web, you cannot filter searches on fields extracted by the REX command (SPL-15699), or based on eventtype::foobar in $SPLUNK_HOME/etc/system/local/props.conf. (SPL-15700)
  • Decreasing the number of events shown in Splunk Web (by editing the number of cards and decks) to a low number causes Splunk Web to keep reloading. (SPL-14267)
  • Updating the time range within the chart/report page of Splunk Web will not cause the chart to update. It is necessary to go back to the results to update the time range. Inserting time range directives into the search command (e.g. startdaysago=) and refreshing by clicking the Splunk logo may also be effective. (SPL-16864)
  • Increasing the 'twistedLoginTimeout' setting in web.conf beyond 1 hour (3600 seconds) can result in Python script errors if the session is open and idle long enough for the API session to expire. Clicking on UI functions that run Python scripts will then give XML errors. Logging out and logging back in will resolve this. (SPL-17164)

Windows-specific considerations and known issues

As a result of porting Splunk to the Windows platform, some functionality is not available or works differently due to platform differences or limitations:

  • FIFO data inputs are not supported.
  • 'Watch and symlink' operation is not supported with file-based data inputs.
  • Mapped paths that include drive letters (such as C:\) are not supported. To work around this, use a full UNC path to the network resource (in the form \\servername\full\path\to\resource). Splunk must be running as a user with Admin privileges on the network. (SPL-11690)
  • The exporttool function does not support exporting to the original source, but does support export to csv. (SPL-12313)
  • You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf. (SPL-7270)
  • The Windows installation package does not include the sample data (referred to in the tutorial portion of the User Guide) that is included on other platforms.
  • The Windows release has been tested on English versions of the operating system only. Foreign language versions are unsupported.
  • Changing the service login credentials of splunkd after installation is not supported. (SPL-14631)
  • Regular expressions do not currently work in the Registry baselining feature. (SPL-14743)
  • Registry Monitoring is not currently supported on Windows 2000 due to an issue with a Windows 2000 DLL, PSAPI.DLL. (SPL-16000)
  • Some applications, such as IIS, will pre-allocate disk space for log files by padding them with binary null characters. (SPL-14682)
  • If you have made manual changes to the etc/system/local/inputs.conf file they may not be correctly preserved on upgrade. Make a backup copy of this file before upgrading. If Windows data input items do not exist, they will be added at the beginning of the file rather than the bottom, incorrectly including some conf items in the wrong stanza. This primarily applies to global "host = foohost" settings at the top of the file.
  • There is an issue with stopping and restarting Splunk currently affecting users of remote WMI polling. If one or more of your WMI sources is unavailable at the time that you stop Splunk, Splunk will not come back up unless you wait for the splunk-wmi.exe process to exit, or kill it manually. To avoid this issue, do not unnecessarily list non-existent/non-functioning machines in wmi.conf. (SPL-16612)
  • Issues with date/timestamping of data collected before 2007 may be the result of an OS-level issue on all pre-Vista systems. Windows versions prior to Vista did not recognize that Daylight Saving Time (DST) observance can vary by location. A patch was issued by Microsoft in 2007 which, when applied, can cause the parsing of timestamps in Splunk to fail for data collected before 2007. (SPL-12503)
  • Windows as a client in the Configuration Server fails with a mismatched checksum error. (SPL-16899)
  • WMI and registry indexing is accidentally disabled in the Lightweight Forwarder configuration. (SPL-17079)
  • Incorrect error message in splunkd.log: "ERROR WinEventLog - processSid: Failed to allocate required buffer sizes for sid account and domain name: 'No mapping between account names and security IDs was done'". This message can be ignored; it reads like a memory issue but is not related to memory. Splunk is simply saying it can't resolve a security ID to a specific user, most likely because that user no longer exists. (SPL-17281)
  • The WinEventLog input processor doesn't pick up the last event in the log file until a new event is written. (SPL-17283)
  • WMI: Parse-time matching for WMI events (those intending to specify a TRANSFORMS-class) cannot match the host, source, or sourcetype as they appear on events in the splunk interface, since these do not exist until after parse time. To perform parse-time TRANSFORMS on these events, match the sourcetype [wmi].

Distributed search issues and considerations

  • If you are adding or changing a license on any server in your distributed cluster, restart all of them to ensure that they display correctly on each others' dashboards. (SPL-12122)
  • Autodiscovery of hosts for distributed search is unreliable.
  • If you are using Splunk in a distributed search cluster you can mix 3.3.x with 3.2.x, but mixing 3.1.x and 3.2.x nodes in a distributed search cluster is not supported.
  • In the deployment server, the 'default' class is supposed to target all deployment clients; however, configuration files placed in the default directory on the deployment server do not get pushed properly. (SPL-12350)

Configuration considerations and issues

  • Entries in indexes.conf are case sensitive, including the stanza name itself. (SPL-12063)
  • Reusing a field name in fields.conf results in the field being undefined. (SPL-12008)
  • Use props.conf to alter Splunk's settings. The properties.xml file is still included with the product, but its settings have no effect.
  • Having fschange monitor the same thing in two different applications with differing settings causes conflicts, which results in those differences being ignored. (SPL-15680)
  • fschange sendEventMaxSize values are not being honored, so the maximum size of an event is not restricted when fullEvent=true is used. Ensure the files monitored with fullEvent=true do not exceed 10k in size. Larger files may cause splunkd to crash.
  • Configuring results to be included plain/inline in alert_actions.conf will result in emails containing multiple events all on one line. (SPL-17372) To work around this, you can edit the /opt/splunk/lib/python2.5/site-packages/splunk/Intersplunk.py file. Add the following text after line 138 in Intersplunk.py: rawresults.append("\n")
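Because sendEventMaxSize is not enforced, the only protection against the fullEvent=true crash described above is to verify up front that nothing under a fullEvent stanza exceeds 10k. The following pre-flight check is an added example written for this page, not Splunk's own tooling: it parses the [fschange:<path>] stanzas of an inputs.conf-style text, walks every path whose stanza sets fullEvent = true, and reports files over the limit. The stanza name format, the fullEvent and recurse keys, and the 10 KiB ceiling follow the note above; the sample config and file tree are constructed inline so the script runs offline.

```python
"""Pre-flight check for the fschange fullEvent=true size issue (added example).

Assumes Splunk's inputs.conf conventions: one [fschange:<path>] stanza per
monitored path, with key = value settings such as fullEvent and recurse.
"""
import os
import re
import tempfile

LIMIT_BYTES = 10 * 1024  # the 10k ceiling stated in the known-issues note

STANZA_RE = re.compile(r"^\[fschange:(.+)\]\s*$")


def parse_fschange_stanzas(conf_text):
    """Return {path: {key: value}} for every [fschange:<path>] stanza.

    Other stanza types (monitor, tcp, ...) are skipped; comments and blank
    lines are ignored. This is a minimal reader, not Splunk's conf parser.
    """
    stanzas = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            stanzas[current] = {}
            continue
        if line.startswith("["):
            current = None  # a non-fschange stanza; ignore its settings
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def oversized_full_event_files(conf_text, limit=LIMIT_BYTES):
    """Walk each fullEvent=true path and return sorted [(file, size)] over limit.

    A stanza path may name a single file or a directory; directories are
    walked recursively, matching the effect of recurse = true.
    """
    hits = []
    for path, opts in parse_fschange_stanzas(conf_text).items():
        if opts.get("fullEvent", "false").lower() != "true":
            continue  # event bodies are not sent, so size is not a crash risk
        if os.path.isfile(path):
            candidates = [path]
        else:
            candidates = [os.path.join(d, f)
                          for d, _, files in os.walk(path) for f in files]
        for f in candidates:
            try:
                size = os.path.getsize(f)
            except OSError:
                continue  # file vanished or unreadable; nothing to report
            if size > limit:
                hits.append((f, size))
    return sorted(hits)


def demo():
    """Build a constructed sample tree and inputs.conf, then run the check."""
    root = tempfile.mkdtemp(prefix="fschange_demo_")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "small.conf"), "wb") as fh:
        fh.write(b"x" * 512)               # under the limit
    with open(os.path.join(etc, "big.conf"), "wb") as fh:
        fh.write(b"x" * (20 * 1024))       # over the limit, fullEvent=true
    with open(os.path.join(root, "audited.log"), "wb") as fh:
        fh.write(b"y" * (64 * 1024))       # over the limit, but fullEvent=false
    conf = f"""
# constructed sample inputs.conf (not from a real deployment)
[fschange:{etc}]
fullEvent = true
recurse = true

[fschange:{os.path.join(root, "audited.log")}]
fullEvent = false
"""
    return [(os.path.basename(f), s) for f, s in oversized_full_event_files(conf)]


if __name__ == "__main__":
    for name, size in demo():
        print(f"{name}: {size} bytes exceeds the {LIMIT_BYTES}-byte limit")
```

Run it as-is to see the constructed case, or call oversized_full_event_files() with the contents of your own $SPLUNK_HOME/etc/system/local/inputs.conf before enabling fullEvent on a new path.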

Splunk Toolbar considerations and issues

  • The Internet Explorer version of the toolbar does not work with instances of Splunk running over https. (SPL-12821)
  • The Splunk Toolbar sometimes incorrectly displays two drop-down arrows in the search box. This has no effect on functionality.
  • When running a free Splunk license, or an unlicensed copy of Splunk, the toolbar may not get past the "Welcome to Splunk" start page.
  • Occasionally a search done in the toolbar will not return results. This may cause the browser to hang. The searches will work correctly if run directly in Splunk Web or the command line (CLI).
  • In some cases, the toolbar will prevent "Find in this page" functionality from running multiple times on the same page. These reports have been limited to users running multiple browser add-ons (e.g. colorful tabs, dom inspector, user agent switcher).
  • Autologin does not work if the Autologin is set to off prior to configuring a Splunk server in the toolbar.
    • To login automatically set Autologin to on prior to configuring the server.
  • The toolbar does not have a mechanism for alerting if its credentials are invalid.
    • When a Splunk server is configured to talk to an LDAP server that locks accounts after N failed login attempts, users should verify that their credentials are correct.
  • There are some cases where the toolbar may take over the current user session if the toolbar is configured to talk to a Splunk instance that is different than the one a user is currently logged into.
  • There may be conflicts if a user is logged into one Splunk instance and runs a toolbar search on a different Splunk instance.

API considerations and issues

  • REST calls cannot authenticate as an LDAP user, only the failsafe user. (SPL-16512)
