This page last updated: 07/28/08 02:07pm
Known Issues for release 3.3
This page contains known issues and workarounds for this release of Splunk.
General issues and considerations
This section contains general considerations, issues and workarounds for this release of Splunk.
- If you have configured timestamp offsets using pre-Splunk 3.2 POSIX instructions, you must reconfigure them using this information. If you do not do this, your timestamp information will be incorrect. If you have not configured timezone offsets, you can ignore this note.
- Live tail is a powerful feature, and as such can tax system resources. For this reason, Splunk defaults to only allowing you to run one Live Tail at a time. However, you can edit web.conf to allow for multiple Live Tails. You must enable HTTP pipelining for this to function correctly. Refer to web.conf for more details. (SPL-11839)
- If you are using Splunk Deployment server, version 3.2 and earlier will only work with other deployed servers of exactly the same version, but 3.3.x will work with 3.2.x and 3.3.x.
- If you are running two different instances of Splunk on one machine, you cannot log into both instances at once, even with different shell sessions. However, you can use the -auth option in your search string to provide credentials for a different user on the fly. (SPL-11924)
- Splunk's authentication module does not work with Domino LDAP.
- 2.0.x licenses will NEVER work with 3.x+. If you have a current Plus Support contract you are entitled to upgrade your license to 3.x. If you do not have a current support agreement in place, contact sales@splunk.com.
- The File System Change Monitor does not monitor directories, only the contents of those directories. If an empty directory is deleted, renamed, or otherwise changed, you will not receive an alert. However, if any file in the directory is changed, you will receive an alert.
- If you switch from LDAP authentication to Splunk's built-in authentication, you must restart from the command line before you can log in again. (SPL-11737)
- The $SPLUNK_HOME/share/splunk/search_oxiclean/rss directory is installed with incorrect permissions. You must enable write permissions for this directory so that RSS feed pages can be created. (SPL-10695)
- You cannot specify a relative path when setting $SPLUNK_DB. (SPL-11867)
- Export and import of user data may not work properly.
- Log file rotation does not currently work while tailing SMB mounts. Work around this by mounting as CIFS.
- Upgrading using rpm does not create an etc.bak file.
- Some SUSE 10.x users might experience incorrectly displayed dialog boxes and searches may return the message "Unable to get a properly formatted response from the server; canceling the current search." This is a problem with the mime.types configuration. Instructions on how to correct this problem can be found here.
- Live tail does not currently respect the use of srchfilter within a role. To prevent users from accessing restricted information, explicitly disable Live tail in their user role. (SPL-13534)
- When configuring an LDAP server, you must specify a valid value for groupNameAttribute ( = cn) in authentication.conf or splunkd will crash. (SPL-13562)
- When enabling LDAP authentication, saved searches running as the admin user no longer function. To work around this, change the user the search runs as to a different user. (SPL-13870)
- Decreasing the number of events shown in the GUI (by editing the number of cards and decks) to a low number causes the GUI to keep reloading. (SPL-14267)
- Intermediary CAs are not yet supported in SSL certificates. (SPL-14463)
- LDAP authentication does not work when LDAP has no groups. (SPL-14439)
- Server-class CLI commands fail authentication. (SPL-14059)
- Wildcards in File system change monitor stanzas are ignored. (SPL-14487)
- The Debian package fails to complete installation. To work around this issue, once you've run the installer, edit /var/lib/dpkg/info/splunk.postinst and modify line 13 by adding a / before opt (SPLUNK_HOME="/opt/$PRODUCT"). Then run the script: sh /var/lib/dpkg/info/splunk.postinst. This completes the installation and you can then start Splunk. (SPL-14934)
- Splunk currently only logs the first successful login attempt. All logouts and login failures are logged correctly. (SPL-14960)
Windows-specific considerations and known issues
As a result of porting Splunk to the Windows platform, some functionality is not available or works differently due to platform differences or limitations:
- FIFO data inputs are not supported
- 'Watch and symlink' operation is not supported with file-based data inputs.
- Specifying mapped paths that include drive letters (such as C:\) is not supported. To work around this, use a full UNC path to the network resource (in the form \\servername\full\path\to\resource). Splunk must be running as a user with Admin privileges on the network. (SPL-11690)
- The exporttool function does not support exporting to the original source, but does support export to csv.
- You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf. (SPL-7270)
- The Windows installation package does not include the sample data (referred to in the tutorial portion of the User Guide) that is included on other platforms.
- The Windows release has only been tested on English versions of the operating system. Foreign language versions are currently unsupported.
- Saving a search using the dropdown menu does not save the alert properties for the alert. (SPL-14753)
- Changing the service login credentials of splunkd after installation is not supported. (SPL-14631)
- Regular expressions do not currently work in the Registry baselining feature. (SPL-14743)
- Changing the user that Splunk will run as during installation currently does not work. (SPL-14871)
  - To work around this issue, follow the steps below for your particular situation:
    - Fresh install of 3.3:
      - Install Splunk via the MSI.
      - Uncheck the box to start Splunk. This step is critical!
      - Navigate to the Splunk bin directory and run the splunk clean all command.
      - Launch the Service Control Manager.
      - Open the Properties dialog box for splunkd.
      - Select the Log On tab and specify the user that splunkd should run as.
      - Open the Properties dialog box for Splunk Web.
      - Select the Log On tab and specify the user that Splunk Web should run as.
      - Start splunkd and splunkweb from the Service Control Manager.
    - Upgrade from 3.2.x to 3.3:
      - Install Splunk via the MSI.
      - Uncheck the box to start Splunk. This step is critical!
      - Launch the Service Control Manager.
      - Open the Properties dialog box for splunkd.
      - Select the Log On tab and specify the user that splunkd was previously configured to run under.
      - Open the Properties dialog box for Splunk Web.
      - Select the Log On tab and specify the user that Splunk Web was previously configured to run under.
      - Start Splunkd and Splunkweb from the Service Control Manager.
Search issues, including deprecated commands
- The readlevel and readlimit modifiers are deprecated as of version 3.2. Splunk now handles the verbosity of events intelligently with no need for specification.
- The maxresults and maxtime modifiers have been deprecated. If you have saved searches that use maxresults, they will no longer function starting with version 3.2.
  - Use the Preferences menu in Splunk Web to configure these values.
  - From within the CLI, use of maxresults has changed from being inside your query (for example, splunk search "search foo maxresults::100") to being outside your query (for example, splunk search "foo" -maxresults 100).
- The remote command is deprecated.
  - In Splunk Web, perform remote functionality in the Distributed tab of the Admin interface.
    - Click Admin in the upper-right corner of Splunk Web.
    - Click Distributed from the Distributed tab to turn on Distributed searching and then restart the server.
    - Add the servers you want search requests to be distributed to.
    - Restart Splunk. Once you restart Splunk, all search requests are sent to the servers you specify in the list.
  - In the CLI, use the dispatch command to execute remote functionality. You must have distributed search configured prior to running dispatch.
- The header argument for the diff command has no effect; the header data is always displayed.
- Performing multiple searches at once from the Web UI can occasionally return a "search was canceled" error.
- Searches that operate on large events, such as configuration files and tabular data (top/ps output, logs containing multi-line events), can stress the memory available on 32-bit systems. Splunk recommends that you reduce the maximum number of results from the Preferences menu in Splunk Web or consider searching asynchronously using the command line interface when you are performing these types of searches. This issue can be compounded in distributed search scenarios, where the pool for results is greater. Additionally, the optimizations Splunk applies when displaying non-distributed search results are not available when performing distributed searches; this will also affect memory consumption.
- The savedsearch modifier does not work if the search terms contain a | (pipe). (SPL-13198)
- Transaction search may not display all matching lines in Splunk Web. (SPL-13151)
- The date is not extracted from log filenames if the source type is not a single line source type. (SPL-12594)
Distributed search issues and considerations
- If you are adding or changing a license on any server in your distributed cluster, restart all of them to ensure that they display correctly on each others' dashboards. (SPL-12122)
- Autodiscovery of hosts for distributed search is unreliable.
- If you are using Splunk in a distributed search cluster you can mix 3.3.x with 3.2.x, but mixing 3.1.x and 3.2.x nodes in a distributed search cluster is not supported. In the deployment server, the 'default' class is supposed to target all deployment clients; however, configuration files placed in the default directory on the deployment server do not get pushed properly. (SPL-12350)
Splunk Web issues and considerations
- Due to a change in Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.
- Splunk 3.2 and later requires Flash 9 (download). Flash is available for Firefox 1.5 and 2.0, and Internet Explorer 6 and 7. See the Adobe Flash system requirements. You can check which version of Flash you are running here.
- Firefox 3.0b1 will not currently display any data with Splunk Web. Use Firefox 2.0.0.10 or earlier.
- If you create an event type that contains a space in the name and also specify tags for the event type at the same time, you cannot search on the tags.
- If you pipe into a saved search, time range specifications are ignored in Splunk Web. (SPL-12017)
- Section headers may sometimes display incorrectly in Splunk Web. (SPL-10138)
- If you are using IE7, you may experience inconsistent results in the timeline display. (SPL-11052)
- Time ranges are not retained in snapshots.
- To specify a label for a report column that includes spaces (with quotes surrounding the label name), do not use eval. Use rename and specify it as the last search processor in your string. (SPL-12200)
- Some users have reported browser crashes with Firefox. Mac users who experience this are encouraged to submit CrashReporter logs from the Firefox crash. These can be found in ~/Library/Logs/CrashReporter.
- If you upgrade from Splunk 3.1.x and have saved searches which you subsequently add to your dashboard, the chart type display option will be reset to the default, which is a bar chart. (24015)
- Values for starttimeu or endtimeu are not recognized in Splunk Web, but do function correctly in the CLI. (SPL-13141)
- The Back button does not work correctly when viewing reports. (SPL-14283)
Configuration considerations and issues
- Entries in indexes.conf are case sensitive, including the stanza name itself. (SPL-12063)
- Reusing a field name in fields.conf results in the field being undefined. (SPL-12008)
- Use props.conf to alter Splunk's settings. The properties.xml file is still included with the product, but its settings have no effect.
Splunk Toolbar considerations and issues
- The Splunk Toolbar sometimes incorrectly displays two drop-down arrows in the search box. This has no effect on functionality.
- When running a free Splunk license, or an unlicensed copy of Splunk, the toolbar may not get past the "Welcome to Splunk" start page.
- Occasionally a search done in the toolbar will not return results. This may cause the browser to hang. The searches will work correctly if run directly in Splunk Web or the command line (CLI).
- In some cases, the toolbar will prevent "Find in this page" functionality from running multiple times on the same page. These reports have been limited to users running multiple browser add-ons (e.g. colorful tabs, dom inspector, user agent switcher).
- Autologin does not work if Autologin is set to off prior to configuring a Splunk server in the toolbar.
  - To log in automatically, set Autologin to on prior to configuring the server.
- The toolbar does not have a mechanism for alerting if its credentials are invalid.
  - When a Splunk server is configured to talk to an LDAP server that locks accounts after N failed login attempts, users should verify that their credentials are correct.
- There are some cases where the toolbar may take over the current user session if the toolbar is configured to talk to a Splunk instance that is different than the one a user is currently logged into.
  - There may be conflicts if a user is logged into one Splunk instance and runs a toolbar search on a different Splunk instance.