Splunk Changelog

What's new in Splunk 6.4.3

Aug 23, 2016
  • Data input issues:
  • Sinkhole inputs fail to index file if file is still being written to on first attempt to read
  • Workaround: manually touching all the orphaned files in the sinkhole directory later will trigger Splunk to come back for another look.
  • Likewise, moving the files away and then back again will trigger Splunk to try again.
  • Archive Processor cannot handle zip files containing entries with non-ascii utf8 chars in their filenames
  • Search issues:
  • (Galaxy) - SortProcessor::getStreamingOp crashes in appendpipe subsearch due to inserting streaming operators into report search
  • Workaround: If the search is something like the following:
  • | | appendpipe [ |eval search="stat1"] | appendpipe [ |eval search="stat2"] | appendpipe [ |eval search="stat3"] | where isnotnull(search) | collect
  • Convert it into n separate searches, each like: | |, | |, | |
  • Missing Event Type Color for transaction search results including multiple Event Types.
  • Workaround: This problem does not exist in 6.3.3
  • Increase default value for max_chunk_queue_size from 1MB to 10MB
  • Saved search, alerting, scheduling, and job management issues:
  • Missing Event Type Color for transaction search results including multiple Event Types.
  • Workaround: This problem does not exist in 6.3.3
  • Indexer and indexer clustering issues:
  • Crashing thread: indexerPipe on failing to write raw data to a hot bucket due to no space on disk
  • Distributed search and search head clustering issues:
  • Configuration bundles corrupted during creation might be replicated, causing issues in other servers.
  • (6.4.x) - Error messaging unclear when there are failures creating replication bundles.
  • Workaround: Use smaller file names.
  • Artifact replication failing due to origin node trying to replicate itself and causing the original artifact to never reap.
  • Distributed deployment, forwarder, deployment server issues:
  • dropped events messages in splunkd are INFO; should be WARN
  • Data Management Console Issues:
  • DMC doesn't support Cluster Label with space in it
  • Splunk Web and interface issues:
  • Missing Event Type Color for transaction search results including multiple Event Types.
  • Workaround: This problem does not exist in 6.3.3
  • Windows-specific issues:
  • Windows local user added to domain group does not properly translate SID/GUIDs.
  • Security issues:
  • For a list of security issues, please see the Security Advisory. A list of all recent advisories can be found in the Security Portal.
  • (6.4.3) - Open Redirect in license management pages
  • Unsorted issues:
  • Clarification on where to make squash_threshold changes
  • When Splunk is configured as a license slave, the "show all messages" link on the licensing page returns 404 Not Found
  • After upgrading 6.3.x/6.2.x HWFs to 6.4.x, queues block and data is heavily delayed.
  • Workaround: Increase the size of the tcpout queue so that prior queues don't block. In outputs.conf:
      [tcpout]
      maxQueueSize = 5120000
      tcpSendBufSz = 196608
  • Forwarder RPM package failing to install due to missing useradd and groupadd binaries.
  • Clustered indexers frequently crashing in TimeoutHeap::checkClockSkew
  • (6.4.x) - When "useDeploymentServer = 1", HttpInputConf does not properly load tokens into memory
  • (6.4.3) - Open Redirect in license management pages
  • Uncategorized issues:
  • Embedded report uses oldest search artifact from the history endpoint
  • Workaround: cron job to delete the old artifacts.

New in Splunk 6.4.2 (Jul 13, 2016)

  • Data input issues:
  • editing a sinkhole input in the Splunk UI creates a competing monitor input
  • Search issues:
  • (Galaxy) - Search with an eval or calculated field which calls the tostring(..., "duration") function fails with: "Invalid number"
  • (galaxy) - AdminManager WARNs no capability checks performed in splunkd.log when /apps/local//package is accessed
  • Charting, reporting, and visualization issues:
  • (6.4.x) - Number of values returned to a sparkline for a 7-day range search does not have enough granularity
  • Indexer and indexer clustering issues:
  • Audit trail spams splunkd.log with errors: "Failed to save seq_no=7885 for host="host::MLTPSAPV224" to disk!"
  • CSV Streaming Parser crashing for quoted empty strings followed by a space and Windows newline.
  • Distributed search and search head clustering issues:
  • loadjob not working - statusCode=403, Forbidden
  • Distributed deployment, forwarder, deployment server issues:
  • ERROR AuditTrailManager - Private key error Error opening private.pem: The system cannot find the path specified.
  • Rest, Simple XML, and Advanced XML issues:
  • (galaxy) - Unescaped invalid UTF-8 codepoints cause JavaSDK exception
  • Admin and CLI issues:
  • editing a sinkhole input in the Splunk UI creates a competing monitor input
  • splunk clone-prep-clear-config command removes configurations that reside in etc/system/local upon restart
  • Unsorted issues:
  • UF crashes in populate_VolumesIdata when constructing IndexerService object
  • Splunk upgrade migration script doesn't obey server.conf SSL configuration

New in Splunk 6.3.3 (Feb 6, 2016)

  • Data input issues:
  • 2016-2-2 SPL-109903, SPL-96886 MAX_DIFF_SECS_AGO and MAX_DIFF_SECS_HENCE accept events outside the expected time range
  • Search, saved search, alerting, scheduling, and job management issues:
  • 2016-2-2 SPL-111500, SPL-109489 ParseNodeGROUP::associate shows poor performance.
  • 2016-2-2 SPL-111364 Search to specific field of lookup crashes.
  • 2016-2-2 SPL-111343 ConfReplicationThread log fields incorrectly parsed due to log format.
  • 2016-2-2 SPL-109929 Space and double quote is reported in broken cookie handling.
  • 2016-2-2 SPL-109918 Missing app icons and settings menu due to cookie parsing fail.
  • 2016-2-2 SPL-112730, SPL-111621 BatchSearch (in Parallel Pipelines mode) SegFaults with invalid DatabaseDirectoryManager object because of Multithreading concurrency issues in updating IndexerGlobals::instance()
  • Splunk Web, DMC, and Home interface issues:
  • 2016-2-2 SPL-111179 When max bucket size is set to anything less than 1024 with unit MB while creating an index, the unit will be shown as GB when you open the index next time.
  • 2016-2-2 SPL-109809, SPL-109219 After upgrading to 6.3.x, the DMC overview page shows a total license stack size several times larger than the actual one
  • 2016-2-2 SPL-107915 Overlay (right) Y-Axis label changes to match left Y-Axis label after resizing a panel inside dashboard.
  • 2016-2-2 SPL-107484 When results are sorted by a column in dashboard's events viewer, the wrong event details appear upon expanding an event row.
  • 2016-2-2 SPL-106277 When user performs a fetch from eventtypes/_new then creates a post with the same attributes from the fetch, a color attribute is added and causes an error.
  • Distributed deployment, forwarder, and deployment server issues:
  • 2016-2-2 SPL-111343 ConfReplicationThread log fields incorrectly parsed due to log format.
  • Distributed search and search head clustering issues:
  • 2016-2-2 SPL-111515 Bundles in lookup_tmp not reaped in SHC peers.
  • 2016-2-2 SPL-109555 Skipped scheduled searches are not properly accounted for in scheduler.log and metrics.log / group=searchscheduler.
  • Unsorted issues:
  • 2016-2-2 SPL-110878, SPL-104699 Splunk does not start on OSX 10.11 (El Capitan).
  • 2016-2-2 SPL-109238 cherrypy IOError: Port 8065 not free on '127.0.0.1' when installing apps with web.conf

New in Splunk 6.3.2 (Dec 17, 2015)

  • Upgrade issues:
  • 2015-12-16 SPL-109050 Crash during upgrade of Enterprise Security app from 3.3.2 to 4.0 on Windows search head.
  • 2015-12-16 SPL-108911, SPL-104384 Splunk startup after an upgrade takes a very long time to complete in NFS environments.
  • 2015-12-16 SPL-108053 After upgrade to 6.3 scheduler.log shows empty skip reason for scenarios where the admin is not allowed to run historical scheduled search
  • 2015-12-16 SPL-107449 After upgrade to 6.3 some Splunk web elements are missing due to cookie arrays failing to be parsed.
  • Data input issues:
  • 2015-12-16 SPL-109016, SPL-105359 Oneshot does not use file modtime when indexing data with no timestamps
  • 2015-12-16 SPL-97119, SPL-93979 Incorrect parent name reported for a given file in the tailing processor file status endpoint
  • Distributed deployment, forwarder, and deployment server issues:
  • 2015-12-16 SPL-109499, SPL-109473, SQA-2883 On data inputs page, the available hosts and server class list shows only 30 items
  • 2015-12-16 SPL-108920 Universal Forwarder - crashing thread: Tcplistener.
  • 2015-12-16 SPL-108226 Windows universal forwarder wraps JSON output of Powershell modular input in double quotes.
  • 2015-12-16 SPL-108220 Cannot update apps installed from deployment server if app was deployed with an install_source_checksum
  • 2015-12-16 SPL-106003, SPL-105533 The number of deployed client does not count up on the apps tab on forwarder management page
  • Distributed search and search head clustering issues:
  • 2015-12-16 SPL-108993, SPL-104439 Deleting a global saved search after cloning also deletes the cloned search.
  • 2015-12-16 SPL-108633, SPL-104204 Some REST-based searches that target the whole SHC group cause the deployer instance to return an error.
  • Indexers and indexer clustering issues:
  • 2015-12-16 SPL-109080, SPL-105360 Fixup Tasks in clustering_bucket_details includes tasks that should not and will not be fixed.
  • 2015-12-16 SPL-108584, SPL-107322 Indexer fails to start, with crashing thread: SplunkdSpecificInitThread.
  • 2015-12-16 SPL-108244, SPL-107657 Converting a multisite indexer cluster to single-site breaks clustering due to unmet Replication Factor and Search Factor.
  • Integrated PDF generation and PDF Report Server issues:
  • 2015-12-16 SPL-108612, SPL-107168 Values set for reportPaper and reportPaperOrientation in alert_actions conf in the app context are ignored.
  • 2015-12-16 SPL-105853, SPL-105388 Unable to render PDF for a table with sparklines that have empty values.
  • REST, Simple XML, and Advanced XML issues:
  • 2015-12-16 SPL-108113, SPL-108083 Dropdown form input fails to render with values when token is used.
  • 2015-12-16 SPL-107326, SPL-103621 Some DB Connect pages fail to load when root_endpoint value starts with splunkd.
  • 2015-12-16 SPL-107325, SPL-104988 Real-time dashboard panel is not updated when there is no matching search result.
  • Search, saved search, alerting, scheduling, and job management issues:
  • 2015-12-16 SPL-109562, SPL-103417 When limits are enforced and a new search request would be over the limit, the server returns the wrong HTTP response code of 500 instead of 503.
  • 2015-12-16 SPL-109346, SPL-105638 Performance issue due to realtime_schedule being enabled unexpectedly.
  • 2015-12-16 SPL-109305, SPL-105642 tstat queries using prestats and append do not work when using earliest and latest
  • 2015-12-16 SPL-109132, SPL-107402 Scheduled search skipped with reason message "Out of search disk space" or "maxsearches limit reached".
  • 2015-12-16 SPL-108771, SPL-97756 Searching JSON silently fails to produce complete results
  • 2015-12-16 SPL-108433 Power user having read and write permissions for a saved search owned by an admin user is unable to view results from scheduled email
  • 2015-12-16 SPL-108228, SPL-104263 When an eventtype name contains a space, its labels are removed if its permissions are changed to Global.
  • 2015-12-16 SPL-108156, SPL-106212 Unable to send CSV files through email from Splunk for some transfer protocols
  • 2015-12-16 SPL-108053 After upgrade to 6.3 scheduler.log shows empty skip reason for scenarios where the admin is not allowed to run historical scheduled search
  • 2015-12-16 SPL-107742 Transaction and stats command returns 0 results
  • 2015-12-16 SPL-107582, SPL-107423 Incomplete event detail is rendered on clicking "show all lines" link for a realtime search
  • 2015-12-16 SPL-107449 After upgrade to 6.3 some Splunk web elements are missing due to cookie arrays failing to be parsed.
  • 2015-12-16 SPL-107223 A real-time (all time) search for "index=*" does not return expected results when indexed_realtime_use_by_default is set to 1
  • 2015-12-16 SPL-106687, SPL-105639 WHERE clause of timechart changes last Column header to "OTHER" even if top and bottom criteria is not present
  • 2015-12-16 SPL-106659, SPL-103860 Splunk denial of service when search-time bundles are larger than maxBundleSize in distsearch.conf.
  • 2015-12-16 SPL-106296, SPL-102937 "is_scheduled" parameter does not work when adding saved-search with CLI.
  • 2015-12-16 SPL-106298, SPL-101452 Timechart search return only OTHER and/or NULL columns when the index data sets is large and the split-by field has large distinct values.
  • 2015-12-16 SPL-106279, SPL-104536 As a user I want to know the latest/earliest value of a string field in pivot editor
  • Splunk Web and Home interface issues:
  • 2015-12-16 SPL-108034 Blank Page when loading Field extraction
  • 2015-12-16 SPL-105476, SPL-104482 "Build Event Type" fails in Splunk web when truncating indexed Russian event strings
  • Unsorted issues:
  • 2015-12-16 SPL-108651, SPL-105946 Proper day is not extracted when time format includes only day, hour, minute, and second.
  • 2015-12-16 SPL-108369, SPL-96466 UI behavior has changed for SSO authentication login failure
  • 2015-12-16 SPL-107532, SPL-72052 Stats outputs multiple columns for the same field when renaming several different calculations to that field name
  • 2015-12-16 SPL-106327, SPL-103715 Simultaneous "splunk restart splunkweb" and "splunk stop" cause crashing race condition in HTTPDispatch Thread
  • 2015-12-16 SPL-105661, SPL-105660 Include support for TLS 1.2 by default in server.conf and web.conf.
  • 2015-12-16 SPL-105271, SPL-102526 Splunkd fails to load due to symbol gzdirect not exported from libz on AIX

New in Splunk 6.3.1 (Nov 21, 2015)

  • Distributed deployment, forwarder, and deployment server issues:
  • 2015-11-04 - SPL-102412, SPL-83461 - UFs receive ACKs out of order causing huge memory growth.
  • 2015-11-04 - SPL-103257, SPL-100887 - 20k+/hr forwarder connections cause deployment server to become unresponsive
  • 2015-11-04 - SPL-104953, SPL-99702 - UI: Data Inputs > Forwarded Inputs serverclass name is truncated / incomplete
  • 2015-11-04 - SPL-104976, SPL-104626 - outputs.conf comments are stripped from file when encrypting SSL password
  • 2015-11-04 - SPL-106305, SPL-100624 - Very large serverclass.conf causes the Forwarder Management page to stay blank
  • 2015-11-04 - SPL-106972 - Installing Apps on a Universal Forwarder using the CLI results in the forwarder crashing
  • 2015-11-04 - SPL-107738 - Forwarder management page displays with incorrect formatting
  • Distributed search and search head clustering issues:
  • 2015-11-04 - SPL-104474, SPL-103056 - Scheduled searches after upgrading from 5.0.6 to 6.2.3 are delayed significantly leading to reports of "skipped" searches due to search processes making additional calls to the /admin/summarization endpoint
  • 2015-11-04 - SPL-104672 - GenerationGrabberThread asserts on "ita_thread == ThreadToken::self" due to shutdown race condition
  • 2015-11-04 - SPL-104885, SPL-103012 - Undefined props.acl causes JavaScript SDK to error and stop executing script
  • 2015-11-04 - SPL-107053 - Unable to start the Web Server under Windows when search head pool is enabled
  • 2015-11-04 - SPL-107106 - When SAML is enabled, SHC captain becomes unresponsive during periods with high scheduled search activity
  • 2015-11-04 - SPL-107524, SPL-106842 - SHC Captain crash due to seg fault in CallbackRunnerThread
  • Indexers and indexer clustering issues:
  • 2015-11-04 - SPL-103900, SPL-103464 - Buckets with invalid timebounds cause cluster peer to crash
  • 2015-11-04 - SPL-104701, SPL-102940 - Assertion raised by archivereader thread while indexing tar log files
  • 2015-11-04 - SPL-104835, SPL-104735 - Error message thrown in retrieving filesystem for UNC path
  • 2015-11-04 - SPL-104955, SPL-104738 - Indexer incorrectly stops indexing due to out of disk or too many tsidx files
  • Integrated PDF generation and PDF Report Server issues:
  • 2015-11-04 - SPL-105152, SPL-104867 - Scheduled PDF generation fails when XML encoding does not match content encoding
  • 2015-11-04 - SPL-106303, SPL-100294 - PDF delivery fails for specific scheduled searches
  • Search, saved search, alerting, scheduling, and job management issues:
  • 2015-11-04 - SPL-103271, SPL-103270, SPL-100183 - Warn when a large lookup table is loaded into memory!
  • 2015-11-04 - SPL-103705, SPL-103704, SPL-82385 - default remote_timeline_fetchall = 1 in limits.conf causes searches spending long time in Finalizing status
  • 2015-11-04 - SPL-104232, SPL-104227, SPL-103419 - Indexed lookup returns NULL result when the lookup table has large number of duplicate rows
  • 2015-11-04 - SPL-104425, SPL-104427 - Role is automatically mapped back to user and LDAP group even after the role is deleted then re-introduced.
  • 2015-11-04 - SPL-104475, SPL-103381 - Test email contains incorrect subject and message values
  • 2015-11-04 - SPL-104560, SPL-103416 - Splunk add saved-search with -email parameter creates the typo with action.emai (missing the 'L') in savedsearches.conf
  • 2015-11-04 - SPL-104660, SPL-103527 - The "fields" command cannot remove "row*" fields created by "transpose" command
  • 2015-11-04 - SPL-104884, SPL-104023 - Show source displays blank page with message "Show source not available for this event"
  • 2015-11-04 - SPL-104951, SPL-104591 - Regex in IFX does not allow multiline match in an event
  • 2015-11-04 - SPL-105277, SPL-99985 - Drill-down on field returns HandleIntentionsParserDataProvider error
  • 2015-11-04 - SPL-105405, SPL-103836 - Datamodel acceleration status needs to show the correct percentage when backfill parameter is configured
  • 2015-11-04 - SPL-107200 - Splunk Search Process Crashes - Integer division by zero
  • 2015-11-04 - SPL-107253 - After upgrade searches fail due to vector::_M_range_check exception because of Malformed lookup CSV files.
  • 2015-11-04 - SPL-107263 - Backfill script does not accept wildcard for name attribute
  • 2015-11-04 - SPL-107270, SPL-103546 - Same regex may behave differently between rex command and props.conf.
  • Splunk Web and Home interface issues:
  • 2015-11-04 - SPL-104471, SPL-103137 - Job management view selects an incorrect app when an app name contains another app's appid
  • 2015-11-04 - SPL-104473, SPL-103538 - Improve messaging for the form input dropdown when there are duplicate values
  • 2015-11-04 - SPL-104677, SPL-103168 - Cursor jumps to end of line when typing anywhere inside the login form input fields
  • 2015-11-04 - SPL-104861, SPL-96663 - GDI File directory browser breaks when running behind Apache proxy
  • 2015-11-04 - SPL-104883, SPL-104327 - HTTP response header provides CherryPy version
  • 2015-11-04 - SPL-104886, SPL-97319 - In Chrome, the Time field in time picker sizes incorrectly.
  • 2015-11-04 - SPL-104952, SPL-100036 - GDI Index dropdown displays default index even if write access is not available
  • 2015-11-04 - SPL-106302, SPL-103938 - Information in Splunk Web and inputs.conf is inconsistent when enabling or disabling TCP input
  • 2015-11-04 - SPL-107390 - DMC Forwarders: Deployment page shows wrong figure of average events
  • Unsorted issues:
  • 2015-11-04 - SPL-103614, SPL-103613, SPL-81391 - splunkd.log needs to continue to report an authentication forwarding error beyond restart. ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath
  • 2015-11-04 - SPL-104078, SPL-104017 - Splunkd crash due to assertion failure in Tailing.
  • 2015-11-04 - SPL-104515 - The default value of max_count should be 500000 in limits.conf.spec. (Clones: SPL-104440, SPL-104512, SPL-104513, SPL-104514)
  • 2015-11-04 - SPL-104881, SPL-103335 - Site minder proxy using unsupported “Content-type” case in XHR response headers causes GET requests to have undefined job id.
  • 2015-11-04 - SPL-105147, SPL-103293 - support for https protocol when using googlemapview lib
  • 2015-11-04 - SPL-106838, SPL-105362 - Corrupt/truncated info.csv causes crash in IdataDO_Collector after throwing an instance of JsonStreamingParser::error
  • 2015-11-04 - SPL-107105 - Splunkd crashes when a SAML Attribute Query receives a bad response
  • 2015-11-04 - SPL-107563 - SimpleXML chart data count option does not work

New in Splunk 6.3.0 (Sep 28, 2015)

  • Platform:
  • Search Parallelization. Optimized CPU utilization for faster search execution. See "Manage report acceleration", "Accelerate data models", and "Configure batch mode search" in the Knowledge Manager Manual.
  • Index Parallelization. Optimized CPU utilization for faster data ingestion.
  • Intelligent Job Scheduling. Intelligent job scheduling provides improved system utilization and predictable performance. See "Configure the priority of scheduled reports" in the Reporting Manual.
  • Data Integrity Control. Data integrity control ensures that indexed data has not been modified. See "Manage data integrity" in the Securing Splunk Enterprise manual.
  • Single Sign-On Using SAML. Support for SAML 2.0 for single sign-on using PingFederate as the Identity Provider. See "About single sign-on using SAML" in the Securing Splunk Enterprise manual.
  • Search Head Clustering Improvements. Performance optimization, scalability, and management improvements. Support for Windows OS.
  • Indexer Clustering Improvements. Ability to turn off search affinity. See "Implement search affinity in a multisite indexer cluster" in the Managing Indexers and Clusters of Indexers manual.
  • HTTP Event Collector. Indexing of high-volume JSON-based application and IOT data sent directly via a secure, scalable HTTP endpoint. No Forwarder required. See "Use the HTTP Event Collector" in the Getting Data In manual.
  • Custom Alert Actions. Customizable alert actions and packaged integrations with popular third-party applications or messaging systems. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
  • Key Value Store - Distributed Lookups. Allows App developers to do KV Store lookups on remote indexers to improve efficiency in large scale distributed environments. See "About the app key value store" in the Admin Manual.
  • Key Value Store - Lookup Filtering. Allows App developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.
  • Management and Administration:
  • HTTP Event Collector Configuration. Create and manage configurations for the HTTP Event Collector. See "Use the HTTP Event Collector" in the Getting Data In manual.
  • Source Type Manager. Create and manage source type configurations independent of getting data in, and search within the source type picker. See "Manage source types" in the Getting Data In manual.
  • Powershell Input. Native support for ingesting data retrieved by Powershell scripts. See the Splunk Add-on for Microsoft PowerShell manual.
  • App Browsing Interface. Automates and simplifies app and add-on discovery within Splunk Web.
  • Indexer Auto-Discovery. Forwarders now dynamically retrieve indexer lists from cluster master to enable elastic deployments. See "Use indexer discovery to connect forwarders to peer nodes" in the Managing Indexers and Clusters of Indexers manual.
  • Distributed Management Console. New topology views, status, and alerting for Splunk platform deployments including: indexers, search heads, forwarders, and storage utilization. See "About the distributed management console" in the Distributed Management Console Manual.
  • Field Extractor Enhancements. Simplified field extraction via delimiter and header selection. Displays field extractions within the event preview. See "Build field extractions with the field extractor" in the Knowledge Manager Manual.
  • Search Process Memory Usage Threshold. New configuration parameters to specify the maximum physical memory usage that a single search process can consume. See the search_process_memory_usage_threshold and search_process_memory_usage_percentage_threshold stanzas in "limits.conf" in the Admin Manual.
  • Usability:
  • Single Value Display. Support for at-a-glance, single-value indicators with historical context and change indicators. See the "Single value visualizations" section of "Visualization Reference" in the Dashboards and Visualizations manual.
  • Geospatial Visualization. Support for choropleth maps to visualize how a metric varies across a customizable geographic area. See "Mapping data" in the Dashboards and Visualizations manual.
  • Dashboard Enhancements. More powerful dashboards with extended search and token management. See "Token usage in dashboards" in the Dashboards and Visualizations manual.
  • Search History. View and interact with ad-hoc search command history. See "View and interact with your Search History" in the Search Manual.
  • Anomaly Detection. New SPL command that offers histogram based approach for detecting anomalies. Also includes the capabilities of existing anomalousvalue and outlier SPL commands. See "anomalydetection" in the Search Reference manual.
  • Search Helper Improvements. Re-architected to improve responsiveness.
  • Developer:
  • Java logger Support for HTTP Event Collector. Adds support for log4j, logback and java.util.logging to allow logging from Java apps over HTTP.
  • .NET Logger support for HTTP Event Logger. Adds support for the .NET Trace Listener API and SLAB (Semantic Logging Application Block) to allow logging from apps over HTTP.
  • Custom Alert Actions. Allows developers to build, package, and integrate custom alert actions as native to Splunk software. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
  • Key Value Store - Distributed Lookups. Allows App developers to do KV Store lookups on remote indexers to improve efficiency in large scale distributed environments. See "About the app key value store" in the Admin Manual.
  • Key Value Store - Lookup Filtering. Allows App developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.
  • Documentation:
  • The Splunk Enterprise 6.3 release includes one new manual and several enhancements to key areas of existing content.
  • The Distributed Management Console Manual provides dedicated information on the distributed management console that was introduced in Splunk Enterprise 6.2.
  • The Distributed Deployment Manual has been substantially expanded to provide enhanced guidance on implementing, maintaining, and expanding a distributed deployment. In particular, it now features a set of end-to-end implementation frameworks for common deployment scenarios.
  • The Getting Data In manual has been reorganized to provide faster access to the information you need to get your data into Splunk Enterprise. The manual includes information on updated features, and content within the book has been reorganized to make procedures easier to understand and follow.
  • The Forwarding Data manual has been updated to make the installation instructions for the universal forwarder more accessible, and to better group and clarify universal forwarder concepts and activities in deployments of the Splunk platform.
  • New REST APIs:
  • This release includes the following updates to the REST API.
  • data/inputs/http
  • data/inputs/http/{name}
  • data/inputs/http/{name}/disable
  • data/inputs/http/{name}/enable
  • licenser/usage
  • services/collector/event
  • services/collector/mint
  • services/data/ui/alerts
  • servicesNS/{user}/{app}/data/ui/alerts
  • services/server/introspection/search/dispatch/Bundle_Directory_Reaper
  • services/server/introspection/search/dispatch/Dispatch_Directory_Reaper
  • services/server/introspection/search/dispatch/Search_StartUp_Time
  • services/server/introspection/search/distributed
  • services/server/introspection/search/saved
  • services/search/scheduler
  • services/search/scheduler/scheduler

New in Splunk 6.2.5 (Aug 12, 2015)

  • The following issues have been resolved in this release:
  • Upon upgrading from 5.0.6 -> 6.2.3 scheduled searches are delayed significantly, leading to reports of "skipped" searches.
  • Splunkd crash due to assertion failure in Tailing.
  • Undefined props.acl causes Javascript SDK to error and stop executing script.
  • Test email contains incorrect subject and message values.
  • No warning when a large lookup table is loaded into memory. (Clone: SPL-100183.)
  • Revert the fix for Missing browser support message for IE8 when user is accessing Splunk through SSO.
  • Improve messaging for the form input drop down when there are duplicate values.
  • Job management view selects an incorrect app when an app name contains another app's appID.
  • On a universal forwarder, per_sourcetype_thruput/ per_source_thruput/ and per_host_thruput information is missing from metric.log. (Clone:SPL-102411)

New in Splunk 6.2.4 (Aug 4, 2015)

  • The following issues have been resolved in this release:
  • Security issues:
  • For a list of security issues, please see the Security Advisory.
  • Data input issues:
  • Duplicate events occur because of clock skew between source and Splunk (Clone: SPL-98328).
  • props.conf LINE_BREAKER with initial zero-width capture group discards first character of event.
  • When useACK=true, the UF takes 6-7 minutes to restart, and does not forward any log events from that time.
  • recursive=false for one of multiple monitor inputs with overlapping paths causes duplicate events.
  • Inconsistent event merging of iis logs with delimiter containing a double quote followed by a closing curly brace ("}).
  • Charting, reporting, and visualization issues:
  • Incorrect drilldown search generated by "fillnull" and "rangemap".
  • SimpleXML dashboard panel raises malformed error when postprocess search contains tabs.
  • Indexers and indexer clustering issues:
  • register_replication_address and register_search_address do not work as documented (Clone: SPL-100211).
  • selectiveIndexing does not index events while still forwarding data.
  • Cannot move bloomHomePath to filesystem outside of bucket.
  • Crash on Cluster master manager UI - CMBucketToIndexInfo - Integer division by zero.
  • Splunk does not catch all exceptions in JournalSRReaderThread and handle it safely (Clones: SPL-91274).
  • Splunk Introspection process crashes due to "Assertion failed: minuend.tv_sec >= subtrahend.tv_sec" (Clone:SPL-94942).
  • Data model and Pivot issues:
  • In the Data Model editor, if user clicks a field in the lookup dropdown, changes the field name and saves the change, when navigating back to the same page, the original field name still displays.
  • In DataPreview, Splunk treats file as a directory and does not allow preview.
  • While creating a Pivot, when I split rows by time and select the format "Year", it returns this value: 2014-01-01 00:00:00.
  • Integrated PDF generation and PDF Report Server issues:
  • PDF: Pie chart is missing from the generated PDF (Clone: SPL-98436).
  • Search, saved search, alerting, scheduling, and job management issues:
  • CSV attachment sent by the scheduled alert contains line break after 900 characters.
  • Hong Kong timezone abbreviation - HKT - is not recognized from an event.
  • The resize bar of visualization container appears over the search assistant container.
  • OUTPUT option in lookup clears destination fields irrespective of the existence of the input fields.
  • A search with two sets of earliest/latest time modifiers on each side of an OR returns inconsistent results.
  • Drill-down on field returns HandleIntentionsParserDataProvider error.
  • Multikv.conf isn't recognized on an indexer when it is passed as part of the bundle.
  • Y-Axis max value does not reflect correctly on a panel.
  • Time Range Picker doesn't return error message when inputting a wrong time range.
  • Search results might be incomplete error with pre 6.2 search peers.
  • Splunk Web fails to parse huge xml responses from Splunkd.
  • Splunkd Segmentation Fault (Signal 11) in Scheduler thread occurs when re-validating user SessionToken during scheduling of a saved search.
  • auto_summarize.timespan fails to read manual valid ranges, generates error
  • ResultsTable with fieldname 'watch' gets considered as timestamp by default on firefox.
  • Extra Fields Visible And Persisted Across Transforming Commands.
  • Splunk Web and Home interface issues:
  • 404 Not Found after creating a dashboard from the listing page in the manager namespace.
  • Distributed deployment, forwarder, and deployment server issues:
  • Huge serverclass.conf file causes the Forwarder Management page to stay blank. (Clone: SPL-94242)
  • Distributed search and search head clustering issues:
  • Throttling setting does not apply to all nodes of the Search Head Cluster.
  • Peers incorrectly report 4 billion replications in high latency environments (Clone: SPL-98488)
  • Search head cluster fails to parse search string when a search string is the same as a control character, increasing the size of splunkd_stderr.log to 75GB (Clone: SPL-98396)
  • Search Head Pooling on Windows does not allow splunkweb to start when splunk installed on a non C drive
  • Modifying lookup table file in-place (outputlookup append=t) while upload is already in-flight triggers assertion in HttpClientConnection::asyncWriteComplete() (Clone: SPL-99958)
  • Search head clustering summary indexing searches run multiple times causing duplicate data
  • DistributedPeerMonitorThread thread on SH Splunkd crashed due to race condition for _myLicenseKeys
  • Splunkd Segmentation Fault (Signal 11) in Scheduler thread when revalidating user SessionToken during scheduling of a saved search.
  • Search error messages are cluttering the search page
  • REST, Simple XML, and Advanced XML issues:
  • The time ticks on x-axis fails to render when charting.legend.labels option is used in the dashboard xml.
  • Web.conf privKeyPath and caCertPath are prepending $SPLUNK_HOME dir to directories that are an absolute path (Clones: SPL-86733)
  • KVStore creates files in shared memory.
  • Splunk on AIX fails to start as nonroot user when the user has no read permissions for /etc/inittab.
  • Invalid key 'pass4SymmKey' in stanza [deployment] in /opt/splunk/etc/system/local/server.conf.
  • Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart) (Clone: SPL-93020).
  • CSV logs are broken incorrectly, causing delayed indexing.
  • Splunk web should use the new API directory listing API. (Clone: SPL-98934)
  • disk_objects.log / group = partitions doesn't show mount points used for volumes on mounted filesystems
  • Unable to Install Splunk 6.2 on SunOS 10 Sparc machines with "`SUNW_1.22.6' not found" error.
  • Splunk Introspection for CPU-time produces incorrectly high values on busy system -- instrument-resource-usage records values > 100% in resource_usage.log for system-wide CPU usage (component=Hostwide / cpu_system_pct and cpu_user_pct). (Clone: SPL-91396)
  • Stats command spends a lot of time in finalizing phase when max_mem_usage_mb = 0.

New in Splunk 6.2.3 (May 2, 2015)

  • Security issues:
  • SPL-95798 - Secure flag inconsistently set for session cookies when appServerPorts!=0
  • SPL-98351 - Multiple vulnerabilities in OpenSSL prior to 1.0.1m (Clones: SPL-98356, SPL-98352)
  • SPL-95270 - Secure flag not set for cval, uid, csrf cookies on the login page when running Splunk in legacy mode (appServerPorts=0).
  • SPL-95594 - Cross-site scripting in Search. (Clone: SPL-97822)
  • SPL-96280 - Disable SSLv3 in KV Store Replication.
  • SPL-93516 - Cross-site scripting in management and configuration.
  • Highlighted issues:
  • 2015-03-17 - SPL-96265 - Orphan KVStore process stops Splunk from restarting.
  • 2015-04-23 - SPL-100103 - KV store collections are purged when owning app is disabled
  • SPL-94017 - mongod creates up to 65k files in /dev/shm/, using up to 500MB of space
  • Data input issues:
  • SPL-98155 - Duplicate events when monitoring gzip files on NFS server with clock skew. (Clone: SPL-96292)
  • SPL-97132 - archivereader thread crashes when reading csv.gz files.
  • Charting, reporting, and visualization issues:
  • SPL-97255 - Summary Status in Report Acceleration Summaries page does not update from Pending (Clone: SPL-87068)
  • SPL-97427 - Map graph is empty when using lower boundary limits for binspanlat and binspanlong in the geostats map command. (Clone: SPL-91723)
  • SPL-95571 - Home menus disappear once a home dashboard is refreshed.
  • Indexers and indexer clustering issues:
  • SPL-93244 - ERROR message in Tailing Processor: "Bug: tried to check/configure STData processing but have no pending metadata".
  • SPL-97654 - Internal Splunkd Log message displays in SplunkWeb when Splunk fails to discard Search artifacts on peer.
  • SPL-98007 - Clicking "remove" button in the cluster management excess buckets page deletes all standalone buckets.
  • Data model and Pivot issues:
  • SPL-97524 - When a user clicks the update link within acceleration information we should provide user feedback once the data is updated. (Clones SPL-95099)
  • SPL-95808 - Data Models page does not display acceleration information when the datamodel name is a substring of app name.
  • Search, saved search, alerting, scheduling, and job management issues:
  • SPL-97264 - 404 error message when editing the email action of an ES app correlation search via Manager (Settings >> Searches, Reports and Alerts).
  • SPL-97298 - Token replacement fails in email alerts when raw data contains binary character. (Clones SPL-96721)
  • SPL-94296 - Triggered Alerts only kept 7 days upon restart regardless of user configurations. (clone: SPL-93331)
  • SPL-96790 - Search results table fails to display field named latest_time or earliest_time correctly.
  • SPL-97661 - PCRE Heap Overflow issues for PCRE versions less than 8.36
  • SPL-97079 - Excessive time is spent in dispatch.createProviderQueue when search includes splunk_server specification as opposed to searching all peers. (Clone: SPL-94054)
  • SPL-98807 - Searches block on search head because of splunkd timeout on /receivers/bundle REST endpoint when replicating bundle to slow peer. (Clone: SPL-98547)
  • SPL-95428 - spath processor, due to malformed XML input.
  • SPL-97601 - Bundle Replication: Skewed modtimes on temporary bundle files cause premature reaping and errors in distributed search.
  • SPL-96622 - Search does not work with combination of NOT and "date_hour < 24 AND date_hour >0".
  • SPL-96849 - Search "index=_* AND index!=main" returns no results.
  • SPL-97020 - SearchParser returns error when using savedsearch to call macro with line feed. (Clone: SPL-92827)
  • SPL-96865 - When system-wide search limits are reached, realtime searches are skipped with no user notification. (Clone: SPL-87805)
  • SPL-97309 - stats count by eventtype(or tag)" to return no results. (Clone: SPL-85091)
  • SPL-97372 - Netapp Dashboard takes too long to generate graphs, consumes a lot of memory. (Clone: SPL-95086)
  • SPL-97419 - "Calculated" field should not expand when preceded immediately by a NOT Operator or inside a NOT Expression. (Clone: SPL-93523)
  • SPL-96334 - loadjob on savedsearch with no results shows error instead of "no results" message. (Clone: SPL-93526)
  • Splunk Web and Home interface issues:
  • SPL-97154 - Incomplete exported csv when field value has double-byte white space at the end. (Clone: SPL-91706)
  • SPL-95194 - Simple XML Dashboard - report's permission operation from edit panel mode causes change in chart type. (Clone: SPL-94969)
  • SPL-95560 - Mako template fails to render error when splunk is restarted. (Clone: SPL-92223)
  • SPL-95603 - Autofill of user credentials causes login failure on Safari, Firefox and Internet Explorer.
  • SPL-97589 - In a combination of map and sendemail, when a field has a space the substring after the space is not recognized. (Clone: SPL-93240)
  • SPL-98540 - "Explore Data" link in settings tab returns a 404 page.
  • SPL-92298 - Workflow action event menu does not encode _raw field when used in link.uri.
  • SPL-93746 - Workflow Actions field menu does not URI encode special tokens when used in link.uri.
  • SPL-96057 - Workflow action does not honor $!token$ and will always encode the link.uri
  • SPL-96068 - SSO timeout presents a misleading message to the end user - "Reconnecting to Splunk server"
  • SPL-96243 - When typing a password spaces are deleted. (Clone: SPL-95847)
  • Distributed deployment, forwarder issues:
  • SPL-92713 - The "Edit Instance Info" and "Edit Server Roles" pop-ups in the Management Console setup do not show the selected instance's serverName (clone: SPL-92712)
  • Deployment Server issues:
  • SPL-96407 - If user deletes items out of order and sets a whitelist to *, the Edit Clients option fails in the Deployment Server.
  • SPL-98561 - If you reload the deployment server with an out-of-sequence whitelist and blacklist, TcpChannelThread crashes.
  • SPL-84687 - If you add multiple entries to whitelist in non-consecutive order, deployment server cannot find whitelist.
  • Distributed search and search head clustering issues:
  • SPL-95885 - Search head cluster member crashes with SEGFAULT intermittently when alerts are run too fast
  • SPL-99022 - [DSPROXY] Prevent clobbering of default lookup table files when issuing "splunk apply shcluster-bundle". (Clone: SPL-84485)
  • SPL-96866 - Search Head Clustering - Crash in DispatchReaper thread during heavy scheduler activity. (Clone: SPL-95746)
  • SPL-99027 - Time To Live (TTL) is set to 0 (expired) for jobs executed by cluster member in saved/searches//history REST endpoint. (Clone: SPL-98740)
  • Windows-specific issues:
  • SPL-95834 - [Deployment Server] reload deploy-server breaks when %HOMESHARE% declared and %HOMEPATH% starts with '\'
  • SPL-96835 - On the Edit Clients page in forwarder management, the values inside the text area disappear when clicked upon.
  • SPL-95121 - Splunk 6.2 installer fails if msi database on the machine is partially corrupted
  • SPL-96431 - The login form does not appear when user that is not already logged in accesses the bookmarked login link.
  • 2015-5-1 - SPL-95995 - Windows Heavy forwarder crash in EventLoop::checkWaitSet when WSAEFAULT error is returned by the OS during Network read operations. (Clone: SPL-94156)
  • 2015-5-1 - SPL-97735 - During Indexing Splunk shows impossibly large number of Windows events.
  • SPL-95638 - Universal Forwarder 6.2.0 does not enable Windows event logs by default.
  • SPL-95004 - Large delays in Windows Event Logs due to low network throughput caused by ~250ms pause after tcp sends 6-7 packets.
  • SPL-96852 - WinEventLogChannel should report system error when failed to subscribe to a channel. (Clone: SPL-96831)
  • REST, Simple XML, and Advanced XML issues:
  • SPL-93954 - Iframe module does not display scrollbars when Iframe height is fixed pixels.
  • Web Framework issues:
  • SPL-96165 - Indexers crashed repeatedly in tcp channel with assertion failure assert(!_data.hasWriteData()). (Clone: SPL-95193)
  • Unsorted issues:
  • SPL-85036 - roleMap attributes are removed in $SPLUNK_HOME/etc/system/local/authentication.conf when user reloads auth (splunk reload auth) or restarts Splunk.
  • SPL-97089 - Search filter does not work properly when a user has a role with search restriction and inherits another role which also has search restrictions.
  • SPL-97644 - SummarizationDirector exceptions during search in Splunkd process causes crashes. (clone: SPL-92820)
  • SPL-94066 - Unable to save summary searches when a summary index is created in search peer. (Clone: SPL-91999)
  • SPL-95840 - Improve logging - Unclear "StringPool - SuppressionKey" warnings at search head restart. (Clone: SPL-95574)
  • SPL-96262 - splunkd.log contains unhelpful warning message "HTTPAuthManager - Nonce collision -- nonce: a5d6a32a95097797e195751accc2d428, peer: xxxx". (Clone: SPL-89162)
  • SPL-94977 - Host and servername in conf files not populated after removal using clone-prep-clear-config command.
  • SPL-97752 - Scripted input with high interval does not start on ubuntu. (Clone: SPL-84358)
  • SPL-92617 - splunkd instrument-resource-usage mis-identifies remote scheduled searches as historical searches. (Clone: SPL-91273)
  • SPL-93569 - Introspection resource_usage.log missing data.search_props fields. (Clone: SPL-97775)
  • SPL-97684 - tstats in subsearches returns no results in search head clustering environment due to incorrect datamodel summary path.

New in Splunk 6.2.2 (Feb 25, 2015)

  • The following issues have been resolved in this release:
  • Highlighted issues:
  • 2015-2-23 SPL-93096 sslVersions missing from default inputs.conf (clone: SPL-93093).
  • 2015-2-23 SPL-93355 Communication between 6.0.6 UF and 6.0.7 indexer fails with SSL (clone: SPL-93157).
  • Upgrade issues:
  • This section lists issues that customers have reported when upgrading from an earlier version of Splunk Enterprise. If you are considering an upgrade, please read "How to upgrade Splunk Enterprise" in the Installation Manual.
  • 2/23/2015 SPL-93258 On HP-UX ia64 and FreeBSD, upon upgrading universal forwarder from 6.0.2 to 6.2, Splunk CLI commands fail with "Couldn't complete HTTP request" errors.
  • 2/23/2015 SPL-91829 Migration appends extra line to some saved searches by stripping the blank line in between (clone: SPL-91600).
  • Data input issues:
  • 2015-2-23 SPL-93291 Corrupted or Multipart ZIP file causes splunkd to crash
  • 2015-2-23 SPL-92388 When symlinks present in sinkhole batch inputs, splunkd crashes (introduced by 6.1.4 fix to SPL-88387)
  • 2015-2-23 SPL-96299 Splunkd assertion failure during uploading w3c file: CsvLineBreaker::parser::gotEol() -> PipelineData::removeStartOfRaw(), n

New in Splunk 6.2.0 (Nov 10, 2014)

  • Search head clustering:
  • Search head clusters are groups of Splunk Enterprise search heads that serve as a central resource for searching. You can run or access the same searches, dashboards, knowledge objects, and so on, from any member of the cluster. This feature is designed to provide horizontal scaling, high availability, and no single point of failure.
  • For more information, see "About search head clustering" in the Distributed Search manual.
  • Indexer cluster monitoring:
  • A new dashboard provides detailed information on the status of the entire cluster, as well as information on each of the cluster master's peer nodes.
  • For more information, see "View the indexer cluster master dashboard" in the Managing Indexers and Clusters of Indexers manual.
  • Distributed management console:
  • The distributed management console provides insight into your Splunk Enterprise deployment with information on instances, indexing performance, search activity, resource usage, license usage, and more.
  • For more information, see "Configure the distributed management console" in the Admin Manual.
  • Getting data in:
  • This release features completely remodeled pages and wizard-like workflows for adding data. The new Data Preview feature makes it easier to create the right sourcetype for your data, and the new Forwarder Inputs feature allows you to push input configurations to Splunk Enterprise deployment clients.
  • For more information, see "How do you want to add data?" in the Getting Data In manual.
  • Advanced field extractor:
  • The advanced field extractor allows you to create custom fields in Splunk Enterprise. This feature allows you to select fields in events and automatically generate a regular expression that captures the fields.
  • For more information, see "Build field extractions with the Field Extractor" in the Knowledge Manager Manual.
  • App key value store:
  • The app key value store enables developers to build rich applications by providing a way to store and retrieve data for use in the operation of an app, such as state data. The app key value store provides both a REST API for full read/write operations and direct access to data via the Splunk Enterprise search pipeline.
  • For more information, see "About KV store" in the Admin Manual.
  • Event pattern detection:
  • Splunk Enterprise 6.2 can analyze your data for patterns of common events. Run a search and click on the Patterns tab to review a list of the top event patterns in the search dataset. You can see the estimated number of events associated with each pattern and run a new search that returns events matching a selected pattern. You can save patterns as event types and alerts.
  • For more information, see "Identify event patterns with the Patterns tab" in the Search Manual.
  • Instant pivot:
  • In past releases, to create tables and charts based on search results, you needed to run a search that included transforming commands like stats or timechart. With instant pivot, you can now run a non-transforming search and then open the search in Pivot. From there, you can create tables and charts that reflect the data returned by the search. When you are finished you can save your Pivot creations as reports or dashboard panels.
  • For more information, see "Open a non-transforming search in Pivot to create tables and charts" in the Search Manual.
  • Home page redesign:
  • Splunk Enterprise 6.2 introduces a redesigned home page. The new design moves Apps into a scrollable list on the left side of the page and creates space for a user-specific dashboard in the center of the page. A collapsible panel at the top of the page provides helpful links for getting started with Splunk Enterprise.
  • For more information, see "Meet Splunk Web" in the Admin Manual.
  • Prebuilt panels:
  • You can now create customized panels to share among various dashboards. This is useful to create a personalized dashboard for a group of users. It is also useful to make a commonly used search and visualization readily available to other dashboards.
  • You can share a prebuilt panel from the same app, a different app, or from a different user.
  • For more information, in the Dashboards and Visualizations manual see:
  • Dashboard panel:
  • Create and add a panel by reference
  • Post-process searches:
  • If your dashboard contains panels that run similar searches, you can save search resources by creating a base search for the dashboard. Panels in the dashboard can use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard.
  • For more information, see "Post-process searches" in the Dashboards and Visualizations manual.
  • New search commands:
  • This release includes the new search command, findkeywords. You can use this command after the cluster command, or a similar command that groups events.
  • New REST APIs
  • This release includes the following updates to the REST API.
  • New APIs:
  • cluster/master/control/control/remove_peers
  • licenser/localslave
  • server/control/restart_webui
  • server/introspection/indexer
  • server/introspection/kvstore
  • server/introspection/kvstore/collectionstats
  • server/introspection/kvstore/replicasetstats
  • server/introspection/kvstore/serverstatus
  • shcluster/captain/artifacts
  • shcluster/captain/artifacts/{name}
  • shcluster/captain/info
  • shcluster/captain/jobs
  • shcluster/captain/jobs/{name}
  • shcluster/captain/members
  • shcluster/captain/members/{name}
  • shcluster/config
  • shcluster/member/artifacts
  • shcluster/member/artifacts/{name}
  • shcluster/member/consensus
  • shcluster/member/info
  • The REST API Reference Manual describes the endpoints.
  • New documentation:
  • Splunk Enterprise 6.2 introduces a new manual:
  • The Capacity Planning Manual provides high-level guidance on how to plan resource capacity for a Splunk Enterprise deployment and helps you decide when to add resources and distribute Splunk Enterprise services to maintain performance.

New in Splunk 6.1.4 (Oct 2, 2014)

  • Resolved security issues:
  • OpenSSL TLS protocol downgrade attack (SPL-88585)
  • Persistent cross-site scripting (XSS) via Dashboard (SPL-89216)
  • Persistent cross-site scripting (XSS) via Event Parsing (SPL-85579)
  • Highlighted Issues:
  • Scheduled real-time searches (per-result or rolling window) may stop triggering alerts for matching events when two consecutive matching events are more than 1 hour apart. (SPL-84357)
  • After upgrading to 6.1.x, a real time search filtering optimization is not occurring. (SPL-90587)
  • Splunk Enterprise installs on Windows may encounter the following error while attempting to pick a time frame via the GUI: "Earliest time cannot be greater than latest time" even though the times are correct. (SPL-90600)
  • After upgrade to 6.1 Splunk Enterprise crashes while reading my disk_objects.log file on Windows platforms. It is triggered by the use of JSON-based indexed field extractions during the acquisition of two native files:
  • %SPLUNK_HOME%\var\log\introspection\resource_usage.log
  • %SPLUNK_HOME%\var\log\introspection\disk_objects.log
  • (SPL-83975)
  • Upgrade issues:
  • On Solaris, search processes crash after upgrade from 6.0.x to 6.1.x. (SPL-85666)
  • Search issues:
  • Cluster search command does not return cluster_count by default. (SPL-86134)
  • Reporting Issues:
  • Report acceleration is not used when a dashboard uses a post-process search. (SPL-88017)
  • HTML dashboards created without a panel give a warning message "This dashboard has no panels." (SPL-88439)
  • Indexer issues:
  • Audit.log does not log when an index is enabled or disabled. (SPL-85085)
  • Distributed deployment, forwarder, and deployment server issues:
  • Platform Instrumentation is enabled by default on universal forwarders (resulting in introspection data being forwarded by default) and also cannot be disabled through app.conf alone on any other instance type. (SPL-83778)
  • Startup script should handle stale PID files gracefully after server crashes. (SPL-36597)
  • Running "splunk reload deploy-server" crashes splunkd. (SPL-84299)
  • The file_tracking_db_threshold_mb parameter in limits.conf cannot be updated using a deployment server, because the file is written to system/local/limits.conf instead of system/default/limits.conf. (SPL-86026) (SPL-86554)
  • Integrated PDF generation and PDF Report Server issues:
  • Generating PDFs of table reports that include a large number of events is slow. (SPL-86958)
  • When scheduling a Dashboard for delivery in PDF format, choosing Landscape layout does not override the default setting. (SPL-89961)
  • PDF generation fails when a search contains %. (SPL-87652)
  • Splunk Web issues:
  • In bar charts with values of 0.1 or less the bar display does not scale automatically. (SPL-85665)
  • Y-axis labels in a bar chart collide with each other when there are more labels than the chart height can accommodate. (SPL-86360)
  • Input issues:
  • With INDEXED_EXTRACTIONS, tailing might ignore the file. (SPL-88387)
  • Unsorted issues:
  • Platform Instrumentation is enabled by default on universal forwarders (resulting in introspection data being forwarded by default) and also cannot be disabled through app.conf alone on any other instance type. (SPL-83778)
  • BucketMover gives error when attempting to freeze. Buckets will attempt to freeze and then show an error "ERROR - BucketMover - sizeBytes=******* candidateBytes=******". (SPL-86189)
  • External/dynamic lookups working path is hardcoded to $SPLUNK_HOME/bin directory. (SPL-87195)
  • Universal forwarder sends many RST packets to indexer when enabling SSL. (SPL-83133)

New in Splunk 6.1.3 (Aug 5, 2014)

  • The following issues have been resolved in this release:
  • Highlighted issues:
  • After upgrade to 6.1, Splunk crashes while reading my disk_objects.log file on Windows platforms. (SPL-83975)
  • Upgrade issues:
  • Permission issue for $SPLUNK_HOME. (SPL-84372)
  • After upgrading to 6.1, all saved reports / alerts fail to send email. (SPL-83956)
  • Search issues:
  • splunkd.exe Memory leak in monitoring. (SPL-84715)
  • Search heads request truncated replicated bundle listing from indexers, causing problems if a bundle >30 entries in the past is needed. (SPL-86760)
  • Splunk autoKV experiences difficulties handling user data with leading/trailing whitespace in fields. (SPL-79644) (SPL-85791)
  • Private objects do not have delete option in Splunk Web. (SPL-85630)
  • Failure to open search head pool configuration file during copyAppUpdatesToSharedStorage results in nonsense exception / migration&install failure. (SPL-84880) (SPL-82521)
  • In datapreview, JSON Index Time Field Extraction produces no events when TRUNCATE is set to 0. (SPL-83690)
  • Error when user tries to clone from Settings > User interface > Views in the HTML dashboard. (SPL-81822)
  • Crash in JSON parsing thread when using JSON data preview. (SPL-83679)
  • splunkd crashes intermittently in Bundle replication worker thread. (SPL-83952)
  • The "rest" search operator doesn't return any results when scoped to a fired alert endpoint. (SPL-83405)
  • Error "The process cannot access the file because it is being used by another process" in splunkd.log in reference to dispatch search.log. Error does not affect search. (SPL-82288)(SPL-84457)
  • splunk-optimize.exe crashes in "tsidx_optimize_n+0x492 [c:\splunk\build-src\current\src\searchthing\tsidx.c @ 2855]". (SPL-84446)
  • Local-File-Inclusion with Path Traversal Vulnerability. (SPL-84469)
  • If saved search contains the transpose command, an alert is triggered even when search returns 0 event. (SPL-82864)
  • The search drilldown changes search condition may not work with inline calculated fields. (SPL-86150)
  • Intermittent 'File not found' browser error when trying to export very large result set (e.g. 700K) to .csv file. (SPL-86096)
  • relative_times eval function does not return expected results. (SPL-86806)
  • Alerting issues:
  • Cannot delete triggered alerts from triggered alert page. (SPL-84239)
  • Data Model and Pivot Issues
  • Data Model acceleration data creation occurs less promptly than desired. (SPL-84730)
  • Indexers/search-head/cluster-masters with a large number of indexes : a large number of SummaryDirector searches are triggered and the instances are becoming unresponsive. Workaround [[1]]. (SPL-76956)
  • Index replication issues
  • Hot buckets with small event counts may fail to be replicated to other peers in the cluster (SPL-84734)
  • Manually modifying indexes.conf to add a new index stanza and running splunk apply cluster-bundle can cause peer(s) to unexpectedly restart rather than reload (SPL-82152)
  • Clustering issues
  • Peer holds on to mutex when downloading a large bundle causing heartbeat timeout. (SPL-84903)
  • Peer fails on move bundle to peer apps error: failed to rename (Invalid cross-device link). (SPL-85025)
  • AckQ causes permanent data stall when a single pData is larger than entire AckQ size. (SPL-82109)(SPL-84882)
  • If peers don't return bundle status due to download/network issues, but re-add themselves, the master is stuck infinitely on a bundle push.
  • Manually modifying indexes.conf to add a new index stanza and running splunk apply cluster-bundle can cause peer(s) to unexpectedly restart rather than reload (SPL-82152)(SPL-84888)
  • Distributed peer manager search peer tracking does not drop old license hash info when receiving new information from search peers (such as when they change license masters or local license keys). (SPL-81246)
  • Unable to grab diag after cleaning index. (SPL-85788)
  • Cluster Peer missing pass4SymmKey has no error/warn after adding a session key in CM. (SPL-82685)
  • Deployment server issues:
  • Splunk Enterprise deployment clients on Windows incorrectly capitalize host names. They also truncate host names that are longer than 15 characters. (SPL-82528)(84879)
  • "splunk reload deploy-server" causes deployment server to recompute bundles of unmodified apps, resulting in *all* deployment clients re-downloading *all* apps. (SPL-86804)
  • Integrated PDF generation and PDF Report Server issues:
  • Schedule PDF delivery for email of a dashboard that includes post processing runs as a separate search process and provides 0 results (SPL-82301)
  • Forwarding issues:
  • New crash "Crashing thread: structuredparsing" may occur on UF. (SPL-86141)
  • Splunk Web issues:
  • js/views/shared/eventsviewer/shared/workflowActions.js does not work with some attributes. (SPL-85525)
  • A report created and scheduled by admin cannot be embedded by a power user. (SPL-82650)(SPL-81526)
  • Socket error from 127.0.0.1 while accessing /services/auth/login: Winsock error 10053 causes Splunk Web to be unavailable. (SPL-85334)
  • eventstats makes search unordered and then Python ResultSet class times out. (SPL-85335)
  • Power user can delete read-only reports. (SPL-85185)(SPL-84189)
  • When auto-pause time becomes 0, search does not pause. (SPL-84197)
  • Input issues:
  • splunktcp:// input does not inherit default setting "connection_host = ip" from [splunktcpin] stanza, leads to intermittent forwarder connection timeouts. (SPL-85899)
  • Windows issues
  • ADmon: Timestamp fields (pwdLastSet, badPasswordTime, lastlogonTimestamp, etc.) are not retrieved accurately from the AD record. (SPL-84878)
  • Error message in windows event viewer's Application log after installing splunk. (SPL-83455)
  • On Windows 2003 Server 32bit, upgrade from 6.0.1 universal forwarder to 6.0.4 universal forwarder, events are not sent to indexer after migration. (SPL-84121)
  • WinEventMon::processLogChannel: Failed to checkpoint for channel='security'. (SPL-84181)
  • Licensing issues
  • License Manager peers lack configurable heartbeat period. (SPL-81863)
  • License Manager appears to be hitting a scalability ceiling. (SPL-84876)
  • With universal forwarder on Windows, excessive RAM usage when processing events with useAck = true. (SPL-86897)
  • Unsorted issues
  • TCP output stalls inside unnecessary condition variable. (SPL-80196)
  • splunk reload deploy-server -class is not supported in 6.0 but works in 5.0.x. (SPL-85118)
  • Multi-line JSON does not render properly. (SPL-85528)
  • Simple XML: Dashboard fails when popSearch for dropdown returns no results. (SPL-85314)
  • conf-mutator.pid lacks cleanup strategy for crashes with PID-collision. (SPL-85226)
  • For RPM, deb, and solaris pkg installation, when using non-passwd file based users, Splunk installer doesn't set the owner of the folder for the Splunk user. (SPL-85193)
  • PendingDiscard state does not reset the Searchable state at CMBucket level (SPL-85055)
  • ERROR DispatchThread - Error reading runtime settings: File does not exist. (SPL-86829)
  • Misleading error message applying cluster-bundle while login failed. (SPL-86812)
  • When SSL is Disabled: Deployment Clients 5.0.X or upgraded to 6.0.1 are unable to establish communication with DS - appears to still be attempting SSL Communication. (SPL-83098)
  • cron validator in the wizard fails to recognize valid cron. (SPL-85234)
  • In server.conf, setting maxThreads or maxSockets in the httpServer stanza to a value of -1 results in an effective value of 0, contrary to what server.conf.spec says (SPL-82389).
  • Splunkd generates warning msgs incorrectly during shutdown. (SPL-84610)

New in Splunk 6.1.2 (Jul 2, 2014)

  • The following issues have been resolved in this release:
  • Upgrade openssl to 1.0.1h. (SPL-85063)
  • Real-time alerts fail to trigger if matched events are further apart in time than defined session timeout. (SPL-84357)

New in Splunk 6.1.1 (Jul 2, 2014)

  • Resolved Upgrade Issues:
  • Users receive Mako failed to render: KeyError errors in webservice.log when they access management pages after upgrading. (SPL-83852, SPL-83834)
  • After upgrade to 6.1, searches fail to start. For interactive searches, the event viewer shows "no results found" and a search warning under the Jobs icon, which upon closer inspection states "Failed to start search on peer." (SPL-83868)

New in Splunk 6.1.0 (May 6, 2014)

  • Dashboard Editor enhancements:
  • Splunk Enterprise 6.1 introduces interactive creation and editing of forms in the Dashboard Editor. This lets you select which inputs to add to a form, and to optionally place the inputs within specific form panels.
  • Contextual drilldown:
  • Splunk Enterprise 6.1 improves dynamic drilldown in dashboards and forms so that you can now drill down into your data without leaving the page.
  • Chart overlay:
  • Use chart overlays to represent two different series on a single chart. You can highlight one series of search results as a line graph on top of a column chart, area chart, or another line chart. For more information, see:
  • Data model enhancements:
  • Create and share data models more easily in Splunk Enterprise 6.1.
  • Data model upload and download allows you to use the Splunk Web interface to export data models out of Splunk Enterprise and upload exported data models into other Splunk Enterprise implementations. Use this feature to back up data models or to collaborate on data models with other Splunk Enterprise users. For more information, see Manage data models in the Knowledge Manager Manual.
  • Splunk Enterprise 6.1 includes several improvements to the way that the Data Model Builder handles creation and maintenance of attributes. These enhancements include:
  • Bulk edit - You can now select multiple attributes and change their type and status (hidden/shown, optional/required) with a single click.
  • Manual auto-extracted attribute addition - Know a field will be in your data but don't see it in the set of available auto-extracted attributes? You can now add it yourself.
  • Improved lookup attribute definition - You'll now be able to select your lookup attributes from a list of every eligible output field in your chosen lookup table. You can also define a lookup that is based on multiple input fields.
  • Improved regular expression attribute definition - When defining regular expression attributes, you can now get much more insight into how the fields extracted by a given regular expression are distributed in your object's dataset. You can also drill down to see events in the object dataset that have a specific extracted field value.
  • Pan and zoom chart controls:
  • Intuitively explore large amounts of data in your visualizations.
  • Multisite clustering:
  • In Splunk Enterprise 6.1, clusters have built-in site-awareness, meaning that you can explicitly configure a cluster on a site-by-site basis. This simplifies and extends the ability to implement a cluster that spans multiple physical sites, such as data centers, thus enhancing the disaster recovery capabilities of the cluster.
  • Search affinity:
  • One of the key benefits of multisite clustering is that it gives you the ability to set up a cluster so that search heads limit their searches to data stored on their local sites. This reduces network traffic while still providing access to the entire set of data, since each site contains all the data. This benefit is known as "search affinity."
  • Data preview with structured inputs:
  • With Splunk Enterprise 6.1, you can view and interact with fields found in a file header or within the body of your structured data source.
  • zLinux forwarder:
  • Splunk Enterprise 6.1 includes support for the universal forwarder on the zLinux operating system.
  • Low privilege Windows Universal Forwarder:
  • Run the Splunk Universal forwarder on Windows platforms as a domain user without having to grant local administrator privileges.
  • Custom email alerts:
  • This release provides you with the ability to customize both the content and format of the emails that Splunk Enterprise alerts deliver.
  • Embedded reports:
  • Publish Splunk charts in any HTML-based dashboard or external web page with simplified sharing controls.
  • Platform instrumentation framework:
  • The Splunk Enterprise platform instrumentation framework generates data about your Splunk instance and environment and writes that data to log files to aid in troubleshooting problems with your Splunk Enterprise deployment.
  • Web Framework SplunkJS Stack:
  • You can use the Web Framework SplunkJS Stack to integrate Splunk into your own applications, allowing you to develop SplunkJS Stack applications outside of Splunk Web.
  • New search commands:
  • This release includes the following updates to existing search commands.
  • The iplocation command has one new option, lang.
  • The sendemail command has many new options for configuring email notifications. These options include: message, sendcsv, use_ssl, use_tls, pdfview, papersize, paperorientation, maxinputs, and maxtime. Some existing options, including format and width_sort_columns, have also changed.
  • The tstats command has two new options, allows_old_summaries and chunk_size, and now works with the full set of stats functions.
  • New APIs:
  • cluster/master/indexes
  • cluster/master/indexes/{name}
  • cluster/master/sites
  • cluster/master/sites/{name}
  • data/index-volumes
  • data/index-volumes/{name}
  • data/indexes-extended
  • data/indexes-extended/{name}
  • server/roles
  • server/status
  • server/status/dispatch-artifacts
  • server/status/fishbucket
  • server/status/limits/search-concurrency
  • server/status/partitions-space
  • server/status/resource-usage
  • server/status/resource-usage/hostwide
  • server/status/resource-usage/splunk-processes
  • Updated API parameter descriptions:
  • cluster/master/buckets
  • cluster/master/buckets/{name}
  • cluster/master/peers
  • cluster/master/peers/{name}
  • search/jobs (SPL-82458)

New in Splunk 6.0.3 (Apr 12, 2014)

  • Resolved security issues:
  • CVE-2014-0160 – OpenSSL 1.0.1 TLS Heartbeat leaks sensitive information (also known as the "Heartbleed" vulnerability) (SPL-82696)
  • CVE-2013-4353 - Invalid TLS handshake could crash OpenSSL with a NULL pointer exception (SPL-78823)

New in Splunk 6.0.2 (Feb 25, 2014)

  • Highlighted issues:
  • Under certain conditions, installing or upgrading the Splunk universal forwarder on a Windows system can result in that system collecting unwanted data unexpectedly. This issue has been resolved as of 10/8/2013 and an updated universal forwarder installer for Windows has been posted. You can also work around this issue by following the instructions in "Workaround for Windows universal forwarder enabling inputs unexpectedly on installation or upgrade." (SPL-74872, SPL-74908)
  • Setting the value of frozenTimePeriodInSecs = 4294967295 in indexes.conf is interpreted as frozenTimePeriodInSecs = -1 on Windows only. Setting this value will delete all buckets. (SPL-80218)
  • Data input issues:
  • Splunk shows a Possible typo in stanza... syntax error at startup when you specify an input in the format [splunktcp:9997] and specify compressed = true. This will create a functioning input, but you'll see the error at startup time. To work around this issue, specify the input in the format [splunktcp://9997] instead. (SPL-73654)
  • Hostnames with underscores are not accepted in outputs.conf and deploymentclient.conf (SPL-76795)
  • Splunk can re-read files for IIS, and possibly other files written in a similar manner using headers, resulting in duplicate events. (SPL-77048)
  • Pressing "Enter" after creating a new sourcetype for an input causes Splunk Web to exit the workflow instead of proceeding to the next step in the workflow. (SPL-77006)
  • Charting, reporting, and visualization issues:
  • Timestamps overlap on X axis when resizing the window. (SPL-68007)
  • In the Visualizations editor, pressing the Enter key to save text input values does not work. (SPL-77199)
  • Warning message "Search query is not fully resolved" occurs in the Dashboard when there is no actual error. (SPL-75612)
  • Index replication issues:
  • If the homepath or coldpath settings for an index in indexes.conf use an environment variable that's invalid on one or more peers, this causes splunk apply cluster-bundle to fail with validation errors. Attempting to rectify this by correcting the environment variables on the peers and restarting the peers can create a situation where the peers are still using the old bundle even though it appears to the master that the bundle has now been pushed successfully. (SPL-73839)
  • If a peer is not up while pushing a bundle, all peers restart. (SPL-75632)
  • Clustering:
  • A manual refresh of the clustering search head manager page is required to show current status after adding or removing a cluster. (SPL-74022)
  • Apply cluster-bundle fails and indexer restarts with no configuration. (SPL-75725)
  • splunk edit master CLI command does not allow the user to specify a new master. (SPL-73732)
  • Data Model and Pivot Issues:
  • Extracted field names containing spaces cause search operations to fail when included in a data model. (SPL-73534)
  • Drill down results may not work properly for chart reports saved in Pivot when _time is used. (SPL-74695)
  • Limits in filters on the Pivot interface have several known issues including no results when you open in search. (SPL-58121)
  • No way to disable temporary acceleration of non-accelerated data models. (SPL-77928)
  • Data Summary table header does not display. (SPL-77034)
  • Setting the limit filter for an object count sometimes does not return correct counts. (SPL-58121)
  • Search, saved search, alerting, scheduling, and job management issues:
  • Intentionsparser drilldown doesn't work for any generating command other than search. (SPL-73358)
  • Drilldown on metadata searches doesn't work and you end up with a broken view. (SPL-74247)
  • A search returning lots of large events with multikv applied can crash the indexer's splunkd process. (SPL-74818)
  • Distributed search head not able to retrieve the index values from indexer in Access Control (SPL-74975)
  • Cannot go back to first page after deleting Alerts in Alert Manager. (SPL-79189)
  • Search heads with many users, apps, and metadata files create high memory usage. (SPL-79211)
  • When adding data to a summary index using the collect command with commands that create key-value pairs (i.e., top, table, stats), Splunk adds an extra escape to special characters: (\) and ("). Splunk does not undo these escapes when a search is run on the summary index, causing a search failure. (SPL-77622)
  • Problems navigating screens and drilling down in tables using the keyboard. (SPL-77478, SPL-76638, 76637, SPL-76625, SPL-76622, SPL-76621, SPL-76611, SPL-76605, SPL-76570, SPL-76554)
  • When a search string starts with an open parenthesis "(", the search defaults to all time. (SPL-77027)
  • Search Job inspector does not provide enough useful information for transaction searches. (SPL-76775)
  • Some Typeahead searches cause indexer to crash. (SPL-76547)
  • Having a very large number of learned sourcetypes can cause forwarder and indexers to use too much memory. (SPL-76448)
  • When adding a view, Splunk does not recognize the XML if you provide it before you provide the View Name. (SPL-76131)
  • remote_searches.log is not sourcetyped. (SPL-76015)
  • In the Search and Report pages, searches using |history do not allow the user to drill down the results properly. (74449)
  • Distributed deployment, forwarder, and deployment server issues:
  • Under certain conditions, installing or upgrading the Splunk universal forwarder on a Windows system can result in that system collecting unwanted data unexpectedly. This issue has been resolved as of 10/8/2013 and an updated universal forwarder installer for Windows has been posted. You can also work around this issue by following the instructions in "Workaround for Windows universal forwarder enabling inputs unexpectedly on installation or upgrade." (SPL-74872, SPL-74907, SPL-74908)
  • Distributed searches fail when they invoke a lookup file that is over 10MB in size. (SPL-74438)
  • The reworked implementation of the deployment server can result in increased maximum deployment times at high client counts (>5k), but with the benefit of lower system resource usage. (SPL-72608)
  • When in streaming mode, events from different clusters are grouped incorrectly due to cluster information being incorrectly reset for each chunk of events. (SPL-78085)
  • In the Forwarder management interface, if the user reassigns clients to different groups, these settings go live immediately and Splunk does not confirm before triggering reboots of clients. (SPL-74378)
  • PDF:
  • Scheduled PDF generation does not properly render the alert_actions.conf settings reportPaperSize and reportPaperOrientation. (SPL-73584)
  • Integrated PDF generation does not render non-transforming reports correctly. (SPL-77339)
  • Hunk:
  • When attempting to use data model on a virtual index, selecting anything other than "All time" returns zero results. (SPL-76851)
  • Unsorted Issues:
  • When passwords are updated in inputs.conf, any hashed version in system/local doesn't get refreshed and the password doesn't work. (SPL-78412)
  • On Linux 6.2+ Splunk should check during install/start time if 'Transparent Huge Pages' is turned ON as it causes indexing degradation and high CPU. Recommendation is to turn THP off. (SPL-76283)
  • Splunk diag etc-filesize-limit file size filter does not work properly. (SPL-76785)

New in Splunk 6.0.1 (Dec 18, 2013)

  • Resolved security issues:
  • The following security issue has been resolved in version 6.0.1:
  • Malformed network input crashes Splunk Enterprise (SPL-75668)
  • For more information, refer to this posting on the Splunk Security Portal.
  • Upgrade advisory:
  • A code change made to resolve an issue in this release unfortunately requires that all data model summaries be rebuilt upon upgrade. Splunk instances that make use of accelerated data model searches will experience this when upgrading from version 6.0 to version 6.0.1 or later.
  • Resolved highlighted issues:
  • Monitoring of certain log formats that worked with Splunk 4 and 5 can fail. In particular, Cisco csv formats (including 'cdr' and 'cmr'), Microsoft Exchange logs, and Microsoft DHCP server logs are affected. Other logs types with nearly identical headers may also fail. Symptoms include splunk.log error messages about seekptr not matching or the file length being too short, as well as mentions of initCRC being the same for multiple files. As a short term workaround, monitor these files with a 5.x forwarder. An alternate strategy is to use a large initCrcLen value for these source types, although this may force some amount of reindexing. (SPL-75066)
  • Searching indexes where homePath or coldPath are specified with a trailing slash character (/ or \ depending upon platform) will fail, returning no results for warm and cold buckets in these locations. A search.log for these searches will show a message similar to "WARN DatabaseDirectoryManager::Bucket - idx=your_index id=your_bucket_id Bucket directory disappeared mid-query. Abandoning results". To work around this problem, remove the trailing slash from homePath or coldPath for your index configurations. (SPL-76516)
  • Resolved data input issues:
  • Setting sourcetype=IIS for data that is not both W3C-formatted AND utf-8-encoded results in significant memory growth on the indexer. (SPL-74967)
  • A toggle has been added that allows the disabling of the AccessCheck() call used by Splunk input processing to validate readability of files. (AccessCheck() is not reliable in network filesystem scenarios.) To disable AccessCheck(), set TAILING_SKIP_READ_CHECK=1 in $SPLUNK_HOME/etc/splunk-launch.conf. (SPL-74889)
  • Resolved charting, reporting, and visualization issues:
  • The drilldown option for table doesn't work with values of "off" or "all", and the charting.legend.labelStyle.overflowMode for chart doesn't work with a value of "default". (SPL-73831)
  • Cell drilldowns for report tables with split columns display event counts from the row drilldown results. (SPL-74681)
  • Error message appears when navigating back from Drilldown results to Report page with timechart used in search. (SPL-74688)
  • Sparkline doesn't work for max() function. (SPL-74995)
  • Resolved index replication issues:
  • When Splunk freezes a summary (either via summary size retention, or via bucket freezing), its 12KB inflight- directory remains on the file system. To work around this issue, delete the inflight directories by hand. (SPL-74644)
  • Cluster migration python scripts are now included in the package. For more information about migrating indexer clusters, refer to "Upgrade a cluster" in the Managing Indexers and Clusters Manual. (SPL-75616)
  • Replicated bucket (rb_) only contains journal.gz and optimize.result files | Errors: (CMRepJob - Failed to sync search files for bid=) and (Fsck - Repair (entire bucket)...failed: non-EXDEV error renaming tmpDir to stageDir). (SPL-76563)
  • "Config validation failure" at Peers when an index db defined in a peer's app in "etc/apps", and "repFactor=auto" is applied to it. (SPL-74578)
  • Resolved data model and Pivot issues:
  • Splunk Web erroneously allows acceleration of data models with only search-based objects. (SPL-74286, SPL-75410)
  • After sharing a report with All/All Apps and then editing the report in the Pivot editor, an In handler 'savedsearch': Error in 'PivotProcessor': In handler 'datamodelreport' error is generated and the report is not saved. (SPL-74393)
  • Report drilldown not working if search contains tstats with capital letter in data model. (SPL-76571)
  • Pivoting on an object with spaces in eval Field Name shows error "In handler 'datamodelreport': Pivot Error in buildSearchWithModel: error building non-tstats searchString" (SPL-74789)
  • Resolved search, saved search, alerting, scheduling, and job management issues:
  • In rare cases, running continuous real-time CLI searches can cause the splunkd process to hang, and block logins. (SPL-74822)
  • Realtime searches with historical indexed-based backfill (typically time-windowed realtime searches run from Splunk Web) may have some duplication. This happens when the realtime updates and historical backfill searches both return the same data. If this is a significant issue, possible workarounds include temporarily disabling the 6.0x-specific indexed-realtime feature; avoiding realtime search; or disabling backfill. (SPL-74656)
  • Backgrounding a search job does not make the job globally readable, so emails to users without privileges to read a search see a "Job not found" message when clicking on the link. (SPL-75070)
  • The eval command fails to create field names containing an umlaut. (SPL-75055)
  • Resolved Splunk Web and Home interface issues:
  • Splunk Web does not show Show all X lines if linecount field is not present. (SPL-74637)
  • Other than the default available translated/localized language, the search will not return results or show loading. (SPL-75244)
  • Workflow actions are not restricted to the specified event type and fields, and are shown for all results. (SPL-69481)
  • The Roles manager page is not able to display the list of selected indexes if the list in authorize.conf contains spaces. (SPL-74258)
  • New button missing in the Settings > User interface > Navigation management page. (SPL-75199)
  • Clicking the in timerange picker scrolls to the top of the page and adds a # to the URL. (SPL-74410)
  • Resolved distributed deployment, forwarder, and deployment server issues:
  • Search head pooling: unnecessary "duplicate" replications cause spurious untar failures on search peers. (SPL-74416)
  • Bundle Replication: nonsense modtimes on bundle files cause premature reaping and errors in distributed search. (SPL-74894)
  • Unable to define multiple receiving indexer with CLI silent install of universal forwarder. (SPL-74176)
  • Resolved Windows-specific issues:
  • In environments with malware and end-point scanning activities occurring, some network events can cause Splunk to generate TcpChannel - Error trying to begin socket accept: An invalid argument was supplied. messages in splunkd.log. (SPL-74902, SPL-76208)
  • Windows Server 2003 R2 incorrectly reports that the splunkd.exe binary in the Splunk version 6.0.0.2 MSI package is an invalid application and forces the MSI to roll back the installation and exit with 'Error Code 1'. (SPL-77131)
  • Crashing thread: TcpChannelThread -or- HTTPDispatch due to non-thread-safe setlocale usage on Windows platform (SPL-75537, SPL-75557)
  • If you install the Splunk Add-on for Windows into a Splunk 6.0 instance and subsequently restart from the CLI, you might receive Possible typo in stanza syntax warnings. While these warnings can be safely ignored, if you want to get rid of them, edit %SPLUNK_HOME%\etc\apps\splunk_TA_windows\default\inputs.conf and remove the [WinEventLog://] stanzas. This issue was resolved in the 4.6.5 version of the Windows TA. (MSAPP-1275)
  • Setting sourcetype=IIS for data that is not both W3C-formatted AND utf-8-encoded results in significant memory growth on the indexer. (SPL-74967)
  • [IE9] - In compatibility view, the events viewer's "time" column is not properly resized. (SPL-74936)
  • Resolved REST, Simple XML, and Advanced XML issues:
  • eval $foo$ tokens don't work in Simple XML, searches fail with error Search query is not fully resolved. (SPL-74498)
  • Invalid XML prevents dashboard listing page from showing all dashboards. (SPL-74529)
  • AppLogo does not always get displayed in Simple XML dashboards. (SPL-74368)
  • If you create a workflow-action and leave the 'Apply only to the following event types' field blank you will not get the workflow-action in the dropdown as expected. (SPL-74757)
  • REST HTTP server threads and sockets limits are based on soft file descriptor ulimit even when the hard limit is higher. (SPL-74989)
  • Splunk.Module.ViewRedirectorLink or Splunk.Module.ViewRedirector popup parameter do not open a new window. (SPL-74516)
  • Resolved Web Framework issues:
  • Using Django on Splunk Free doesn't work and displays an infinite redirect loop. To work around this issue, use the trial version of Splunk Enterprise. (DVPL-3006, SPL-75072)
  • Using Django from a locale other than en-us will most likely result in errors. For a code workaround, contact [email protected]. (DVPL-3033)
  • On non-universal forwarder Splunk installs, the diag command will not work when passed any arguments or flags. (SPL-75535)
  • Web Framework redirect does not respect URLs with root_endpoint. (SPL-75587)
  • Resolved Hunk issues:
  • When running a search against a Hunk search head that is also configured to search Splunk indexers, reporting searches that are run in "verbose mode" show errors in later pages of results. (SPL-75588)
  • When a search is run that specifies a virtual index in a subsearch, it fails with "Permission denied:License does not allow execution of searches for virtual_index" error, even though Hunk License is already installed. (SPL-74861)
  • Searches against high cardinality data can yield incorrect results. (SPL-75105)
  • Resolved unsorted issues:
  • A dashboard table with a "fields" element does not render in PDF. (SPL-74876)
  • Upgrading causes crash in "Crashing Thread: archivereader". (SPL-74873)
  • diag on FreeBSD runs isainfo which is not usually available. (SPL-63092)
  • A command-line option and matching key have been added to server.conf to exclude/include content from diags with component-based labels. The new flags for diag are --collect, --enable, --disable. (SPL-53648)
  • Launcher mangles diag command line when any flags are used on non-universal forwarder. (SPL-75535)
  • Following the instructions in http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/TranslateSplunk to create a new translate language causes no results to be returned when running a search. (SPL-75244)
  • Setting srchDiskQuota in default stanza does not take effect when creating roles from Splunk Web. (SPL-75058)
  • For Japanese and Chinese language, when you hit an enter key to select a word from the suggestions dropdown, the report is immediately saved. (SPL-74996)
  • sendemail command does not support sendpdf=true. (SPL-74968)

New in Splunk 6.0 (Oct 3, 2013)

  • New Home screen:
  • Splunk Home is your portal to the apps and data accessible from your Splunk Enterprise instance. The new home screen includes a search bar and panels that provide an overview of and navigation for your apps and data.
  • Enhanced search experience:
  • This release provides a new interface that brings search and reporting together. We've built in new ways to interact with your data and fields. In addition, we've added the ability to edit reports in the search page, making it easier than ever to create and edit.
  • The search page redesign brings together a collection of UI changes to improve the usability of the search interface and enable simpler report authoring and editing.
  • Data model:
  • Data models drive Splunk Enterprise's Pivot tool. They enable users of Pivot to realize compelling reports and dashboards without first going through the sometimes complex step of designing the searches that generate them. Data models can have other uses as well, especially for application developers.
  • You can also use the Splunk Enterprise High Performance Analytics Store to accelerate your data models. With an accelerated data model, your pivots, reports, and dashboard panels that use that data model will return results faster, greatly improving the speed of analytical operations over large data sets.
  • Pivot:
  • The new Pivot tool is a drag-and-drop interface that enables non-technical and technical users alike to build complex reports without using the search language. Using Pivot, you can quickly build queries and display results through an easy-to-use interface.
  • Native maps:
  • You can now display geographic data and summaries on maps directly within Splunk Enterprise without relying on another app.
  • Predictive analytics:
  • Using historical data as the baseline, you can use predictive analytics to forecast the future needs of key system resources.
  • Predictive analytics can be used in a number of ways.
  • Forwarder management:
  • The forwarder management feature is a Splunk Web interface that provides an easy, visual way to configure the deployment server and monitor the status of deployment updates. Although its primary purpose is to deploy apps and configurations to large groups of forwarders, you can use forwarder management to configure the deployment server for any update purposes, including deploying apps to non-clustered indexers and search heads. For most purposes, the capabilities of forwarder management and the deployment server are identical.
  • Simplified cluster management:
  • The main focus of this feature set is to make it easier to configure and operate large-scale clusters. Key improvements include:
  • Enhanced cluster monitoring UI: Monitor the health of a cluster through a centralized dashboard.
  • Auto rebalancing of peers: Distribute loads evenly among cluster peers.
  • Faster recovery: Recover from peer failures quickly by copying index files instead of regenerating them.
  • App management: Manage and distribute fully functional apps to peers through the cluster master UI.
  • Simple XML enhancements:
  • The dashboard creation process has been enhanced to enable more powerful views without requiring the use of advanced XML, including improved support for form inputs, token substitution, and more.
  • Integrated web framework:
  • For custom dashboard creation, this release offers a much more web-developer-friendly method to customize apps and dashboards. We now enable developers to convert dashboards directly to HTML and JavaScript, where they can more easily modify the layout and style, integrate custom JavaScript and more. As part of this feature, we have packaged many of the core dashboard objects and controls into a JavaScript component library that enables developers to use them more readily as they build these custom views. This library is also shared with our new web framework, giving developers full portability to build apps external to Splunk Enterprise, and incorporate many of the elements and controls familiar to Splunk Enterprise customers.
  • License Usage Report View:
  • The new License Usage Report View provides a fast and easy approach to determine the consumption of your Splunk Enterprise license. Directly from the Splunk Licensing page, get immediate insight into your daily Splunk Enterprise indexing volume as well as any license warnings. In addition, get a comprehensive view into the last 30 days of your Splunk license usage with multiple reporting options.
  • New search commands:
  • This release includes the following new search commands:
  • cofilter returns a count of events that contain the two specified fields.
  • datamodel returns JSON for all or a specified data model and its objects.
  • foreach runs a templated streaming subsearch for each specified field.
  • geostats returns geographical data in summaries that can be rendered on a world map.
  • iplocation extracts location information from IP addresses using 3rd-party databases.
  • pivot enables you to run pivot searches against a particular data model object.
  • tstats performs statistical queries on indexed fields in tsidx files, which could come from normal index data, tscollect data, or accelerated datamodels.
  • Documentation improvements:
  • The Splunk Enterprise 6.0 release includes two tutorials and several new manuals.
  • The Search Tutorial guides you through adding data, searching your data, saving reports and creating simple dashboards.
  • The Data Model and Pivot Tutorial guides you through adding data, building simple data models, and creating new Pivots.
  • The new manuals include:
  • Pivot Manual: describes how to use the Pivot tool and provides tips on how to create useful data visualizations using Pivot.
  • Reporting Manual: covers reports and report management in Splunk Enterprise, including report acceleration, report scheduling, and printing reports as PDFs.
  • Forwarding Data: describes how to use forwarders to get data into Splunk Enterprise.
  • Distributed Search: describes how to use search heads to distribute searches across multiple indexers.
  • Updating Splunk Enterprise Instances: describes how to use deployment server and forwarder management to update Splunk Enterprise distributed instances such as forwarders and indexers.
  • The Distributed Deployment Manual is now focused on the conceptual background for distributed deployment, an overview of common deployment architectures, information about hardware requirements and capacity planning, and instructions for upgrading a distributed environment.
  • In addition, the Module System User Manual and the Module System Reference have moved from dev.splunk.com to docs.splunk.com.

New in Splunk 5.0.5 (Sep 24, 2013)

  • Resolved security issues:
  • The following security issue has been resolved in version 5.0.5:
  • Abuse of a test script mechanism to execute shell code (SPL-70250)
  • Resolved data input issues:
  • Very busy logfiles which are "rotated" with the copy-truncate pattern can lead to partial logfile re-indexing minutes to hours after the copy+truncate occurs. The duplication will consist of all events from the file start to some point in the middle of the file. (SPL-70749)
  • Compressed data is re-indexed multiple times if the compressed file is > 256 bytes. (SPL-69770)
  • Splunk fails to index a file ending with a capital letter .ZIP extension; lower case .zip works. (SPL-68226)
  • WinEventLog InputChannel stops collecting data due to constant timeout and must be restarted. (SPL-64915)
  • Perfmon events ingested by a universal forwarder do not have a valid extracted timestamp. (SPL-63796)
  • TIME_FORMAT parameter specified in 'data preview' window not honored if spaces present until splunkd is restarted. (SPL-68420)
  • Resolved charting issues:
  • Right clicking on chart and selecting print freezes all versions of IE. (SPL-71276)
  • List of enabled chart types is incorrect for commands like timechart, top, rare. (SPL-55112)
  • legend.placement=right in JSChart causes detail to be truncated if height=100% is set and the browser has a small height. (SPL-66919)
  • Resolved integrated PDF generation issues:
  • After migration to 5.x, generating PDFs from a saved search generates the error: An error occurred when trying to generate PDF - ssName and pdfViewID unavailable. (SPL-69407)
  • Resolved index replication issues:
  • The percentage of total peers to restart during a rolling restart is now configurable. Refer to this topic for more information. (SPL-70814)
  • Cluster becomes unsearchable after killing some peers. (SPL-70888)
  • Clustering dashboard shows cluster to be 'Not Completely Searchable' but master has already committed generation. (SPL-70802)
  • Cluster master assumes bucket is present in a peer and crashes every few minutes. (SPL-70512)
  • Need control over display of warning Banner "ACK not enabled on forwarder" when clustering is on. (SPL-71482)
  • Clustering peers do not receive heartbeat when clock on the master goes backwards. (SPL-69479)
  • Resolved search, saved search, alerting, scheduling, and job issues:
  • Using mode=sed with the rex command does not replace characters with '\' value correctly (SPL-55549)
  • "Show Source" option is not available when using "fields" command because the events api is missing _cd, _si fields. (SPL-61651)
  • Search process seems to be caught in a loop due to "Max Raw Size Limit Exceeded", never ends. (SPL-70794)
  • Dispatch reaper fails to reap search artifacts when oversubscribed with bundle reaping activity. (SPL-71625)
  • Search does not auto-finalize on first run when using Google Frame extension on IE. (SPL-70971)
  • Can not export all events using unlimited export feature in Splunk Web. (SPL-68343, SPL-59215)
  • Running stats AS * does not return correct number of events. (SPL-67410)
  • Can't use private macro in a map command. (SPL-66265)
  • rex mode=sed does not appear to replace characters with \ value correctly. (SPL-55549)
  • Search tag= not showing correct results. (SPL-47120)
  • The multikv command does not set linecount field correctly when splitting up events and causes erroneous "collapse back to 10 lines" link in Splunk Web. (SPL-38179)
  • Resolved Splunk Web and Manager interface issues:
  • The Next link in Splunk Web should be grayed out after displaying by default 10K events in 4.3.x and 1K events in 5.0.x. Clicking Next at this point will display an empty page. (SPL-64905)
  • The root_endpoint is not working if you log out and then re-log in to Splunk Web because Splunk Web is setting the location of response header as / and not as the value set in root_endpoint of web.conf. (SPL-70334)
  • Manager > Licensing page taking too long to load. (SPL-71147)
  • Splunk Web generates an "event" file if exporting the results in a Chinese character filename rather than the Chinese character file. (SPL-68227)
  • A search being rendered into a SimpleResultsTable will have status_buckets set to at least 1 for the search feeding it. Often this API parameter is unnecessary, and can have negative effects on performance. (SPL-66501)
  • If you use both real-time search and postprocessing in an event module, an error "Negative offsets are not allowed when a postprocessing search is specified" is displayed. (SPL-62459)
  • Resolved distributed deployment, forwarder, and deployment server issues:
  • In splunkd.log, deployment client debug message says: DEBUG DeploymentClient - Handshake not yet finished. will continue retrying with a rate of '60000 secs'. The value 60000 is in msec and not secs. (SPL-70584)
  • Updating assets.csv causes the restart message to be displayed in Splunk Web. (SPL-71121)
  • Deployment server initiating a restart after application deployment, and Windows based UF takes longer than Windows allows (30 seconds). (SPL-61193)
  • The server.conf spec file fails to indicate that search head pooling parameters cannot be specified in apps hosted on the shared storage. (SPL-72069)
  • Search head pooling: Build event type page shows error: "Unable to get sample events: local variable 'f' referenced before assignment". (SPL-70870)
  • UF forwarding data in load balancing mode is sending twice more to one specific indexer in the list. (SPL-69922)
  • Once a connection fails to the license master, it refuses all subsequent license-slave connections with HTTP server 500 error. (SPL-61116)
  • Deployment client fails to download apps when appname, servername, tenant class name contain space. (SPL-38923)
  • Resolved Windows-specific issues:
  • A problem with the deployment client can cause a Windows server running that client to take longer to start than Windows's service manager allows. Affected systems log an entry into the System event log: A timeout was reached 30000 milliseconds while waiting for a transaction response (SPL-61193)
  • Generating streaming commands (such as streambag.py) give an Invalid header error on Windows. (SPL-67101)
  • Deployment server initiating a restart after application deployment, and Windows based UF takes longer than Windows allows (30 seconds). (SPL-61193)
  • Diag does not recover from file I/O errors when copying windows checkpoint files. (SPL-71788)
  • Right clicking on chart and selecting print freezes all versions of IE. (SPL-71276)
  • Search does not auto-finalize on first run when using Google Frame extension on IE. (SPL-70971)
  • Splunk on Windows does not start/restart properly with deployment server, fails with FATAL loader - Timed out waiting for config lock; see splunkd_stderr.log for details. Exiting. (SPL-70075)
  • Resolved unsorted issues:
  • After upgrade from 4.3.x, splunkd.log is reporting a lot of ERROR ProcessDispatchedSearch - PROCESS_SEARCH - Error opening "": No such file or directory. (SPL-63237)
  • After upgrade from 4.3.4 to 5.0.x, splunkd crashes with assertion failure in _writeWithTimeout. (SPL-62009, SPL-73904)
  • splunkd crashes in SummaryDirectorSearchExecutorWorker thread. (SPL-70756)
  • Online fsck doesn't repair corrupted *.data when "./splunk stop -f" + "./splunk restart" (SPL-65914)
  • The root endpoint is not honored in dashboard edit context, redirected to wrong page or 404 when saving. (SPL-64210)
  • Diag does not recover from file I/O errors when copying windows checkpoint files. (SPL-71788)
  • Crash during shutdown: Crashing thread: indexerPipe Registers:. (SPL-71646)
  • splunkd on primary search-head consumes all cpu forcing reboot of the whole system. (SPL-70684)
  • Splunk checks for availability of management port at startup even when disableDefaultPort is set. (SPL-70520)
  • Crashing thread: HTTPRequestHandlerThread. (SPL-69425)
  • Crashing thread on universal forwarder: Exec. (SPL-69283)
  • Crash in search or dispatch thread. (SPL-68356, SPL-68904, SPL-69155)
  • splunkd crashes in UDPInputProc due to race condition. (SPL-68148)
  • SimpleXML forms fail to load if there are no fieldsets. (SPL-63681)
  • Multiprocessing Python scripts do not work on CentOS. (SPL-60550)

New in Splunk 5.0.4 (Jul 30, 2013)

  • Resolved highlighted issues:
  • Historical scheduled searches without an explicit "dispatch.latest_time" specified in their savedsearches.conf definition will run out of schedule on 5.0.3 instances which are part of a search-head pool. (SPL-68970)
  • Resolved index replication issues:
  • Files distributed by means of the cluster master configuration bundle may land in the peer's $SPLUNK_HOME/etc/apps/slave-apps with incorrect permissions. Typically, this only affects scripted inputs which lose their executable bit and can't be run by splunkd. (SPL-64308)
  • Clustering status should show the server name along with GUID. (SPL-68151)
  • Resolved PDF generation issues:
  • If you schedule delivery of a PDF report of a dashboard that includes HTML panels, the PDF report will not be attached to the email. You will see the following error in the python.log: No search job available. (SPL-64056)
  • is not honored as a way to specify a search in a simple XML view when creating a search in a dashboard. (SPL-65757)
  • Using causes PDF generation not to work. (SPL-65757, SPL-64056)
  • Resolved search, saved search, alerting, scheduling, and job management issues:
  • Inline+PDF email alert gets disabled when updating saved searches after upgrading to 5.0.x. (SPL-63477)
  • python.log can grow due to email alerts automatically logged in DEBUG mode: INFO sendemail:mail sendPDF ...DEBUG Preloading from '/opt/splunk/var/run/splunk/merged/server.conf'. (SPL-64933)
  • On Windows, using the rex command with double quotes in the arguments causes scheduled search to not run script. (SPL-61818)
  • Search performance issues when there are a lot of search peers. (SPL-70145)
  • Export in raw mode fails when using reverse command. (SPL-70119)
  • Real-time search fails for events without a valid extracted _time. (SPL-66660)
  • When searching, UnboundLocalError: local variable 'rs' referenced before assignment error is shown. (SPL-69933)
  • Splunk Web is slow when there are +3K stanzas in savedsearches.conf. (SPL-67141)
  • After saving a new search in Searches and Reports under Manager, the alert expiration time is always set according to the custom time. (SPL-65246, SPL-64810)
  • Skipped searches due to bandwidth give no indication as to why they were skipped. (SPL-63110)
  • Show message when max_mem_usage_mb is reached. (SPL-62405)
  • "Unable to get viewstate information; formatting may not be correct" error in Splunk Web after cloning a search and changing its permissions. (SPL-61124)
  • Searching for transactions gives different results in CLI vs Splunk Web. (SPL-58103)
  • RT search backfill takes 15x longer than historical search to fetch a given set of events. (SPL-56820)
  • Typeahead doesn't display source values, just Index, Sourcetype and Host. (SPL-55342)
  • Resolved Splunk Web and Manager interface issues:
  • Invalid XML response (500 internal server error) while accessing lookup manager view when lookup file name contains special characters (SPL-66497)
  • IE9 Compatibility mode default setting does not render dashboard edit menus. (SPL-61480)
  • CherryPy instance should serve a robots.txt file. (SPL-67956)
  • Using the Back button after drilling down on a table gives an error in IE9 and earlier. (SPL-66459)
  • 'New Panel' in Edit Dashboard is empty - Only Cancel and Save buttons. (SPL-65847)
  • "List by Tag Name" link displays error "Splunk cannot find "saved/ntags/" when changing permissions from public to private. (SPL-63548)
  • Full list of fields not displayed in field picker with error "No fields to display for this search." (SPL-58178)
  • Resolved distributed deployment, forwarder, and deployment server issues:
  • The syslogSourceType attribute for syslog routing does not work. (SPL-64400)
  • Forwarder performance with SSL enabled is significantly degraded from 4.3.x. (SPL-67365)
  • Syslog routing transform creates misleading warning: DEST_KEY=_SYSLOG_ROUTING is claimed to be undocumented. (SPL-68932)
  • Universal forwarder continues to try to resolve reverse DNS after setting autoLB=false in outputs.conf. (SPL-68225)
  • When a forwarder is sending with useAcks on, sendQueue (outputs.conf maxQueueSize) does not automatically adjust to recommended value. (SPL-66915)
  • splunk list forwarder-server shows the indexer as inactive. (SPL-65372)
  • Outputs.conf does not include a definition for backoffOnFailure. (SPL-64584)
  • Events specified in syslogSourceType still get timestamp added for SYSLOG_ROUTING. (SPL-64400)
  • Indexer memory growth associated with frequent forwarder disconnects. (SPL-63778)
  • splunkd.log reports ERROR HTTPClient - Invalid URI fragment "": can't find hostname after installing Deployment Monitor app. (SPL-63568)
  • Splunk's sslCommonNameToCheck feature can't validate multiple certs, so doesn't work with search peers in different domains. (SPL-55098)
  • Resolved Windows issues:
  • IE9 Compatibility mode default setting does not render dashboard edit menus. (SPL-61480)
  • Using the Back button after drilling down on a table gives an error in IE9 and earlier. (SPL-66459)
  • The $decideOnStartup variable does not work for [perfmon] input.conf stanza. (SPL-66103)
  • Overriding the automatic assigned sourcetype for a WinEventLog at the forwarder does not work. (SPL-63554)
  • Blank pages added when printing dashboards from Windows IE. (SPL-61979)
  • Add an option to globally force flash rendering (simple_xml_force_flash_charting) of all charts so IE8 users can switch from JavaScript. (SPL-66162)
  • Resolved unsorted issues:
  • Tempfile permission denied error: ERROR BundleArchiver - Cannot create temporary for filtering: $SPLUNK_HOME/etc/apps//metadata/local.meta: Permission denied. (SPL-63776)
  • Splunkd.log reports ERROR HTTPClient - Invalid URI fragment "": can't find hostname. (SPL-63568)
  • Reset license may not take effect if you have more than one active license stack. (SPL-67719)
  • Spam in splunkd.log from OneShotWriter when shutting down. (SPL-65744)
  • TcpOutEloop crash Assertion `it != _ackableEventsPerChannel.end()' failed. (SPL-59183, SPL-67365)
  • Memory leaks in PipelineDataRawStoragePool and SQLitePersistentStorageImpl. (SPL-57217)
  • Memory growth issue when search summary page is opened and loading big metadata searches. (SPL-69162, SPL-55163)
  • Deleting an index containing a capital letter (for example, splunk remove index MyIndex) causes crash. (SPL-68995)
  • Wrong location for the list_maxsize in limits.conf.spec. (SPL-68519)
  • useSplunkdClientSSLCompression default is incorrect in server.conf.spec. (SPL-68437)
  • sslAltNameToCheck in server.conf does not handle internal whitespace in list. (SPL-68259)
  • default-mode.conf spec file is inadequate. (SPL-68150)
  • Multiple consecutive delimiters treated as one when using multikv.conf. (SPL-67748)
  • Status_buckets are set unnecessarily and could cause performance issues. (SPL-66510)
  • Invalid XML response/500 error from Splunk Web when lookup file contains special characters. (SPL-66497)
  • Memory leak in ArgList when running large numbers of accelerated searches. (SPL-66152)
  • The $decideOnStartup variable does not work for [perfmon] input.conf stanza. (SPL-66103)
  • Crash in merging thread. (SPL-65117)
  • Discrepancies between app.conf.spec and app.conf.example. (SPL-63822)
  • Running oneshot input on exported Windows events file not working. (SPL-63481)
  • Splunkd crashes on AIX, btree becomes corrupt and needs rebuilding. (SPL-63180)
  • The btool command should be able to create proper output from a diag collected from Splunk with search head pooling enabled. (SPL-57104)
  • [limits.conf.spec] Inaccurate default value specified for subsearch/maxout. (SPL-46228)
  • Default sourcetyping for $SPLUNK_HOME/var/log/splunk/web_(access|service).log files does not account for file rotation, generates lots of entries in learned app. (SPL-66311)
  • Attempting to add a file input monitor with an existing but disabled target index yields error claiming that the index does not exist: "In handler 'monitor': Parameter index: Index 'test' does not exist. Please provide a valid index." (SPL-64709, SPL-53081)
  • Log settings for appender.licenseaudit* in log.cfg do not include maxFileSize and maxBackupIndex properties. (SPL-63431)
  • Bucketmover should log why a bucket is moved from warm to cold. (SPL-62307)

New in Splunk 5.0.3 (May 29, 2013)

  • Resolved security issues:
  • This version of Splunk addresses the following security vulnerabilities:
  • Reflected XSS in Splunk Web (SPL-59895, CVE-2012-6447)
  • Unquoted service path in universal forwarder on Windows (SPL-60250)
  • Plaintext recovery attack and DoS in OpenSSL 0.9.8x (SPL-61546)
  • For more information about these issues, refer to this listing on the Security Portal.
  • Resolved highlighted issues:
  • Indexes and Data Inputs Manager pages time out with a "500 - internal server error" in environments where indexers hold many buckets in warm/hot directories, because of excessive response time for GET requests to the /services/admin/indexes endpoint. (SPL-61718)
  • Deployment server: 'splunk reload deploy-server' command causes Linux host to freeze. (SPL-62493, SPL-63795, SPL-62304, SPL-62021, SPL-67089)
  • Resolved data input issues:
  • During upgrade, if a Splunk instance times out with the message, "Conf is currently being modified by process ", run the command splunk clean locks on the instance and retry the upgrade. (SPL-60905)
  • In rare cases, a monitor input for rotating log files can result in log.* being completely re-indexed. (SPL-58862, SPL-64370)
  • Monitoring wildcards in the root directory, or Windows directories on unix can cause data duplication. AKA [monitor:///logfile.log.*] or [monitor://c:\program files\something.*] on UNIX are not currently handled correctly. (SPL-55853, SPL-66464, SPL-63085)
  • Rotated file "*.log.{n}" is re-read entirely a few minutes after "*.log" is indexed, resulting in duplicate data. (SPL-56831)
  • For modular inputs, linebroken events larger than 4KB may be broken arbitrarily. (SPL-63685)
  • Restart while actively reading evtx files can cause Splunk to stop indexing that input. (SPL-61602)
  • Corruption in .data files leads to blocked indexing queue. (SPL-59600)
  • Batch inputs cannot index Windows Event logs. (SPL-64358)
  • MainTailingThread crash on AIX universal forwarder. (SPL-62864)
  • Resolved index replication issues:
  • Using the delete operator on clustered data can potentially result in unintended events getting deleted. In most cases it will result in intended events not getting deleted. (SPL-56812)
  • When there are network issues between peers, lots of small buckets are created because the master continues to schedule replications to that peer. (SPL-56244, SPL-60092)
  • Message in splunkd.log on peer is confusing when the peer is disconnected from the replication port ("Received unexpected byte message!") (SPL-56302)
  • splunkd.log gets spammed with "master is not enabled on this node" messages every second when you disable clustering on the master. (SPL-50709)
  • splunkd.log gets spammed with "INFO CMMasterHTTPProxy - updated genid=1 with guid=..." on search head and "CMSlave - event=writeBucketsToSearch" on peers. (SPL-64125)
  • splunkd.log is full of commitPendingGeneration messages. (SPL-63400)
  • Cluster master can crash with signal 11 in HTTPRequestHandlerThread shortly after an indexer-peer crashes. (SPL-59908, SPL-63310)
  • Frozen buckets are not handled properly after a master restart; the knowledge that a bucket has been frozen is not persisted and is lost if the master is restarted. (SPL-65100)
  • When pushing a new config to the cluster, the Cluster Master got stuck in a restart loop with one of the peers when peer was out of commission. (SPL-63003)
  • Resolved search, saved search, alerting, scheduling, and job management issues:
  • Searches that contain subsearches do not return data in environments where search heads are running version 5.0.x and indexers are running version 4.3.x. (SPL-62457)
  • Searches with subsearches that use the join command in environments where search heads are running 5.0.x and indexers are running 4.3.x return different data than environments with both search heads and indexers running 4.3.x. (SPL-59398)
  • The simultaneous running of many summary indexing searches that use the 'stash_new' command can result in namespace collision, which can cause errors in splunkd.log similar to "WARN FileClassifierManager - The file '/var/fflanda/splunk/var/spool/splunk/RMD5257b69c72240c88d_342014304.stash_new' is invalid. Reason: binary" and block summary indexing searches from running. To work around this issue, turn off binary checking by editing $SPLUNK_HOME/etc/local/props.conf and setting the value of NO_BINARY_CHECK=1 under the [stash_new] stanza. (SPL-59578)
  • Some new search objects (rtsearch command, and its objects) are not included in the CLI help yet. (SPL-56409)
  • Users with custom roles may receive "Client is not authorized to perform requested action..." error when attempting to change permissions of her/his own saved searches (SPL-58729)
  • In AutoKV prior to 5.0, an event that contained key value pairs encapsulated in double-quotes and included a trailing ' / ' was treated as one value. Now, the backslash acts as an escape for the double-quote, causing AutoKV to consume everything up to the next double quote as part of the value. (SPL-58852)
  • Using the outputlookup command with append=true outputs inconsistent numbers of results. (SPL-63997)
  • Extremely slow start times when running searches on pooled search heads in Splunk Web. (SPL-63579)
  • Real-time search/alerts sometimes have unacceptable latency (>10 seconds). (SPL-60620)
  • Search head returns double results from 4.3.2 indexers when using append command. (SPL-60049)
  • splunkd search consumes unreasonable amounts of memory when reading events with a large _raw. (SPL-57336)
  • Search performance issues after upgrading from 5.0.1. (SPL-65627)
  • Searching against summary index replaces fields that contain characters that are not in a-z, A-Z, and 0-9 ranges with an underscore (_). (SPL-58300)
  • rex command fails to update a multivalue field to a new single value. (SPL-64395)
  • No results while searching for terms that include  . (SPL-64361)
  • Linear max lag increase for scheduled searches, possible connection with increases quota elapsed_ms. (SPL-62321)
  • Real Time Alerts not working consistently in 5.0.2. (SPL-62129)
  • Resolved Splunk Web and Manager interface issues:
  • Tags created via Splunk Web of fields that include special characters are double-encoded in tags.conf and will not display correctly. (SPL-53510)
  • "Metadata results from this peer are incomplete: the peer has over 100000 entries" message in the summary dashboard in large environment. (SPL-58112)
  • Indexes and Data Inputs Manager pages time out because of excessive response time for GETs to /services/admin/indexes on indexers with many buckets in warm/hot directories. (SPL-61718)
  • "Your network connection may have been lost or Splunk web may be down." banner messages in Splunk Web on pooled search heads, Splunk Web becomes unresponsive. (SPL-63230)
  • Splunk Web becomes unresponsive due to cherrypy threadpool issue. "Splunkd daemon timed out" banner messages in Splunk Web. (SPL-66828)
  • Show source doesn't work when using srchFilter based on automatic lookup-generated field. (SPL-64388)
  • Resolved distributed deployment, forwarder, and deployment server issues:
  • Different results for sub-searches when there is a mismatch of versions between search-heads (5.0.0, 5.0.1, 5.0.2) and search-peers (on older version 3.* or 4.*). (SPL-59398)
  • All users of the same search head can see app deletion messages. (SPL-65784)
  • Default search head pooling polling intervals are too aggressive for environments with high number of users, become detrimental to performance. The values of poll.interval.check and poll.interval.rebuild have been raised to 1 minute each. (SPL-62772)
  • Resolved Windows-specific issues:
  • If you tell Splunk to monitor a Windows Event Log (.evt or .evtx) file using a [monitor://] stanza in inputs.conf, then restart Splunk while it is reading the requested file, Splunk abandons reading that file further, only indexes the data collected from the part of the file it has already read, and mistakenly ignores the file as having been fully read later. (SPL-61602)
  • A problem with Splunk's Registry Monitor driver can cause the Splunk Registry monitor process (splunk-regmon.exe) to hang when you attempt to restart Splunk, thus preventing other Splunk services from restarting successfully. To fix the problem, you must reboot the server. (SPL-64212)
  • splunkd running on Windows runs out of ephemeral ports, resulting in "Splunkd daemon is not responding" errors in webservice.log. (SPL-60511)
  • Batch inputs cannot index Windows Event logs. (SPL-64358)
  • Resolved unsorted issues:
  • Poor indexing performance paired with ERROR StreamGroup and ERROR STMgr in splunkd.log caused by null characters in configuration files. (SPL-58854)
  • The "quota" attribute for the licenser/pools REST endpoint is inconsistent between the XML and JSON outputs. (SPL-53124)
  • Splunk on AIX hangs on first time run. To work around this issue, add the following to $SPLUNK_HOME/etc/splunk-launch.conf: SPLUNK_IGNORE_ICU_TIMEZONES=1. Do not add this setting unless you are experiencing the hanging issue. (SPL-58929)
  • MainTailingThread crashes splunkd with a message that says 'Assertion failed: bytesToHash < 1048576' (SPL-58292, SPL-60604, SPL-67106, SPL-64104)
  • Splunkd.log of indexer/search peer is flooded with the benign message: WARN NetUtils - write failed with :32 (and/or :104). Workaround: in log.cfg, under [splunkd], set category.NetUtils = CRIT. (SPL-61961)
  • Splunk Web crashes or becomes unresponsive when clicking Next link quickly in event list. (SPL-64911, SPL-65692)
  • Deleting an index that uses the volume setting causes splunkd to crash with "Crashing thread: indexerPipe". (SPL-60990)
  • Crash in HTTPRequestHandlerThread when Splunk is scanned by a security scanner. (SPL-60736, SPL-62334)
  • Crash in AsyncQueuedMessageDispatcher_connection_.... - assert_fail in PhoneHomeListener::handleMessage. (SPL-59477)
  • Overloaded disk (high iowait) causes logins to timeout. (SPL-59129)
  • splunkd is stopped after deleting index which has "homePath.maxDataSizeMB" parameter setting. (SPL-58345)
  • btool output needs to explicitly differentiate between repository locations. (SPL-57545)
  • SSL_ERROR on search head, searching halted due to insufficient entropy in random number generator in version of OpenSSL 0.9.8x. OpenSSL version upgraded to 0.9.8y. (SPL-63544, SPL-56723, SPL-64394)
  • Applying intentions failed 'rawargs' ERROR in the UI when drilling down in a search with | xmlkv, json spath drill-down does not work correctly. (SPL-66922, SPL-59671)
  • limits.conf.spec has two entries for use_dispatchtmp_dir. (SPL-65673)
  • REST always returns a result when in previous versions 0 results were returned. (SPL-64751)
  • Main splunkd crash > HTTPRestDispatcher > seg fault. (SPL-64378)
  • diag fails on Windows when a unicode file exists in $SPLUNK_HOME/etc. (SPL-63703)
  • ERROR HTTPServer - Exception in handleRequest Could not decode attribute errors in splunkd.log when license slaves lost communication with the master. (SPL-57540)
  • Repeated crash with assertion failure in _writeWithTimeout. (SPL-62009)
  • Spaces in userid (LDAP) causes spaces in SID. (SPL-61655)

New in Splunk 5.0.2 (Feb 7, 2013)

  • Resolved highlighted issues:
  • Significant increase in indexer latency and reduction in throughput of up to 75% related to execution of MaxDataSize settings in indexes.conf, which can result in the indexer(s) refusing forwarder connections. This issue is more likely to manifest in deployments with slower storage volumes. (SPL-58689)
  • A 500 Internal Server Error is displayed when using Manager to edit or create a saved search, add a data input, list or edit indexes, or edit user roles. (SPL-58872, SPL-58650).
  • Resolved data input issues:
  • In Australia, with devices set to Australia/Sydney (Australia Eastern), logs get generated as 11/16/11 10:30:00 EST, and Splunk (or the machine) interprets EST as US Eastern. (SPL-56076)
  • WARNs about "Endpoint has not specified a type for val=auto, will return this as a string in JSON API." in splunkd.log when adding an index via the CLI. (SPL-53640)
  • Indexer throttled and indexing paused with "...too many tsidx files in bucket=* Is splunk-optimize working? if not, low disk space may be the cause..." message displayed in Splunk Web. (SPL-58922)
  • Indexing processor spends too much time on hot bucket metadata files, resulting in slowed indexer performance. (SPL-58859)
  • Indexed host name will become "$decideOnStartup" when uploading data via Splunk Web. (SPL-57073)
  • Summary index fields that contain characters that are not in a-z, A-Z, and 0-9 ranges are replaced with an underscore (_). (SPL-58300)
  • Scripted inputs defined in Manager do not work with search head pooling configurations. (SPL-57429)
  • splunk-admon.exe consumes excessive amount of memory. (SPL-57409)
  • Cannot update fields in a disabled index. (SPL-56752)
  • A warning should be issued when indexes are set to write to a volume's path without referencing the volume in homePath or coldPath. (SPL-56031)
  • Resolved charting issues:
  • The "Edit report" link is missing when you load a saved report from Splunk Web. (SPL-59182)
  • JSChart should choose _time as the x-axis field even if it is not the first field in the results. (SPL-56805)
  • Resolved index replication issues:
  • Rename the 'cluster' special app to '_cluster', which is more indicative of its special nature and migration requirements. (SPL-57536)
  • Allow multiple apps to be pushed onto peers from master-apps. Refer to this topic in Managing Indexers and Clusters for information on cluster app limitations. (SPL-57373)
  • Replication connection failures show up as "WARN BucketReplicator - Failed to replicate warm bucket" in splunkd.log (but the bucket is still replicated). (SPL-55413)
  • Setting sslVerifyServerCert=true is not being picked up and no validation takes place when clients are replicated. (SPL-56368)
  • The splunk list cluster-master-generation command does not list peer list for generation. (SPL-53096)
  • Clustering peers get stuck at the license agreement prompt when restarting the first time after an upgrade if you run a rolling restart. (SPL-52871)
  • If an invalid active bundle exists on the master, slave keeps downloading it every second and spams splunkd.log. (SPL-51320)
  • Lots of "Examining bucket" debug messages in web_service.log when viewing index replication dashboard. (SPL-56240)
  • "A splunktcp forwarder port is not configured in inputs.conf" error message appears on forwarder/search head/master when it should only appear on the affected slave. (SPL-56019)
  • Crash in ReplicationDataReceiverThread, no space left on disk. (SPL-56817)
  • Searching directly on a slave only works on searchable & primary bucket. (SPL-57197)
  • Running ./splunk edit cluster-config does not allow 'max_peer_build_load' and 'max_peer_rep_load' to be edited. (SPL-57193, SPL-56665)
  • Peer unable to handle failed replication (reason: state mismatch for bucket status on target, actual=Complete expected=NonStreamingTarget). (SPL-56671)
  • If a primary peer's connection is interrupted and the master node is restarted before it comes back up, another peer can be designated the primary, which causes problems when the original primary peer comes back up. (SPL-56515)
  • Off by one error for max outstanding build jobs parameter (we allow 6 when max is set to 5). (SPL-56246)
  • Deletes not handled properly on buckets that are already searchable if the peer from which the events were deleted fails. (SPL-51974, SPL-58208)
  • CLI help for index replication topics is missing. (SPL-57455)
  • Shutting down a peer can hang/time out if the master is down. (SPL-57144)
  • Running the splunk list peer-buckets and cluster-buckets commands fails to display all buckets. (SPL-56104)
  • A peer shouldn't be green/searchable when status is pending. (SPL-55876)
  • The default value of max_peer_build_load in server.conf.spec is incorrectly stated as 5, should be 2. (SPL-56640)
  • Resolved integrated PDF generation issues:
  • When a PDF is generated of a dashboard that includes one or more panels with table visualizations, it's possible that the PDF versions of the tables will include columns for fields that are not seen in the original dashboard tables. The PDF table columns may also appear in a different order than they do in the original dashboard tables. Splunk adds any field in the original stats results of the search to the PDF version of a table, even if the field is restricted from showing in the original dashboard table by the dashboard XML. (SPL-56255)
  • PDF wizard uses "admin_xxxx" name for non-English dashboards. (SPL-56279)
  • Row numbers are missing in PDF of simple results tables. (SPL-56248)
  • PDF generation does not work on HPUX or the PowerPC architecture. (SPL-56049)
  • Rendering reports broken with error referencing "searchFieldList". (SPL-56809)
  • Print to PDF doesn't include panels that have an ampersand (&) character in the title. (SPL-57419)
  • When on non-x86 system, if a remote report server is available, we should be using that. Otherwise, no PDF support should be provided. (SPL-57359)
  • If you create a search in manager with an email alert for pdf results (or edit an existing search to add pdf) you get only csv. (SPL-58921)
  • When disabled, the Generate PDF button still responds to clicks. (SPL-58231)
  • Sparklines can sometimes extend off the right side of a table. (SPL-58207)
  • PDF report should not print empty charts when there are no results. (SPL-56189)
  • Resolved report acceleration issues:
  • In Manager, report names appearing on the Report Acceleration Summaries and Report Acceleration Summary Details pages (under Reports using this summary) may be followed by a period. (SPL-56540)
  • Under very specific conditions Splunk can erroneously summarize data in a manner that causes subtle charting errors. This happens when you accelerate a search with an unbounded time range (earliest and/or latest time not set) and a timechart without an explicit span setting. (SPL-56001)
  • Numeric calculations in prestats mode don't emit precision. (SPL-56070)
  • When you switch to Free and then create a summarization (which is not supported in Free), the following error is shown: "TSUM: LicenseRestriction: [HTTP 402] Current license does not allow the requested action". (SPL-56339)
  • If two summaries from searches in two different apps have the same hash, the link to each of them in Manager goes to the same search. (SPL-56040)
  • Status of a summary is always pending unless it's building. (SPL-56451)
  • Show source fails intermittently with "DispatchSearch - Could not find target event on the remote server, unable to form the proper distributed search". (SPL-55970)
  • The values() command doesn't work in non-prestats mode. (SPL-56081)
  • Configured namespace data is not cleaned when running ./splunk clean all. (SPL-55894)
  • Resolved search, saved search, alerting, scheduling, and job management issues:
  • Killed or otherwise 'zombie' search jobs are not flagged as such in Splunk Web, and are displayed differently on different tabs. (SPL-54026)
  • Summary index file header gets indexed when using the collect command. (SPL-58176)
  • Searches do not match with numeric values for indexed fields with uppercase characters. (SPL-60142)
  • Searches using _indextime consume large amounts of RAM. (SPL-58601)
  • Using loadjob on a large search artifact can use a large amount of memory. Loadjob now handles the data on disk instead of in memory, however, for large artifacts access performance may be reduced. (SPL-58653)
  • Searches can time out when fetching full events due to remote timelining where the search head->indexer connection is unstable. (SPL-57454)
  • Running a timechart command with the span option, such as "index=_internal | timechart span=1h count by clientip" returns the error "Error in 'bin' command: Option 'span' should not be specified more than once." (SPL-57184)
  • Sorting in postprocess search broken for more than 50k results. (SPL-56641)
  • Scheduled RT search creates too many preview dispatch directories. (SPL-57584)
  • Using the name option with a value of "*" in the summary indexing backfill script will not capture any searches that meet the criteria: enabled, scheduled, and having a summary indexing action. (SPL-56841)
  • No way to make a saved search use action.email.inline=1 from Manager. (SPL-56830)
  • Setting [searchresults] max_mem_usage_mb in limits.conf improperly overrides maxresultrows. (SPL-56815)
  • Search queued message shown even after the search starts running. (SPL-56433, SPL-56435)
  • Resolved Splunk Web and Manager interface issues:
  • The "Edit report" link is missing when you load a saved report from Splunk Web. (SPL-59182)
  • Restart Splunk link is broken in Chinese Splunk Web. (SPL-49823)
  • The Send to background button tooltip is truncated. (SPL-58426)
  • Strings in the App dropdown are not localized in Manager pages. (SPL-57403)
  • Changing the source type setting for any input in Manager is not saved. (SPL-57022)
  • Uploading a lookup file in manager fails with "Encountered the following error while trying to save: In handler 'lookup-table-files': Source file is outside of staging area". (SPL-56835)
  • Error "ERROR AdminManager - Invalid Link hostname" when adding port value to link hostname under Manager » System settings » Email alert settings. (SPL-56833)
  • Edit dashboard options not localized in Splunk Web. (SPL-56484)
  • Strings in Field Picker are not localized. (SPL-56207)
  • "Save & share results" is not localized. (SPL-56204)
  • Resolved unsorted issues:
  • Splunk can experience intermittent crashes in different threads on AIX due to an unresolved gcc bug in AIX. (SPL-49004)
  • On startup splunkd says "My newly generated GUID is X", then "My newly generated GUID is Y", X ≠ Y. (SPL-57592)
  • Errors on startup about "Possible typo in stanza [distributedSearch]" due to removal of invalid parameter. (SPL-57577, SPL-58095)
  • CLI command error: 'local-index' is not a valid argument for the 'enable/disable/display' command. (SPL-57501)
  • CLI command error: 'jobs' is not a valid argument for the 'list' command. (SPL-57500)
  • The diag command should not include tsidxstats files. (SPL-57543)
  • External REST handlers can't handle unicode. (SPL-57103)
  • When an index has been disabled, but splunkd hasn't yet been restarted (as is required), a REST request to delete it should return a clearer error message. (SPL-56819)
  • btool inputs list ignores --dir argument, returns results from live instance. (SPL-56626)
  • After configuring a new universal forwarder, the splunk list forward-server sometimes takes a short while to list correct forward server status. (SPL-55793)
  • If you create a dropdown with a populating search where the results include a back-slash, you cannot then use that token in a search. (SPL-58362)
  • Setting phoneHomeIntervalInSecs on a Linux deployment client to a high number (10 minutes) causes client to not download updated changes from deployment server. (SPL-57589)
  • In dynamic drilldown, Japanese characters are passed as UTF-16, expected UTF-8. (SPL-57534)
  • Text fields ignore seed value in simple XML. (SPL-57532)
  • Email alert sent, but no warning in the logs or scripted alerts when a search peer is missing. (SPL-57391)
  • Splunk's bin/python doesn't start up on HP/UX 11.11i machines without /dev/urandom. (SPL-57317)
  • Crash in TcpOutEloop thread during shutdown. (SPL-56875)
  • License slave master-uri incorrectly parsed with a trailing slash. (SPL-56836)
  • Rebuilding archived bucket throws error ERROR - Error opening The process cannot access the file because it is being used by another process. (SPL-56834)
  • Username with embedded space running existing saved search fails with 404 error in SimpleResultsTable module. (SPL-56587)
  • Splunk diag fails to exclude files with --exclude command in universal forwarder. (SPL-56399)
  • " WARN AdminManager - Endpoint has not specified a type for val=openLDAP" errors in splunkd.log when mapping LDAP groups via Splunk Web. (SPL-55928)
  • Splunk lacks date parser support for AM/PM for Japanese and Korean. (SPL-55733)
  • The default outputs.conf/forwardedindex blacklist targeting _internal makes no sense for a search head. (SPL-52440)
  • When provided with an invalid value for the 'count' argument, the 'rest' search command produces an error that does not correctly explain what the expected value for 'count' should be. (SPL-57148)

New in Splunk 5.0.1 (Nov 16, 2012)

  • Active UDP inputs cause main splunkd process to leak memory proportionally to the UDP data intake. (SPL-58075)
  • Errors on chart command in searches that run long enough to generate a preview of the results. (SPL-58175)
  • After upgrade to 5.0, splunkweb process does not start due to missing files in app directory. (SPL-54613, SPL-57465)
  • SSL input using IPv6 does not work after upgrade to 5.0. (SPL-57413)

New in Splunk 5.0 (Oct 30, 2012)

  • Index replication - Splunk indexers can now be grouped together to replicate each other’s data, maintaining multiple copies of all data – preventing data loss and delivering highly available data for Splunk search. Using index replication, if one or more indexers fail, incoming data continues to get indexed and indexed data continues to be searchable. For more information about index replication, see:
  • Report acceleration - Accelerating search for reporting over large datasets is now as easy as clicking a checkbox and setting a time range. Summaries are stored on the indexers rather than the search head to allow map reduce parallelism for any search that uses reporting and/or streaming commands. You can enable report acceleration for an eligible search when you save it or add it to a dashboard in the Splunk Web UI. You can also enable report acceleration for an eligible search in Manager > Searches and Reports. For more information about report acceleration summaries, see
  • Integrated PDF generation - You can now create PDF files from your simple XML dashboards, views, searches, or reports on any OS running on an Intel-compatible platform. All PDF features in Splunk Web work without the need to install the PDF Report Server app. Non-UI PDF reporting functionality also uses Integrated PDF generation. For more information about integrated PDF generation, see:
  • Dynamic drilldown - Create custom drilldown behavior for any simple XML table or chart. Specify custom drilldown behavior on a per-field basis. Drill down within one dashboard, from a dashboard to form, or to any third-party tool that accepts URLs. Form searches built in simple XML also accept drilldown information so you can connect one form to send information to another. For more information, see:
  • Modular inputs - Enable any data inputs installed by a Splunk App, making them easier to manage and deploy. Inputs appear automatically on the Splunk Manager > Data Inputs page and are accessible from REST API endpoints for advanced management. For more information, see:
  • REST API versioning and JSON support - Beginning with this release, the REST API is fully versioned, so that if developers embed the version number in a URL, they are guaranteed a particular endpoint behavior. In addition, REST endpoints optionally can now return JSON instead of XML.
  • Splunk JavaScript SDK integrated into core - The Splunk JavaScript SDK is now completely integrated into the core Splunk product and no longer requires a separate download.
  • JSChart enhancements - JSChart now supports more configurations, so you can build more charts that show up on iOS devices. Configure custom colors for charts using SeriesColors, rearrange fields in a legend, and more. Additional enhancements increase browser performance. For more information, see:
  • Documentation improvements - The Splunk documentation set has been reorganized for the 5.0 release. This reorganization makes the tutorial a stand-alone document, gives more visibility to key product areas (indexing, search, visualization, security), provides better browsing structure in the tables of contents, and creates tighter context for search results. The new content design reflects new Splunk features and addresses customer feedback we have received via doc comments, email, and IRC.

New in Splunk 4.3.4 (Sep 11, 2012)

  • Resolved data input issues:
  • When restarting a universal forwarder, *.gz files are reindexed, resulting in duplicate events. (SPL-51091, SPL-51734)
  • The .sizeManifest4.1 file reports a smaller total size than reality for buckets rebuilt by splunk fsck. (SPL-51366)
  • A capital letter in stanza name in indexes.conf causes the index to become "unfindable". (SPL-55151)
  • When editing/adding new scripted inputs in manager/REST, pre-existing cron-scheduled scripted inputs run once at the wrong time. (SPL-53278)
  • Violation of MAX_DAYS_HENCE by file-based data sources without modtime updates leads to indexing congestion in the merging pipeline. (SPL-52210)
  • A path in indexes.conf that ends with "\" causes a parsing problem on Windows. (SPL-52103)
  • Errors in splunkd.log: "TailingProcessor - Error matching path and file". (SPL-47988)
  • Resolved Splunk Web and Manager interface issues:
  • Unable to delete/clone saved searches from Manager -> Searches and Reports. (SPL-52179, SPL-47878)
  • JSChart: in flashtimeline long-running top/rare searches with preview make the chart flicker. (SPL-54371)
  • JSChart: when in a dashboard, the maxResultsForTop parameter is not being respected. (SPL-53530)
  • Wrong/broken icons in Manager after upgrade from 4.2.5. (SPL-53520)
  • Sparkline is displayed only partially and sometimes becomes very short after the search completes. (SPL-52709)
  • The tz value (tz = Etc/GMT+10) is incorrect for Hawaii time zone. (SPL-52106)
  • Can't highlight, or copy/paste LDAP users from LDAP group in the group mapping / permissions screen on Firefox. Works fine on IE. (SPL-51542)
  • Changing permissions on a tag via Splunk Web from private to global makes tag appear to have been deleted. (SPL-52388)
  • Users with expired tokens/cookies are unable to log into Splunk Web. (SPL-45981)
  • Clicking reload link in job management page takes you right back to the app page on IE. (SPL-43234)
  • Search_User_Activity dashboard doesn't show latest user search activity. (SPL-50182)
  • Application "Loading" message obscures logout link. (SPL-49191)
  • Resolved search, saved search, alerting, scheduling, and job management issues:
  • Searches using cidrmatch may cause crashes. Workaround: replace: 'cidrmatch(A, B)' with: 'if(typeof(B, "String"), cidrmatch(A, B), null())' (SPL-49828)
  • Using the rex command with mode=sed does not work with multi-value fields. To work around this issue, use mvexpand before using rex. (SPL-52007)
  • Search fails and Splunk Web banner message "DISPATCHCOMM_RP_FAIL__" is displayed. (SPL-52565)
  • Subsearch failing with the error "Encountered an error while reading file '/opt/splunk/var/run/splunk/dispatchtmp/subsearch_*/prereport_*.csv.gz'.", the workaround is to format the fields with the command fields instead of table at the end of the sub search. (SPL-52862)
  • When a lookup table size is zero, searches run on a search head in distributed search or on a standalone instance on Windows Server might start to crash. This particularly affects the VMWare app and results in empty dashboards. (SPL-53256)
  • Summary generating searches skip even while realtime_schedule = 0. (SPL-54029)
  • Searches referencing conf files that include settings with embedded nulls cause all subsequent searches to fail with "SearchException: An unknown error occurred while parsing search". (SPL-53090)
  • Using the "rest" command in a subsearch results in a CSV read error in var/run/splunk/dispatchtmp/..., only when commands are piped after "rest". (SPL-52862)
  • "None" is in the time unit drop-down menu in throttling setting for saved searches. (SPL-54681)
  • Could not identify leap second on 30 June, 2012. (SPL-52775)
  • Creating an alert to run a script: the field called "File name of shell script to run" needs validation to prevent it from accepting the special characters "..", "/", or "\". (SPL-49225)
  • Windows - scheduled searches with long (>260 char) search name always return 0 results. (SPL-43587)
  • rex mode=sed doesn't handle multivalue fields. (SPL-52007)
  • Resolved distributed deployment, forwarder, deployment server, and deployment monitor issues:
  • File system change monitor (fschange) settings on a Windows universal forwarder do not forward events to an indexer. (SPL-54233)
  • SSO: Direct logins in permissive mode cannot logout - "Logout" button not shown. (SPL-53917)
  • A distributed search fails with a warning "DISPATCHCOMM_RP_FAIL__". (SPL-52565)
  • Resolved dashboard and app development issues:
  • Charts not populating on realtime dashboard with filter. (SPL-53261)
  • The sort postprocess should treat the number of rows as an integer instead of a string in SimpleResultsTable. (SPL-52827)
  • Simple XML : not respected for module. (SPL-52492)
  • The web.conf minify_css setting modifies base path. (SPL-51365)
  • Resolved unsorted issues:
  • Fields in custom conf files are not persisted if they do not have a default provided. (SPL-54152)
  • Search peer on Solaris platform fails to restart after creating an index on the search peer. (SPL-52863)
  • Summary indexing with alert condition set to "always" does not index all events. (SPL-52959)
  • After direct upgrade from 4.1.6 to 4.3.2, instance has index corruption and cannot run fsck on indexes. (SPL-47246, SPL-52868)
  • The 'configs/conf-authorize' endpoint is slow. (SPL-50334)
  • splunkd crashes if you delete and then create a new key in $SPLUNK_HOME/etc/auth/audit/. (SPL-49185)
  • Crashing thread: CallbackRunnerThread > Seg fault > unknown signal origin > CallbackRunnerThread > MetricsManagerprobe. (SPL-53372)
  • Crash: Sig abort > HTTPRequestHandlerThread > tcmalloc > Assertion `utf8bytes >= 0xC280' failed. (SPL-53260)
  • Crashing thread: HttpClientPollingThread_index_us > Signal sent by PID 22865 running under UID 0 > XMLDocument > __assert_fail. (SPL-52991)
  • Events logged by splunkd processors to splunkd.log should reference the full context (source/sourcetype/host) of the pdata chunk in scope. (SPL-52686)
  • PDF of a dashboard does not contain results from inline realtime search. (SPL-52618)
  • Python.log: INFO Sending email: Misspelling: recepients. (SPL-52530)
  • Splunkd.log: TcpOutputProc: logging: Typo. (SPL-51842)
  • Crashing thread: HTTPRequestHandlerThread with Received fatal signal 6 (Aborted). (SPL-52226)
  • Creating an index with "Volume" in the name fails. (SPL-50749)
  • Certs are always created for splunkweb on startup if the privkey.pem and cert.pem files do not exist. (SPL-49542)
  • Every request to splunkweb creates a session lock file in var/run/splunk, ending up in a denial of service (DoS). (SPL-48237)
  • "SearchResults - Unable to write" message in logs is not accurate. (SPL-47283)
  • Crash in "regex matching: Access violation" due to an extracted field having the same name as the field from which it is being extracted. (SPL-45102)

New in Splunk 4.3.3 (Jun 29, 2012)

  • Dashboard panels with Flash charts do not rearrange properly. (SPL-46019)
  • Flashtime search events list sometimes displays empty result rows. (SPL-49330)
  • Inconsistent zoom behavior in flashtimeline when using the browser Back button. (SPL-47930)
  • HiddenSavedSearch results cannot be post-processed and displayed in JSChart. (SPL-50300)
  • After logging into the Splunk UI with Internet Explorer 8, a logout and subsequent login attempt will fail. The Splunk UI will display a green bar in the upper right hand corner with the word "Loading..." To reconnect, close the browser and open a new browser to get the proper login screen. (SPL-50631)
  • Export with Unlimited for csv, xml or json in the Advanced Charting view will generate a zero (0) byte file. (SPL-51334, SPL-48117)
  • _time format is not human-readable when you export events using the Export button. Workaround: use the cTime_convert function. (SPL-48611)
  • Using showsource=1 to convert a simple xml dashboard to advanced XML sometimes generates incorrect advanced XML. (SPL-48485)
  • Splunk sometimes fails to read the Message field for Windows Event Log data and shows a message such as "Splunk could not get the description for this event." instead of the correct message text. (SPL-51312)
  • Windows Event Log failure with FormatMessage error when monitoring Windows Event Logs for more than a day. (SPL-52527)
  • When Splunk Web is configured for listenOnIPv6 = yes, only listener for IPv4 is created. (SPL-51911)
  • Bulk export of more than 50K events is broken from the flashtimeline. (SPL-51662)
  • The splunk rebuild command fails due to large sized malloc failure in _lex_writer_open. (SPL-51570)
  • The splunkd process crashes when running multiple (>10) saved searches with defined alerts at once. (SPL-51203)
  • Data loss triggered by change in parsing of frozenTimePeriodInSecs value from 4.2 to 4.3. (SPL-50828)
  • IE 8: dashboards with multiple timecharts with lots of data gives 'script taking too long warning'. (SPL-50135)
  • Using | stats latest() doesn't emit results in many cases. (SPL-50131)
  • TIME_FORMAT and eval's strptime() should accept dates with leap seconds. (SPL-52549)
  • Crash in splunkd with segmentation fault at vsnprintf(). (SPL-51798)
  • Using kv_mode=json causes unbounded memory expansion in large events. (SPL-51613)
  • REST commands used in scheduled saved searches do not return results. (SPL-51423)
  • Splunk can sometimes crash when running a search that includes an unsupported macro definition. (SPL-51088)
  • When tailing files, consecutive failures for accessing or handling the same pathname will result in a doubling interval up to 0.5s * 2^12 (equivalently 1s * 2^11), which is 2048 seconds, or 34 minutes and 8 seconds. If more errors are encountered, the timer will remain at 34 minutes and 8 seconds. (SPL-50995)
  • In Volume Manager logging in splunkd.log, index name is blank on ERROR lines, and too many errors thrown when it takes a little while to move a bucket. (SPL-50876)
  • On IE6, the saved search wizard dialog does not resize to reflect the content in it. (SPL-50763)
  • On IE6, the create alert wizard steps don't display correctly. (SPL-48368)
  • When the root_endpoint option in web.conf (using Deployment Server via an app) is defined, users are unable to modify their personal settings without getting a 404 error. (SPL-50384)
  • Using the commands() function of eval as a post-process within a view causes a memory leak. (SPL-50223)
  • Hyperlink missing from restart Splunk dialog in Chinese version of Splunk Web. (SPL-49823)
  • Cannot search on capital letters in non-ASCII text. (SPL-49760)
  • Files not indexed because they don't match the whitelist of a higher-level overlapping stanza. (SPL-49599)
  • Setting maxTotalDataSizeMB = 0 causes the index to be deleted on restart (rather than allowing infinite index size, which is what one would expect). (SPL-49535)
  • High levels of knowledge bundle replication can result in a memory leak. (SPL-49434)
  • Exporting results from long-running searches sometimes doesn't export all the results because auto-cancel is erroneously set when the export re-runs the original search. (SPL-48907)
  • Can't use the search inspector icon until >0 scan count. (SPL-48489)
  • Need to reinstate specific error message displayed when a view has bad xml, or a missing argument to a module, or another small problem. (SPL-48365)
  • In Manager > Searches and Reports, the Include PDF version of results checkbox is hidden when you enable Include results in email. (SPL-48142)
  • Add option to indexes.conf that disables global metadata generation to handle deployments with rapidly growing sources.data file. (SPL-47689)
  • SearchLinkLister view module does not show results list. (SPL-52107)
  • The link for sharing a saved search is not generated correctly. (SPL-52088)
  • When you use the interactive field extraction tool (IFX) and provide multiple fields in the example box, high python memory usage on the server ensues. (SPL-52045)
  • Line charts should not support the 'stacked' setting. (SPL-52032)
  • Can't install an app using Deployment Server when client's useHTTPClientCompression (in server.conf) is set to true. (SPL-51970)
  • Login screen says there's a new version available when there isn't. (SPL-51890)
  • App will not launch main flashtimeline view after installation. (SPL-51855)
  • Splunk won't start when using /sbin/service splunk start in Linux. (SPL-51749)
  • When a user with a per-user timezone set creates a summary indexing search, the summary data gets generated with times in that user's display timezone and no timezone offset. (SPL-51742)
  • Event acquired by TCP input processed with TIME_FORMAT of "%s%3N" triggers merging thread crash in TimeFormat::rawParse(). (SPL-51716)
  • Windows event inputs log a bunch of 'file not found' errors. (SPL-51512)
  • When adding a data input via REST, the check-index parameter is not respected. (SPL-51486)
  • Data Preview does not apply timestamps correctly if it includes space between "=" and attribute or value. (SPL-51424)
  • Selecting suggested fields from autosuggestion wipes out the current search. (SPL-51327, SPL-50949)
  • Bucket metadata manifest should get properly refreshed after |delete. (SPL-51271)
  • SH Pooling: Search Returns "end-of-stream" error in Splunk Web, and "RunDispatch::runDispatchThread threw error: Application does not exist:" in search.log. (SPL-51252)
  • Running "splunk set deploy-poll" doesn't work if the user home directory is different from $SPLUNK_HOME directory. (SPL-51132)
  • The eval command's strptime, strftime, and relative_time functions don't work with multivalue fields. (SPL-51003)
  • Upgrading an app without a default directory from 4.2.x to 4.3.1 caused an exception. (SPL-50735)
  • Forwarder re-reads all non Splunk internal logs on restart, resulting in duplicate entries. (SPL-50656)
  • Re-login session will show session expired by IE8. (SPL-50631)
  • Using TCP_ROUTING to send data to nonexistent group triggers exception; documented recipe for replicating subsets of data to 3rd party system throws errors. (SPL-50576)
  • Uncaught JS exception in firebug.js on IE7. (SPL-50559)
  • Drill-downs do not work when chart is resized so that source labels show "...". (SPL-50467)
  • URLs with "#" page anchors do not handle login redirects well and redirect to a malformed URL. (SPL-49952)
  • Saved searches that include macros are sometimes not editable by non-admin users. (SPL-49875)
  • Search using cidrmatch crashes in signal 6 leaving zombie processes. (SPL-49828)
  • Can't set y-axis maximum value in panel editor. (SPL-49769)
  • Files in symbolically linked directory input not being read. (SPL-49761)
  • The spath command floods search.log with WARN message if many of the events are not XML or JSON. (SPL-49697)
  • In Search or advanced charting view if you have a lengthy query that fails, the red bannered error / status message is hidden by the search content box. (SPL-49473)
  • Can't add a URL (such as referer) as a tag from the search UI, just manager or by editing tags.conf. (SPL-49417)
  • Manager > Apps lists Splunk Data Preview with a "View details on Splunkbase" link. This link goes to a "Page not found." (SPL-49156)
  • On app permission change, when going to object permission, page greyed until you click on All apps. (SPL-49120)
  • Fixes to generation and display of Splunk REST API Reference Manual. (SPL-48847, SPL-49217)
  • Data Preview's timestamps always display in the browser's timezone, not the Splunk user's. (SPL-48785)
  • Need exception handling for app XML so that if we cannot parse URLs in a .css file then we leave the file untouched. (SPL-50137)

New in Splunk 4.3.2 (May 11, 2012)

  • Promoted issues resolved in this release:
  • An issue with the Highcharts library used in Chrome version 18.x causes dashboards to crash when hovering over a point on a line graph. (SPL-49700)
  • Scheduled searches with summary indexing plus email alerts with conditions are not generating summary data. (SPL-47904)
  • If you create an alert with a condition of "once per result", an alert will always be triggered even if there is no matching alert condition. (SPL-49767)
  • Sendemail and python script commands fail on Windows 2008 with "ERROR script - External search command". (SPL-48993, SPL-48239, SPL-48064)
  • Installing an app from a downloaded file fails on Windows 2008 if the system time is changed from the default. (SPL-48214)
  • Error message unlinking on distributed search: "WARN ProcessDispatchedSearch - PROCESS_SEARCH - Error unlinking". (SPL-48732)
  • Several memory leaks relating to Windows inputs on forwarders. (SPL-48695, SPL-49248)
  • The phoneHomeIntervalInSecs entry is missing from the deploymentclient.conf.spec file, which causes an error message about typos to display during startup. (SPL-48417)
  • Exporting events in XML from the search jobs endpoint results in duplicate header lines. (SPL-48184)
  • DispatchReaper error "Failed to reap" when using search head pooling and duplicate serverNames. (SPL-48049)
  • AIX 32bit crash with signal 6 in SchedulerThread with search head pooling enabled. (SPL-47829)
  • Adding a Windows 2008 search head as a slave to a License Master fails with "invalid string format" when you do it from Splunk Web (but works if you do it from the CLI). (SPL-47789, SPL-48986, SPL-48786)
  • Search performance degrades when search head pooling is enabled and NFS request concurrency value (tcp_slot_table_entries) is exhausted. (SPL-47730)
  • Saved searches started by the scheduler should not send confirmation emails in addition to alert emails. (SPL-47705)
  • PDF server issues resolved in this release:
  • PDF Server App fails with the following error: "An error occurred while generating a PDF of this report: Failed to generate PDF: Appserver failed to dispatch report request to /services/pdfserver/renderpdf: Splunkd daemon is not responding: ('The read operation timed out',)". (SPL-48455)
  • Using the "preview PDF" feature doesn't work while the PDF is being generated and the PDF delivery times out. (SPL-48769, SPL-48609)
  • PDF Server: Remote PDF generation fails with "Timed out while waiting for a response". (SPL-49903, SPL-47547)
  • Charting and view/dashboard issues resolved in this release:
  • Gauge chart freezes up when charting.chart.rangeValues array includes non-incremented values. (SPL-49235)
  • Can't set gauge color ranges manually in panel editor in IE7. (SPL-49069)
  • Gauge ranges aren't parsed correctly when the number starts with a decimal. (SPL-47997)
  • Radio buttons for null value and drill-down are displayed on multiple lines in panel editor on IE7. (SPL-49068)
  • Pie Chart generates two layers for one result when splitSeries=True. (SPL-48940)
  • Scatter chart y-axis range can extend into negative numbers when it should stop at 0. (SPL-48864)
  • Chart properties that start with '#' or '@' are not escaped and show up twice. (SPL-48475)
  • The limit set for maxResultCount is not honored in advanced XML JSChart. (SPL-48048)
  • Other issues resolved in this release:
  • Indexing performance negatively affected by a large number of real-time searches. (SPL-48446) See this topic in the external wiki for more information.
  • Windows universal forwarder experiencing high latency when sending Windows Event Log data, resulting in high indexing latency. (SPL-40892)
  • With search head pooling enabled, Splunk Web navigation frequently times out and etc/users directories are constantly being scanned. (SPL-49501)
  • Search head pooling makes unnecessary system calls which stresses NFS servers at startup. (SPL-49541)
  • Export of data can sometimes reorder fields. (SPL-49227)
  • Indexer REST endpoints can take minutes to return. (SPL-49886)
  • A file monitor blacklist set to a NULL value ("blacklist = " in inputs.conf) results in all files for that input being blacklisted and therefore not indexed. (SPL-38750)
  • Splunk Web fails to start on Windows with error "Timed out waiting for splunkweb to start)" and errors in Windows Application Event Log like "File "C:\Program Files\Splunk\Python-2.6\Lib\subprocess.py", line 830, in _execute_childstartupinfo) is not a valid Win32 application" when a 0-byte Program.exe file exists in the C: directory. (SPL-43488)
  • Many real-time searches (especially real-time alerts) can slow indexing. (SPL-48446)
  • On Windows, uploading a new app from the manager returns "error processing the upload", changing a server to license-slave fails for "invalid string uri", and the sendemail script and email alerts fail. This occurs only if the user is not using the default server time zone in his or her profile. (SPL-48993)
  • Memory leaks in PipeToLogger. (SPL-48251, SPL-48254)
  • Splunk Web times out (and provides no feedback) on a search if it has subsearches that run for ~30s or longer, or if it's queued. (SPL-47908)
  • When running a search that contains a subsearch that runs for >30 seconds, Splunk Web holds a session lock (for example, you cannot open a new Splunk Web tab in the same user session). (SPL-48095)
  • Segmentation fault with fatal signal 11 crash in merging thread on SunOS due to an issue with TIME_FORMAT when using S2S input. (SPL-49025)
  • Crash with fatal signal 6 in TcpInputProcessor thread "Assertion `!eventIdCopy.empty()' failed". (SPL-48542)
  • Column width in sparklines can be inconsistent with large datasets. (SPL-48347)
  • Crash in AD Monitoring (splunk_admon.exe) when GUID is missing from the event. (SPL-47931)
  • Need an INFO message in scheduler.log when a scheduled search has been continued in the next timeframe. (SPL-44925)
  • When monitoring a large number of static small files, the forwarder sometimes fails to forward all of the events to the indexer(s) after restarting indexer(s). (SPL-39246)
  • Universal forwarder crash with signal 6 in TcpOutEloop on HPUX and Red Hat ES 5.5. (SPL-49491)
  • DispatchReaper.cpp could crash while printing an error if a pathname contains a '%' character. (SPL-48895)
  • Crash with fatal signal 6 in SchedulerThread at shutdown. (SPL-48107)
  • The /search.log endpoint doesn't work if it is a remote search run on behalf of a search head. (SPL-49130)
  • URL for sharing a saved search is truncated when saving the report. (SPL-48729)
  • Pressing Enter should act as "Continue" or "Save" in various Splunk Web wizards. (SPL-48482)
  • Traceback involving "NameError" when a required parameter is missing a value in a view. (SPL-48364)
  • Search UI activity status dashboard is not returning any results. (SPL-47933)
  • Splunk Web fails to start with SSL error on HPUX-PARISC. (SPL-47929)
  • Setting a null blacklist value for an input causes everything in the to be blacklisted. (SPL-38750, SPL-47703)
  • Metadata searches do not return row for large (~billions) values. (SPL-46755)
  • ERROR message in splunkd.log about virtual address space being too small should be changed to a WARN. (SPL-38715)
  • Subsearches that return more results than allowed by maxout should notify the user that the results are truncated. (SPL-37234)
  • "$SPLUNK_HOME/bin/splunk list monitor" misleadingly displays disabled inputs. (SPL-33280)
  • Action Document:
  • The File > Revert command would fail to update the window.
  • Restoring Symbolic Links:
  • The link's extended attributes would often fail to be restored correctly.
  • The link's BSD file flags would not be set if the file the symbolic link referred to did not exist.
  • The latter bug was particularly serious in Lion, where a lot of the symbolic links in the system are compressed. Compression is controlled by one of the BSD file flags; failing to set it would leave the link unusable.

New in Splunk 4.3.1 (Mar 6, 2012)

  • This release contains a fix for a security issue:
  • Reflected XSS in Splunk Web (SPL-38585)
  • For more information about this issue, refer to the notice about it on the Splunk Security portal.
  • We have updated OpenSSL to version 0.9.8t (CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2012-0050). (SPL-47440)
  • Priority issues:
  • This release contains a fix for this priority issue:
  • Events from 2/29/12 are not displayed in results from searches using relative day time boundary (-1d@d) on Windows, Solaris and AIX. (SPL-48724)
  • Other resolved issues:
  • Memory leak in process tracker. (SPL-48350)
  • Thread deadlock between PropertyPages and UserManager. (SPL-48156, SPL-47973, SPL-47905)
  • Memory leaks in lookups. (SPL-48046)
  • Crash when using 'show source'. (SPL-48009)
  • Choosing 'start new source type' in data preview uses props.conf values from previously auto-detected source type. (SPL-47198)
  • Can't re-log in to a Splunk Web session on IE9, session shows as expired. (SPL-46857, SPL-47467)
  • New default wildcard setting for value of proc in regmon-filters.conf. (SPL-46805, SPL-46844)
  • Flash vs nonflash charts do not display the same x-axis range. (SPL-46724, SPL-47495)
  • Error when inputs.conf contains an invalid tcp:// stanza is very unclear ("In handler 'raw': * specified in incorrect format. Please specify in : form"). (SPL-46697)
  • Error "Failed to index" (some number of events) when rebuilding rawdata. (SPL-45933)
  • Metadata searches (run when the summary dashboard is loaded in Splunk Web) are consuming a lot of memory. This issue is also discussed in detail on Splunk Answers. (SPL-45901, SPL-47087, SPL-47088)
  • The spath search command leaks memory when used on data of source type "twitter". (SPL-48387)
  • Changing a chart to remove the X-axis when the number of categories is above 80 will continue to remove the x-axis even if the categories are fewer than 80. (SPL-47503)
  • Upgrading an app using the "install app from file" option in Splunk Web fails. (SPL-47354)
  • Various apps, including the Search app, Splunk for Windows, the Deployment Monitor, and the Web Intelligence app are not working on German, Japanese, and Chinese versions of Windows. (SPL-47279)
  • When performing lookups, duplicate/redundant fields are added, causing high memory usage. (SPL-47239)
  • Fatal signal 6 crash in DispatchReaper when restarting Splunk if the DispatchReaper thread fails to properly parse a search artifact in the search dispatch directory. (SPL-47232)
  • Issue with timeformat setting assuming the leading "=" is part of the time format definition. (SPL-46840)
  • Indexer thread pool workers which are executing BucketMover:AsyncFreezer can get stuck doing statfs64() most of the time that they are picked up by pstack, which hammers the storage device. (SPL-46638)
  • When using search head pooling, lots of /etc/users directories makes conf/search startup very slow. (SPL-46568)
  • Sparklines over all time don't always render properly, and are sometimes blank. (SPL-46534)
  • The text field and drop-down menu in the Create alert panel are cropped. (SPL-46386)
  • Setting CHARSET in data preview has no effect. (SPL-46347)
  • When adding a forward-server from the UI using an IPv6 address as the host, duplicates are allowed (and shouldn't be). (SPL-46096)
  • Indexer using the Hadoop Connector app sees splunkd grow to several GB of RSS/Virtual size, exhausts available swap space. (SPL-46056)
  • High CPU usage when using universal forwarder in cloning groups where the UF is sending uncompressed data and the indexers are expecting compressed data. (SPL-46034)
  • Fatal signal 6 crash in universal forwarder MainTailingThread. (SPL-45418)
  • Incorrect date format for en-GB, it-IT, ja-JP, ko-KR, zh-CN, and zh-TW on the x-axis of summary and report chart and flash timeline views. (SPL-42469)
  • Saved search manager loses lookup populating fields it does not recognize. (SPL-42244)
  • A splunktcp input can become unacceptably slow when DNS resolution is slow, and connection_host is set to DNS. There is no warning logged anywhere. (SPL-41351)
  • Fatal signal 10 crash in DispatchReaper thread due to non-existent accessed physical address. (SPL-46028)
  • Fatal signal 11 crash on universal forwarder MainTailingThread. (SPL-39617, SPL-40409)
  • Search Head Pooling: segfault in PropertyPages when IConfCache gets bounced while _cacheLock held. (SPL-48070)
  • In Manager > Data inputs > Remote event log collections, the enabled/disabled banner message does not display the correct status. (SPL-45692)
  • Under Firefox 3.5 via Splunk Web's Manager > Access Control > Users to save a new user record, a banner message displays indicating: Your entry was not saved. The following error was reported: server abort. (SPL-47195)
  • The spath command does not correctly recognize and extract nested XML elements unless you list every element above the one you want to extract. (SPL-46890)
  • The like function is not accepting sub-functions. For example: | where A like(lower(B)). The workaround is to use the sub-function in an eval expression before | eval B=lower(B). (SPL-47213)
  • fstat incorrectly reports the size of the journal write to NFS, resulting in missing indexed data. (SPL-39590)
  • Unreasonable ViewstateReaper RAM usage with ~600 global app viewstates + 1000's of /etc/users. (SPL-48037)
  • Ubuntu zoneinfo causes Splunk timestamp to show 18 min and 48 seconds due to 01/01/1920 time change. (SPL-47828)
  • A view of an app cannot use the dispatch directory of a saved search, unless said search is within the content of the same app. (SPL-47771)
  • A non-working UDP input (for example if another process is using the same port) will cause a splunkd crash on Windows. (SPL-47539)
  • When a real-time windowed search has too many results in the window, disk is used as backing store. These files should be gzipped rather than straight csv to save space. (SPL-47462)
  • The upper() eval function is not identified as returning a string. (SPL-47447)
  • Non-flash chart with a real-time search is leaking memory. (SPL-47359)
  • Link to results from RSS goes to a different event in the result set than the link from an alert. (SPL-47240)
  • In Firefox 3.5, when saving new user record, displays red banner of "Your entry was not saved. The following error was reported: server abort." (SPL-47195)
  • The splunkd tcpinput seems to have trouble with "connection aborted" ECONNABORTED on first accept() -- tcp input stops calling accept() after this point. (SPL-47102)
  • The redirect to set up the Windows TA app directly after installing it fails because the app name is all lowercase. (SPL-47073)
  • Internationalization log warnings should be DEBUG-level messages. (SPL-47017)
  • Splunk Web shows a maximum of 100 indexes in the role permissions screens. (SPL-46879)
  • The default saved search "Messages by minute last 3 hours" no longer shows anything in default report. (SPL-46868)
  • IPv6 and syslog out (TCP or UDP) do not work well together; events are not received from forwarders. (SPL-46860, SPL-46859)
  • Using distinct_count as stats function for a sparkline causes search to fail. (SPL-46818)
  • Alert action: Script: runshellscript.py fails to escape special characters, and fails to pass full contents in an argument. (SPL-46735)
  • When configuring forwarding and receiving ( Manager » Forwarding and receiving » Forward data ), Splunk currently allows you to make duplicated IPv6 entries. (SPL-46676)
  • Data preview: clicking reset after applying an existing sourcetype clears the chosen source type. (SPL-46673)
  • Forwarding with SSL does not seem to compress the SSL stream. (SPL-46535)
  • Fatal signal 11 crash on Sparc with "No memory mapped at (some address) Crashing thread: MainTailingThread". (SPL-46421)
  • Fatal signal 10 crash on Sparc with "Unaligned memory access at (some address) Crashing thread: MainTailingThread". (SPL-46390)
  • User can browse an AD via Splunk Web but cannot connect via the CLI. (SPL-46411)
  • The license_usage.log can display blank values for the host value (h). This is causing reporting issues where customers rely on the host value to gather stats. (SPL-46372)
  • Drop down boxes overlap other drop down boxes in Edit visualization dialog box. (SPL-46301)
  • The init.d splunk script returns a useless error code (always 0) for 'status' command. (SPL-46273)
  • In the absence of a default "host" in inputs.conf, events indexed to _audit get "host=localhost". This is inconsistent with the "host" value for _internal. (SPL-46179)
  • The append command fails when the subsearch to which the results are to be appended produces an empty result set. (SPL-46175)
  • Data preview: the tree browser displays same folder twice. (SPL-46158)
  • WARN DiskMon - Potential performance issue: getting available disk space for partition (blockSignature index problem). (SPL-45990)
  • WARN DiskMon - Potential performance issue: getting available disk space for partition (forward slashes in indexes.conf on Windows). (SPL-44955)
  • Windows regmon ExecProcessor error in splunkd.log after clean install "No enabled entries have been found for regmon or procmon in the conf file" and the ERROR and INFO messages are on the same line. (SPL-45986)
  • Incorrect msg "Enabled localhost" is displayed even when the event log collection for localhost is disabled. (SPL-45692)
  • Treeview: tree grows in a loop when "Unable to connect to AD" error occurs. (SPL-45664)
  • 4.2.4 deployment-client unable to finalize install if /metadata/local.meta file is not present in the bundle. (SPL-45019)
  • Splunk is ignoring the whitelist hive path set in regmon-filters.conf and is indexing paths other than what is specified. (SPL-41561)
  • splunkd only reports the first bucket collision found in each index upon startup even if several conflicts exist. (SPL-39107)
  • When splunk diag fails, it should clean up temp files. (SPL-46226)

New in Splunk 4.3 (Jan 10, 2012)

  • Splunk 4.3 includes substantial improvements to the user interface and workflow. Enhancements include:
  • Charting controls integrated with timeline view
  • Drag-and-drop dashboard editing
  • Simplified workflow for saving searches
  • Unified "Create" button for alerts, reports, and dashboard panels
  • New "digest" field for grouping alert notifications
  • Integrated time range picker and search button
  • More accessible job control and job inspector buttons
  • Improvements to message banners
  • Non-Flash UI:
  • To improve support of iOS hand-held devices, Splunk Web now provides non-Flash chart and timeline display. This also improves printing quality. For more information about the non-Flash UI, as well as the circumstances that might cause Splunk to render charts in Flash.
  • Dashboard panel editor:
  • Splunk 4.3 exposes charting controls in a consistent UI that is accessible both from the dashboard and from the report builder UI, allowing you to discover and use this important feature more effectively. For information on how to use the dashboard panel editor.
  • Sparklines:
  • Sparklines are a technique to increase information density in tables by adding inline charts to specific cells. They are most commonly used to show time-based trends associated with the primary key of a given row.
  • Per-result alerting:
  • Per-result alerting allows you to define alerts that trigger based on single events rather than a group of events.
  • Real time backfill:
  • When you run a real-time windowed search, you can specify that Splunk backfill the initial window with historical data. This ensures real-time dashboards seeded with data on actual visualizations and statistical metrics over time periods are accurate from the start. For more information, refer to:
  • Bloom filters:
  • Bloom filters speed up keyword searches by ruling out buckets where a searched-for keyword doesn't exist before incurring the overhead of searching the buckets. For more information, check out:
  • Data preview (single file):
  • See what data sources are about to be indexed, to where, and preview how their event extractions will be handled by Splunk. Data preview makes it easy to test new sourcetypes and troubleshoot how Splunk will handle them. Data preview lets you see what you're getting, before you commit to an indexing strategy. For more information on data preview, check out:
  • Structured data field extraction (JSON, XML):
  • Increasingly, machine data is being generated in structured data formats such as XML and JSON. We've extended the Splunk search language to allow users to extract data from these structures in a straightforward way.
  • Per-user time zones:
  • Large deployments often include users in different timezones. These users want to see the data in the timezone they're in. Splunk now supports setting a time zone for each user.
  • Multi-domain LDAP:
  • Multiple domain authorization helps large IT departments overcome the challenges of expanding Splunk across departments where different AAA systems are in use. This also resolves issues where, due to the risk of circular references, Splunk isn't able to follow referrals from one LDAP system to another safely.
  • IPv6:
  • Splunk supports using IPv6 addresses for all network activity, including data forwarding and splunkweb. Users can use Splunk transparently as they migrate their network to IPv6 and can leverage their existing IT Search deployment and experience for problem solving, alerting and reporting even during changes to the core networking technologies that run their environments.
  • 508 Compliance:
  • We've done some work to make Splunk Web more accessible for the visually-impaired.
  • Splunk Developer Portal and REST API Reference:
  • Splunk for Developers is live. Learn how to extend Splunk with the App Framework and how to build your own applications using the Splunk REST API and SDKs. The Splunk REST API Reference is also available as part of the Splunk doc set.

New in Splunk 4.2.5 (Dec 16, 2011)

  • Addresses two vulnerabilities:
  • Reflected XSS in Splunk Web. (SPL-44614)
  • Remote Code Execution in Splunk Web. (SPL-45172)
  • Directory Traversal in Splunk (SPL-45243)
  • Resolved issues:
  • The action.email.format and alert.track settings in savedsearches.conf are wrong after upgrading to 4.2.2 and editing the search from Splunk Web (SPL-41470, SPL-41589, SPL-45645)
  • A saved search in Manager with the email alert format set to "plain" sends an alert with a CSV attachment. (SPL-46119)
  • On AIX, if the hard ulimit on the number of open files is unlimited for the user running splunk (ulimit -nH) and if a limit on the number of file descriptors is set up in limits.conf (max_fd >0), then the instance will crash. Workaround is to remove the max_fd limit from limits.conf. (SPL-44589)
  • Results (results.csv.gz) do not always exist for rt-rt (all time-real time) searches. Workaround: make earliest relative value to rt, for example, rt-5m. (SPL-44412)
  • Search assistant does not work for custom search commands. (SPL-43608)
  • Adding perfmon inputs does not create perfmon.conf during installation on a 64-bit Windows universal forwarder. (SPL-37330).
  • Memory leak when a user is removed from an LDAP group but still has saved searches used in dashboards. (SPL-39620)
  • Splunk 4.2.4 on AIX crashes when a local limit on the number of open files is set with max_fd in $SPLUNK_HOME/etc/system/local/limits.conf and the hard limit for the user is unlimited. (SPL-44589, SPL-41777)
  • On Internet Explorer 9, the flash timeline does not always render events. (SPL-43209)
  • The bin search command does not override the default required_fields_list setting, which causes Splunk to extract all fields even if field discovery is turned off (including when search is run in a dashboard or advanced search). (SPL-44302)
  • Splunk Web crashes with a 404 error if it receives a cookie with an @ sign in the name. (SPL-44716)
  • Changes to a saved chart do not appear for other users. (SPL-36948)
  • Interactive field extractor throws an exception when the splunkd process passes malformed XML. (SPL-38624)
  • If you modify the permission of an existing saved search in Manager>Searches & Reports and save the changes, Splunk Web displays the main Manager view again instead of Searches & Reports. (SPL-42434)
  • In a distributed search, the timeline will not show any events if you drill down to a level where one bar equals one millisecond. (SPL-39855)
  • In a new app, lookups are not shared by default. (SPL-40676, SPL-46085)
  • On a Windows 64-bit installation, the perfmon collector ignores lines in perfmon.conf relating to % Processor Time. (SPL-43492)
  • Real-time alerts sometimes pass the path for a missing result file to the alert scripts. (SPL-44412)
  • If you are viewing multi-line data and you click Show all lines or Collapse back to 10 lines, Splunk Web sometimes displays a different event. (SPL-43201)
  • In a two-tier forwarding configuration, Windows event logs are not sent to the indexer. (SPL-42674)
  • When forwarding is blocked in a cloning configuration, using add forward-server via CLI or Splunk Web does not reliably reconfigure the forwarder. (SPL-44247)

New in Splunk 4.2.3 (Aug 10, 2011)

  • Resolved security issues:
  • Splunk version 4.2.3 addresses two vulnerabilities:
  • Splunkd Remote Denial of Service Vulnerability (SPL-40645)
  • SplunkWeb Reflected Cross-Site Scripting Vulnerability (SPL-40804)
  • Resolved issues:
  • Error message "Search results might be incomplete!" when using distributed search and searching against peers running major versions (4.1, 4.2, etc.). (SPL-41819)
  • End-of-stream error for distributed real-time search that includes a summary index residing on the search head only. (SPL-41438)
  • When searching in real-time, events backfilled in the event viewer are in the wrong order. (SPL-40724)
  • The file system change monitor (fschange) hash does not work on binary files. All binary files have hash="YvZ8N4q5I5IBpf2sX4GLULPN48YUu9rPH998/FmA/wI=". (SPL-40706)
  • SingleValue module text disappears after several minutes when the modules are driven by a real-time saved search. (SPL-40424)
  • Lowering the value of homePath.maxDataSizeMB in indexes.conf will usually freeze more buckets than is correct. (SPL-40220)
  • Splunk Web running on an HP-UX system can be slow or time out. (SPL-40167,SPL-40167)
  • If a search contains tags that don't exist and is piped to another search, Splunk acts as though you searched for *. (SPL-40024)
  • Sporadic error message "Reading error while waiting for peer WMA-PC. Search results might be incomplete" when using distributed search. (SPL-36872, SPL-39991)
  • To introduce a new Mako layout template, you must place it in $SPLUNK_HOME/share/splunk/search_mrsparkle/templates/view/ , which makes it very difficult or impossible to package templates with apps. (SPL-34615) (Starting in 4.2.3, an app renders templates out of /appserver/templates.)
  • Crash on shutdown in indexerPipe thread on SunOS. (SPL-41384)
  • High memory footprint for universal forwarder on HPUX. (SPL-39100, SPL-41113)
  • When an app using an auto-refreshed HiddenSavedSearch module that runs a real-time search resides on a search head in one timezone but Splunk Web is in use in a significantly different timezone, the last refreshed time seems to go backwards in time. (SPL-41089)
  • Saved search or email alert embedded links for viewing search results return "403: Authorization Failed" for non-admin users despite the user's permissions to manually run the saved search or view the results. (SPL-41061, SPL-40451, SPL-39002)
  • The misc_text source type should be removed from the inputs page in Splunk Web (but is still available if specified explicitly). (SPL-40881)
  • Sometimes when a search returns no events, it erroneously displays the "Waiting for data..." message instead of the "No matching events found" message. (SPL-40778)
  • Memory leak resulting in a crash when lookup content being replicated is too large. (SPL-40757, SPL-40647)
  • Hosts that are not part of any server class (by use of whitelist) are incorrectly displayed in the server class status in Manager. (SPL-40731)
  • Show source search process can use up to 99% of CPU and keep it for long periods of time. (SPL-40426)
  • An archived file cannot be re-indexed even if you clean the index first. (SPL-40264)
  • Dynamic lookup tables are generated as gzipped csv files when the output was requested as plain csv, resulting in errors because the path to the file that Splunk uses assumes a plain csv file. (SPL-40222)
  • Error messages about "end-of-stream" and DistributedBundleReplicationManager on Windows instances. (SPL-40210)
  • Scheduled search crashing with fatal signal 11 in dispatch thread. (SPL-40672, SPL-40036)
  • Slow indexing performance for syslog data containing a large number (100K+) of different hostname values. (SPL-40006)
  • Search crash with fatal signal 6 in dispatch thread. (SPL-39924)
  • Upgrade of the *Nix app from 4.1.x fails with permission errors. (SPL-39876)
  • The SoftWrap module does not work with the ShowSource module
  • The link from the saved searches and reports to the alert manager page takes you to an empty page. (SPL-39804, SPL-38023, SPL-39523)
  • When installing a universal forwarder on a Windows machine, the expected attributes for the WinEventLog stanza(s), as defined in the Windows app, are missing from inputs.conf. This can cause confusion as to whether or not the universal forwarder is properly monitoring event logs. (SPL-39592).
  • Splunk Web fails to start after upgrade when you are using self-signed certificates. (SPL-38027)
  • When using Splunk Web to add (or edit) a scripted input with an interval of 0 or -1, the following error is displayed in the message bar: "Encountered the following error while trying to save: In handler 'script': Parameter interval: Must be a positive integer." (SPL-37569)
  • Running splunk clean eventdata or splunk clean all doesn't remove the fsck check token, which results in misleading error messages on startup about needing recovery. (SPL-37472)
  • Need update on Win32, AIX, HPUX for Russian DST rule change in 2012. (SPL-37324)
  • ja_bridge.js error when loading dashboard pages via Internet Explorer. (SPL-36977)
  • Specifying the number of events to show in a simple xml dashboard does not work. (SPL-32968)
  • Results using the perc* and median functions for stats/chart/timechart are off by 1 rank. For any dataset larger than a few hundred values, the error is negligible or non-existent (because the value at rank N and at rank N+1 are very likely to be the same or very close to being the same). (SPL-40331)

New in Splunk 4.2.1 (Apr 20, 2011)

  • Security issue resolved:
  • A reflected XSS exploit was resolved in Splunk Web. For more details about this issue, refer to this issue's page on the Security portal. (SPL-38585)
  • Resolved issues:
  • Epoch timestamps not parsed correctly after March 12, 2011. (SPL-37992)
  • In rare cases, concurrent hash table and string length collisions for metadata field values can cause index-level metadata files to grow to very large sizes, up to several gigabytes. (SPL-38464)
  • Splunk Web fails to start if the SPLUNK_HOME path in splunk-launch.conf ends with a directory delimiter ("/" for Linux or "\" for Windows). (SPL-38054)
  • Splunk Web can become unresponsive due to excessive session/lock files in var/run/splunk. Removing the lock files and restarting Splunk will resolve the issue. (SPL-37409)
  • The error "'SearchOperator:loadjob': Cannot find artifacts within the search..." is written to splunkd.log on the first run of an alert that includes the 'rises by' or 'drops by' conditions, although the search executes correctly. This is because there can be no change in the value on the first run of the search. (SPL-33432)
  • If when saving a search, a user gets the error message: 'Cannot find viewstate with vsid=' it means that the user doesn't have sufficient permissions to save viewstates to the app. (SPL-37874)
  • If you are using distributed search and your Splunk installation is not on the same partition as your indexes, you may see issues where you run out of disk on the indexer if you run searches that return a very large number of events (such as for *). (SPL-37799)
  • Using "show source" from a 4.2 search head against a 4.1.x index doesn't remove subseconds properly and causes the surrounding search to fail. (SPL-37776)
  • An error "Failed to fetch data : In handler 'win-perfmon-find-collection': bad allocation" is displayed when trying to add Performance Monitoring counters as inputs installed on non-English Windows server. (SPL-37560)
  • If you create and delete keys which have Chinese names in the Windows Registry, in Splunk, the events don't show the Chinese names. (SPL-22148)
  • When viewing Splunk Web in English, a caching issue can cause Chinese text to be displayed. (SPL-37917)
  • The Windows 4.2 lightweight and universal forwarder parses WinEventLog datastreams on the forwarder, preventing all parsing control on the indexer. The symptoms of this are: no filtering nor routing to the nullqueue based on props and transforms. (SPL-38443)
  • A migration from 4.1.x to 4.2 on Windows replaces %SPLUNK_HOME%\etc\apps\windows\default\*.conf files with *.conf.in filenames. Work around this issue by first backing up the configuration files for your existing Windows app's local directory, then download and install the latest Splunk for Windows app from Splunkbase. (SPL-38402)
  • Events from Windows Event logs line break at random positions. Work around this issue by editing the value of LINE_BREAKER in $SPLUNK_HOME/etc/system/default/props.conf and specifying ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) as the value. (SPL-38325)
  • Splunk Web shows Event Log Collections that were enabled in 4.1.x as going to index=None, although it is actually going to the default index. (SPL-37529)
  • Setting restartSplunkd=true on a Windows deployment client causes an error: "Exception: , Value: [Error 6] The handle is invalid" to be written to the Windows Application event log. (SPL-37439)
  • The splunk list index command returns a segmentation fault. (SPL-37796)
  • Distributing a search to a Free version of Splunk gives a "version mismatch" warning. (SPL-37167)
  • Deployment manager shows extra (not real) forwarders because of empty fields in metrics.log. (SPL-37264)
  • Occasional universal forwarder crash in TcpOutEloop. (SPL-37491)
  • Forwarder crash with 'TcpOutputClient::decrementRefCount(): Assertion `_refCount > 0' failed'. (SPL-38776)
  • If upgrade from 4.1.x to 4.2 fails and "An error occurred: Failed to run splunkd rest" is displayed during the migration process, it is possible that the *nix app failed to migrate. (SPL-38651)
  • A warning message ("Skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block") is displayed in Splunk Web due to congestion in queues (most often tcpout-queue) (SPL-37407)
  • An error ("ERROR IndexProcessor - 'homePath' tag required in config for index sample") stops migration process when upgrading from 4.0 to 4.2. (SPL-38061)
  • The splunkd process crashes on startup if a bucket's metadata is corrupt. (SPL-36595)
  • Migration from 4.2 should check for metadata corruption. (SPL-38730, SPL-38738)
  • New 4.2 installations use serverName that does not agree with 4.1.x versions. (SPL-38563)
  • New 4.2 installations on Windows use $COMPUTERNAME rather than hostname for value of host. (SPL-38561)
  • Universal forwarder changes capitalization of the hostname and the UI now displays two hosts. (SPL-38141)
  • Search Head Pooling gets error of "end-of-stream" in the app view if the app is located not only in the shared mount point, but also in etc/apps. (SPL-38485)
  • Upgrading from 4.1.x to 4.2 overwrites existing Windows and *Nix app config files with files ending in .in. (SPL-38402, SPL-38340)
  • Crash in HTTPRequestHandlerThread in splunkd when enabling the *Nix app (SPL-38260)
  • Splunk Web en-US/paths URL is returning "IndexError: list assignment index out of range". (SPL-38100)
  • Can't use the Services.msc interface to restart Splunk Web on Windows after changing caCertPath, changes don't get picked up properly. (SPL-38027, SPL-35732)
  • Mako runtime error when upgrading from 4.1.x to 4.2 on PPC Mac. (SPL-38026)
  • Getting an error "ERROR IndexProcessor - calling getPolicyByDomain, but not a read-only IndexProcessor." in splunkd.log since upgrading to 4.2. (SPL-37994)
  • Universal forwarders accept and spawn search processes that crash with a lot of PROCESS_SEARCH WARNs in splunkd.log. (SPL-37978)
  • Splunk generating a lot of dmp files from splunk-admon.exe crashing. (SPL-37898)
  • Search head peers drop off the list of known search head peers in Manager if authentication against that peer fails. (SPL-37754)
  • The splunkd.log fills with 2 ERRORs every 5 seconds once minimum free disk space reached. (SPL-37616)
  • Table command adds a bunch of empty fields at the very end of running the search. (SPL-37500)
  • Queue full with raw TCP input causes a hang and unclean shutdown when doing index-and-forward. (SPL-37465)
  • Banner message "skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block" when there is no congestion. (SPL-37407)
  • splunk-optimize doesn't identify bad tsidx when it finds one. (SPL-37107)
  • No error messaging displayed to users if SSO login fails. (SPL-30884)
  • Upgrade of SplunkLightForwarder and SplunkForwarder tries to launch Splunk in browser at the end. (SPL-25676)

New in Splunk 4.2 (Mar 15, 2011)

  • Real-time alerting
  • Universal forwarder
  • Administration enhancements
  • User interface simplification
  • New visualizations
  • Speed improvements
  • New OS support
  • New Search Commands

New in Splunk 4.1.7 (Feb 12, 2011)

  • Security issues:
  • A number of cross-site scripting vulnerabilities in Splunk Manager have been resolved. (SPL-37227, SPL-37226, SPL-35709, SPL-34355)
  • A CRLF injection vulnerability has been resolved. (SPL-35710)
  • Unsorted issues
  • Some data sources that don't contain a specific year in their timestamps may have been indexed incorrectly in the hours between the UTC New Year and local time-zone New Year (SPL-36642)
  • The 32-bit version of the Splunk heavy/full forwarder will reindex events if more than 2.2 billion events are received without doing a restart. (SPL-34726)
  • Interactive field extractor (IFX) has trouble saving field extractions for host, source types, or sources containing embedded backslashes. The most common case for this problem is Windows file paths for file-based input (source). (SPL-32303)
  • Trying to export events when lots of fields are selected can fail. (SPL-34380)
  • Events Viewer row numbering duplicated with real-time search. (SPL-36536)
  • An invalid lispy query is generated for some search patterns. (SPL-36393)
  • Splunk Launcher CLI crashes when HOMEPATH env variable not set. (SPL-36206)
  • Splunk.Module.ViewRedirectorLink popup parameter does not open a new window. (SPL-35681)
  • Windows 32-bit build search for large buckets does not reliably produce results; caused by default of 4GB buckets in main index. The default value has been changed to 1GB. (SPL-35632)
  • HTML characters such as > are not correctly escaped in alert emails, resulting in the end of the email being cut off. (SPL-33510)
  • The Mako package shipped with Splunk has been upgraded to version 0.3.6. (SPL-36013)
  • Regexes generated by Splunk's regex generator are now utf8-aware. (SPL-36304)
  • Javascript error in Firefox when scheduled saved search name has apostrophe. (SPL-36155)
  • SSO and PDF debug page in Splunk causes server to be unresponsive during pdf creation. (SPL-35962)
  • PDF debug/pdf endpoint can't work when web.conf root_endpoint is set. (SPL-36903)
  • Splunkd will overwrite the target of a symbolic link at /etc/init.d/splunk when running enable boot-start. (SPL-35794)
  • Splunk doesn't extract the following timestamp properly when there is a missing preceding "0" in the hour such as, "2009/08/19 0:00:28". (SPL-35774)
  • The hideChildrenOnLoad = true setting is not honored in ShowHideHeader Module. (SPL-35549)
  • Many bugs in Windows Registry and AD monitoring have been resolved. (SPL-35457)
  • MAX_TIMESTAMP_LOOKAHEAD generates invalid UTF8 if byte-cut boundary falls mid multi-byte character. (SPL-34936)
  • Splunk Web reports no errors & fails to work when decrypting SSL key fails. This is because certs with passphrases are not supported. (SPL-34126)
  • A splunkd crash on AIX in SelfPipe has been resolved. (SPL-34034)
  • A crash on HP/UX in the parsing thread has been resolved. (SPL-32703)
  • Backslash in template string fails (doubles) in simple form search. (SPL-33879)
  • The header option in the diff command returns an error: Error in 'diff' command: Invalid argument 'header=T'. (SPL-31877)
  • The lightweight forwarder erroneously complains on startup about _audit index being disabled. (SPL-30939)
  • Crash of CLI with incorrect command using equal (=) sign. (SPL-36246)
  • Setting enableSplunkdSSL to anything else but a boolean/0/1 causes Splunk Web to timeout. (SPL-36497)

New in Splunk 4.1.6 (Dec 2, 2010)

  • OpenSSL has been upgraded to 0.9.8p to address CVE-2010-3864 (SPL-35573)
  • Splunk can lose track of "source" information when monitoring compressed files. The splunkd.log file will show an error similar to "The event is missing source information". (SPL-34357, SPL-31578)
  • Pressing Enter on the interactive field extractor (IFX) "Save Field Extraction" form closes the form and does not save the field extraction. (SPL-30419)
  • Alt+Click does not include the escape character "\" when it's needed. (SPL-32934)
  • Splunk Web may gradually degrade in performance if the number of concurrent active requests is greater than the thread threshold's earlier default value of 10. This can result in users being unable to log into a new web session. (The value of server.thread_pool under the [settings] stanza in $SPLUNK_HOME/etc/system/local/web.conf has been raised to 50.) (SPL-33305)
  • Setting a large number of role attributes via Splunk Web may remove settings for that role. Setting of capabilities is not affected. (SPL-34412)
  • PDF printing is limited to only the admin user. (SPL-33953)
  • Using the CLI to perform a distributed search to Windows Server 2008 R2 with a bundle having more than 8 lookup files fails. The same operation hangs when you use Splunk Web. (SPL-33572)
  • The xmlkv command limited to 50K results. (SPL-33841)
  • There's a misleading success message if you edit a field alias and you don't have the correct permissions (and your changes are not saved). (SPL-35152)
  • Splunk Web audit log now logs username when they log out. (SPL-34384)
  • The diff command no longer supports the -tofile argument. (SPL-33884)
  • A crash in Splunk Web/CherryPy that writes "root:120 - ENGINE: Error in HTTP server" in the web-service.log has been resolved. (SPL-33322, SPL-33740)
  • ADmon does not retrieve all the contents if the number of records in Active Directory is more than ~1000. (SPL-34805)
  • Unauthorized users can create Windows Event Log inputs; an error message stating the addition failed is displayed, but the input is created. (SPL-34757)
  • Users with edit_user capability can now list users. (SPL-34745)
  • Running a real-time search that uses a lookup table over a long period (

New in Splunk 4.1.5 (Sep 11, 2010)

  • Security issues:
  • For additional details about the first two security issues in this list, visit the Splunk Security Portal page about them.
  • Splunk's XML parser is vulnerable to XXE. (SPL-31061)
  • SPLUNKD_SESSION_KEY parameter allows session hijacking (SPL-31094)
  • We'd also like to thank Les Fenison and Atomicorp for alerting us in such a pleasant manner that our libcrypto.so is compiled with executable stack. This has now been resolved. (SPL-33103)
  • CLI and configuration file issues:
  • NO_BINARY_CHECK did not correctly allow you to index data that Splunk would otherwise reject as binary, and CHARSET settings based on the source or pathname of files now operate correctly again. (SPL-32979)
  • Bug with lookup local=t when used after inputlookup append=t. (SPL-33234)
  • No way to blacklist large lookup files from being replicated (no way for an app to specify that some of its files are not to be replicated). (SPL-33144)
  • Splunk crash logs fail the CRC check - need a timestamp added to the output. (SPL-32464)
  • The output csv command is not producing all the results from the CLI. (SPL-31976)
  • The meta::all command has been removed. The exporttool utility now works properly with or without it. (SPL-33413)
  • Add an option that allows users to exclude certain files from the diag tarball. Refer to "Contact Support" in the Admin Manual for details. (SPL-26717)
  • The -raw option for the CLI output command is not supported and should be removed from the help. (SPL-30404)
  • The runshellscript command is undocumented in searchbnf.conf. (SPL-33112)
  • Some lists returned by Splunk's CLI (for example, splunk list users) only return 30 results. (SPL-32710)
  • Case-sensitivity of EVT file recognition stanza in default props.conf doesn't account for files with full or partially capitalized file extensions. (SPL-32927)
  • The default value of receiveTimeout in distsearch.conf is now 600 (10 minutes). (SPL-32904)
  • Search and scheduled alert issues:
  • Searches for eventtype=* throw parsing errors when the *Nix app is enabled. (SPL-32957)
  • With unix app enabled, search for eventtype=*, the search inspector doesn't work. (SPL-32951)
  • The eval command causes splunkd to crash in the dispatch thread when you leave a string empty. (SPL-32881)
  • The eval command now has a tonumber() function to go along with the existing tostring() function. (SPL-32869)
  • Error in 'UnifiedSearch': unable to parse search 'Missing RHS for OR'. (SPL-32258)
  • Intentions adding "None" when you use the reverse search command. (SPL-31779)
  • Events Table shows only event counts during high real-time event frequencies. (SPL-31774)
  • Using the string "::" in a field value was breaking the search, even when the field name string is double-quoted. This behavior will still work, but is deprecated (message will read "Use of "::" (with double quotes) is deprecated. Please use ="" instead."). (SPL-31728)
  • Distributed search error - "Not a Splunk Server". (SPL-31279)
  • Getting an error in subsearches that use Python search commands. (SPL-31773)
  • Splunk Web and Manager issues:
  • Manager always shows 30 for files and directories. (SPL-32356)
  • The time range picker displays only the first 30 items in the list. (SPL-32769)
  • "setup" action of an app leaves you in another app's UI context (which prevents application.js from loading). (SPL-32275)
  • With few results windowed, real-time search does not show results in EventsViewer. (SPL-32132)
  • Drilldown on field where fieldname contains spaces doesn't work - fieldname not quoted. (SPL-32202)
  • Link to "Add more data" in Search app dashboard returns an ERROR page when root_endpoint is set. (SPL-32106)
  • "Cannot find viewstate" error after moving a saved search from one app to another. (SPL-31004)
  • When you filter a list of objects in Manager by app context or owner, then perform an operation on an object in the list, the filter is reset. (SPL-27623)
  • Inputs and indexing issues:
  • TailingProcessor INFO logging is much too chatty. (SPL-33126)
  • LWF internal logs are included in 'per_host_thruput' metrics. (SPL-30936)
  • Adding an input directory without the trailing slash can produce an error: "Encountered the following error while trying to save: In handler 'monitor': Path must be absolute." (SPL-30011)
  • PDF Server app issues:
  • PDF Errors with "Failed to start: Check that all Firefox dependencies are met" (SPL-31234)
  • Fonts in PDF server are unreadable. (SPL-31790)
  • PDF debug page does not work if SSL is turned on. (SPL-33440)
  • PDF Server fails to start on Ubuntu 10.04 if libgnome-ui is installed. (SPL-33199)
  • Unsorted issues:
  • Crash in merging thread with error "Crashing thread: merging". (SPL-33351)
  • Crash in "BatchReaderTPoolWorker-0" thread after a few minutes of uptime following upgrade from 4.0.3 to 4.1.4. (SPL-32956)
  • Splunk now includes support for Chinese AM/PM (上午 / 下午) to date parser. (SPL-32826)
  • Upgrade from 4.1 to 4.1.3 deletes batch script files from %SPLUNK_HOME%\bin\scripts. (SPL-32713)
  • Crash caused by ID conflicts when moving from warm to cold, with "DatabaseDirectoryManager - Splunk has detected that a directory has been manually copied into its database, causing id conflicts" error in splunkd.log. (SPL-32602)
  • Web Client Error Caused by Form Name Reference in getFormValues. (SPL-32476)
  • Splunk migration should not modify the existing startup type property for the Windows services of splunkd or splunkweb. (SPL-32313, SPL-31582)
  • Cert generator (genRootCA) script is missing on Windows. (SPL-32133)
  • Memory Leak in tailing for excluded files (whitelist/blacklist). (SPL-31745)
  • Modules in lister can be configured to pay attention to outer intentions, but not to outer time ranges. (SPL-31706)
  • Upgrade from 4.0 -> 4.1 leaves stale data_extractions.xml in etc/apps/search/default/data/ui/manager/ (SPL-31174)
  • Some 'form search' visual styling elements and contextual styles rely on custom css that only comes with the Search app. (SPL-29816)

New in Splunk 4.1.4 (Jul 21, 2010)

  • Security issues:
  • A new configuration option, allowRemoteLogin, has been added to server.conf to disallow remote CLI and REST API login access by default. If you are running Splunk Enterprise and have not changed the default password, remote login is disabled by default for the admin user. If you are running Splunk Free, remote access via the CLI is disabled by default and allowRemoteLogin must be set to always to allow remote login. (SPL-31301)
  • Search and scheduled alert issues:
  • Summary search is executed with different search string when run from the scheduler or from Splunk Web. (SPL-31729)
  • HTML results in email alerts do not properly sort fields. (SPL-28474)
  • A subsearch's maxresult is limited by [format]'s maxresults setting in limits.conf. Default is 100. (SPL-31669)
  • Resurrection issue (saved searches, dashboards) with searches that use | sort with multiple arguments. All arguments past first arg are dropped on resurrect (SPL-30980)
  • When running several searches in parallel, subsearches in append sometimes die. (SPL-31686, SPL-31791)
  • Searching through a bucket with one or more events in the distant future (such as 2012) can cause no results to be returned unless 'over all time' is selected. (SPL-28444)
  • The audit.log contains random search_ids for saved searches that have been run manually. (SPL-29566)
  • When you save a top or rare search with the argument showperc, the showperc argument disappears when you run the search. (SPL-27694)
  • Can't export csv results when viewing search artifacts. (SPL-31534)
  • | crawl doesn't work from the commandline because it's passed an invalid sessionKey. (SPL-31148)
  • Scheduled search doesn't show events/results in RSS feed or on dashboard, but if you look at recent job artifacts, there are events/results. (SPL-32166)
  • Equality comparisons do not work on _time field. (SPL-31953, SPL-28698)
  • The "outputlookup" search command doesn't work if var/run/ is on a different volume from etc/apps. (SPL-31765, SPL-31130)
  • Inconsistent results in distributed search environment due to receive Timeout requires display of error in Splunk Web. (SPL-31659)
  • Real-time search falls behind when handling thousands of events when the time window is >30 seconds. (SPL-31380)
  • Alert errantly triggered when "Streamed search execute failed". Search failure should not assume "0 events". (SPL-31318)
  • Off by one error involving the earliest time in the dataset when searching across multiple indexes. (SPL-32727)
  • Fields referenced in a subsearch do not get extracted. (SPL-32669)
  • Column order not kept in email attachment. (SPL-31698)
  • Splunk Web and Manager issues:
  • The Indexing Volume view in the Search app has been improved to include a license volume dashboard. (SPL-31447, SPL-32195)
  • Setting the default app for user or role from Splunk Web fails because Splunk creates the setting under the wrong stanza, [general]. The correct stanza setting is [general_default]. (SPL-31580, SPL-30790)
  • No warning message is displayed when a license violation is committed. (SPL-29454)
  • Uploading a too-large ( > 500MB) file (such as a lookup table) via Splunk Web fails without an error. (SPL-30595)
  • Making any changes to an existing automatic lookup table in Manager (or hitting Save on an existing configuration without making any changes) leaves garbage behind and creates undesired configs in props.conf. (SPL-30617)
  • When accessing the "Longest Running Logins" and "The Most Frequent Logons" searches from the Windows app, Splunk displays an error about the keepevicted flag being required. (SPL-30350)
  • Timeline in the Windows app is overly compressed. (SPL-29932)
  • There is no notification in Splunk Web that a job has expired or been deleted when you try to interact with the job elsewhere in Splunk Web (SPL-30114)
  • Chart/table drill down goes to an incorrect follow-on search when using discretized ranges in a chart. (SPL-29571, SPL-30553)
  • When a chart displays an "NULL" bucket of values, drilling down into it adds myfield="NULL" to the search string. (SPL-30400)
  • On the Field Transformations page in Manager, "Delete" links are not presented for objects that are deletable but not editable. (SPL-30899)
  • When using real-time search, various display issues sometimes occur with the timeline, fields picker, and the events view. (SPL-29400)
  • Drop-down menus are obscured by selected values in fields onscreen on IE6. (SPL-30056)
  • Clicking on an event term in Splunk Web to add it to the search fails when the term ends with a parenthesis. (SPL-30465)
  • Event type builder save-window produces strange behavior in Firefox. (SPL-30104, SPL-30103)
  • Pressing Enter on the event type builder "Save Event Type" form closes form and does not save the eventtype. (SPL-30407)
  • Creating a tag with uncommon characters results in undesired behavior such as duplicate tags. (SPL-26414)
  • Consistent redirect to login page when running searches in Splunk Web. (SPL-31268)
  • Running a Nessus scan against the Splunk Web port causes Splunk Web to become unresponsive. (SPL-30877)
  • Drill down rewrites your "not" to become "NOT", breaking your search. (SPL-31862)
  • Users without admin privileges can access some admin-only pages via the URLs. (SPL-31838)
  • Splunk Web keeps spinning after login and becomes unresponsive, due to bad dispatch_quota-retry logic. (SPL-31643)
  • "Export results" to CSV from Splunk Web breaks when column names contain spaces. (SPL-30825)
  • Fields no longer show in events viewer in IE8. (SPL-31511)
  • Inputs and indexing issues:
  • WinEventLog:Security logs stop indexing with splunkd.log reporting: ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security'. (SPL-31339)
  • WMI collection time counters are rounded to whole numbers. It's not possible to improve the precision on the log events time counter, but the performance data can be brought up to sub-second precision. (SPL-28456)
  • Default auto header extraction (CHECK_FOR_HEADER) is not consistently maintaining sourcetypes when there is no change in the header. (SPL-30466)
  • The MAX_DAYS_AGO setting sometimes fails to ignore timestamps beyond the set parameter. (SPL-27817)
  • File system change monitor does not work and generates a "Monitoring file or directory that doesn't exist at startup time" in splunkd.log when you monitor the root directory. (SPL-27107)
  • If you configure two different indexes with the same paths to the cold and thawed dbs, Splunk will crash, even if one of the indexes is disabled. (SPL-29281)
  • Support has been added for parsing epoch timestamps in hex. (SPL-32183)
  • Monitoring storage with slow stats (eg CIFS/SMB network filesystem Windows) appears to stall. (SPL-31702)
  • Default value of 'localhost' not there anymore for WMI inputs. (SPL-31619)
  • A "Failed to initialize checkpoint" error for Windows Event Log indexing was resolved. (SPL-31339)
  • splunk-admon is not collecting baseline events after startup. (SPL-32393)
  • Windows inputs in Manager are enabled on Unix. (SPL-32287)
  • CLI and configuration file issues:
  • The locktest utility should produce human-readable output. (SPL-27664)
  • Version number on all conf/spec/example files is 4.0. (SPL-30714)
  • The value of maxlen in limits.conf is ignored, which can result in poor performance over long events. (SPL-30080)
  • Running splunk _internal command rebuild-metadata against non-existent index crashes splunkd (SPL-31072, SPL-31284)
  • Generating a diag on a Japanese language OS can generate a "type 'exceptions.OSError'" error. (SPL-27271)
  • indexes.conf.spec says the default value for maxMemMB is 50, but actually it's 5 (20 for main). (SPL-31882)
  • limits.conf.spec needs to be updated with correct default value for dispatch_quota_retry. (SPL-31681)
  • splunk add search-server fails if 'source setSplunkEnv' not run and SPLUNK_HOME crosses a symlink. (SPL-31476)
  • splunk diag fails when you have index names with "Path" in the name. (SPL-30804, SPL-32740)
  • Real-time search does not work when SPLUNK_BINDIP configured. (SPL-32549)
  • KV_MODE is specified in transforms.conf in $SPLUNK_HOME/etc/system/default and should only be in props.conf. (SPL-32254)
  • Unsorted issues:
  • If the disk Splunk uses fills up, eventually users will not be able to log in because the audit log cannot be written to. (SPL-30162)
  • If a single scripted authentication request hangs, no other authentication requests can be served until the original process is killed. (SPL-30265)
  • Splunk Windows services (both splunkweb and splunkd) are installed by default with Startup Type set to "automatic", which means that if you have deployed light forwarders on Windows and haven't explicitly set Startup Type to "manual", the splunkweb process gets started every time you reboot your forwarders. (SPL-22434)
  • Migration from 3.4.x to 4.1 should handle the enabling/disabling of apps correctly. For example, Splunk Desktop is automatically enabled in 4.1 but was previously disabled. (SPL-31280)
  • The passwd file is now copied to passwd.old on upgrade. (SPL-31724, SPL-31975)
  • Seeing an error: UnboundLocalError, value: local variable 'files_to_export' referenced before assignment when trying to upgrade from 4.1.1 -> 4.1.2. (SPL-31457)
  • Alerts/PDF reports use an incorrect URL if root_endpoint!=/. (SPL-31082)
  • A crash in TcpSendThread has been resolved. (SPL-30687)
  • A crash in HTTPRequestHandlerThread. (SPL-31860, SPL-31718)
  • The splunk-forwarder.license has an expiration date of 2011-03-07 22:07:37-0800
  • A user's default app setting breaks after migration to 4.1. (SPL-31580)
  • TitleBar module - js error breaks the view if showActionsMenu param is set to False. (SPL-31338)
  • Upgrade removes 3rd party certificate. (SPL-31335)
  • Windows: Splunk fails to install with "Service manager failed to open service 'Splunkd': The specified service does not exist as an installed service." (SPL-31306)
  • Crash: fatal signal 11 (Segmentation fault) No memory mapped at address. thread: CallbackRunnerThread > _ZN21ExpirableNonceManager13removeExpiredEv (SPL-32654, SPL-32468)
  • Crash in HTTPRequestHandlerThread. (SPL-32208, SPL-32243, SPL-31777, SPL-31718)
  • Distributed search auth keys location not migrated properly. (SPL-32394)
  • Can't generate PDFs if scheduled search has no owner. (SPL-32276)
  • Remote PDF server always returns 404. (SPL-32271)
  • "ERROR AuthenticationManagerSplunk - Rename failed for file 'C:\temp\splunk\etc\passwd.tmp' -> 'C:\temp\splunk\etc\passwd' errno=Access is denied" error after upgrading to 4.1.3 on Windows. (SPL-31652)
  • PDF Server app should exit gracefully if no fonts are installed. (SPL-32699)
  • "Received fatal signal 8 (Arithmetic Exception)" crash on Sparc. (SPL-32427)
  • Crash in ADmonitor. (SPL-32188, SPL-32197)
  • Poor search head performance due to re-auth requests. (SPL-32191)
  • Crash in MainTailingThread. (SPL-31894, SPL-32075)
  • splunk-forwarder.license is associated with an expiration date of 2011-03-07 22:07:37-0800. (SPL-31628)

New in Splunk 4.1.3 (Jun 8, 2010)

  • A cross-site scripting vulnerability was resolved in this release. More information about this issue is available on the Splunk Security Portal. (SPL-31736)
  • All dashboard panels that are rendered from any scheduled job that was run by the scheduler appear to get 'last refreshed time' of NaN NaN NaN. (SPL-31162)
  • Email alert link fails when a saved search is in Japanese. (SPL-31477)
  • Japanese strings on Email contents are garbled. (SPL-30670)
  • Links from saved search alerts are showing no events. (SPL-31337, SPL-31324)
  • Exporting multiline events only writes the first 100 lines to the csv file. (SPL-29261)
  • The timeout value for distributed searches has been increased to 100s from 30s. (SPL-31682)
  • Various Job Manager behavior inconsistencies (issues with sorting and display) have been resolved and some architectural improvements have been made. (SPL-31605, SPL-28983)
  • If client and server are in different timezones, drill-downs create the wrong epochtime timerange. (SPL-31220)
  • Splunk doesn't restart listening on port 9997 if TcpInputProc shuts down the port to clear blocked queues. (SPL-31190)
  • The time_before_close setting has been reimplemented as a per-input stanza setting in inputs.conf rather than a global setting in limits.conf. Existing settings are still honored, although a warning is logged. (SPL-31340)
  • The max_fd setting in limits.conf has been reinstated with a default value of 100 to address issues with monitoring over NFS mounts. (SPL-31518)
  • A crash in the parsing queue has been resolved. (SPL-31379)
  • A crash in resultproviderworkerthread has been resolved. (SPL-31328, SPL-31768)
  • The migration script was altered to cp instead of mv certain files to improve distribution of builds from Perforce. (SPL-31316)
  • A search issue producing a "The search job terminated unexpectedly" error has been resolved. (SPL-31255)
  • Some improvements were made to the user caching scheme for scripted auth to resolve a session failure issue. (SPL-31248)
  • Cloning the "admin" role in Manager wasn't inheriting all the capabilities on installations using LDAP auth. (SPL-31240)
  • Number of events from indexing a plain text file is different than from the same file gzipped. (SPL-31093)
  • An issue with TcpInputProc disconnecting with "ERROR TcpInputProc - Error encountered for connection" and indexing not beginning until 20-40 minutes from startup has been resolved. (SPL-31032)
  • Saved searches spanning multiple lines with \n|\r are not migrated properly. (SPL-30986)
  • Server time zone is not being properly applied to flash charts. (SPL-30950)
  • 3.4.x to 4.1.x migration displays warning about modules directory that isn't needed. (SPL-30678)
  • CLI password is displayed (not transmitted) in the clear on AIX. (SPL-30503)
  • Searches are scheduled & run with SplunkLightForwarder app enabled. (SPL-29224)
  • Normal users can use /properties endpoint to create conf files in arbitrary places. (SPL-31793)
  • Inability to write to auth token file after running out of disk space means any Splunk cli command results in "unicode-file-writer.c:122: utrans_write_codepoint: Assertion `(ufil->common.encoding & 0xFF) == (0x0004)' failed" error. (SPL-31651)
  • Running ./splunk show license segfaults. (SPL-31632)
  • A segmentation fault with "Crashing thread: ResultProvider setup for" has been resolved. (SPL-31367)
  • Distributed search bundle replication should reap old bundles to save disk space. (SPL-30987)
  • Scripted auth examples fail if username/password contain "=" or "--". (SPL-30957)
  • Typeahead - annoying and (for some) frequent bug where it jumps your cursor to the end of the line. (SPL-29858)

New in Splunk 4.1.2 (May 3, 2010)

  • Changing any object's permissions causes a 404 to be returned even though the changes are preserved. (SPL-31217)
  • LDAP migration from 4.08 -> 4.1.1 doesn't properly back up the passwd file if you run the migration preview first. (SPL-30915)
  • 4.1 LDAP migration does not respect migration preview for authentication.conf (SPL-31053)
  • Some URLs are not respecting the root_endpoint. (SPL-31193)
  • Crash in TcpInputProcessor. (SPL-31186)
  • Irregularities in cooked Splunk data arriving on a Splunk receiver can trigger an assert, bringing down Splunk. A common case is sending raw data (as if to a non-Splunk system) to a Splunk receiver. (SPL-31186)
  • Radius user passwords cannot contain #, logins will fail. (SPL-30339)

New in Splunk 4.1.1 (Apr 20, 2010)

  • File upload fails with an error when js_logger_mode=Server in web.conf. (SPL-29570)
  • The crawl command returns binary files when it shouldn't. (SPL-30522)
  • A crawl input won't pickup directories with capital letters in the name. (SPL-30214)
  • Forwarding data to an index that does not exist on the indexer will drop the data. (SPL-30366)
  • Show source option is unavailable when using pipe to fields. (SPL-30290)
  • Migration failed on LDAP config with same base DNs and improper group settings. (SPL-30784) The workaround is to update groupMappingAttribute and groupMemberAttribute to a value that will be present in the user's ldif entry (e.g. uid).
  • LDAP implementations where groupMappingAttribute is assigned multiple values will not work. Splunk requires that groupMappingAttribute have a unique value (SPL-30789)
  • Drill-down does not work as expected with real-time search; will give zero results when expecting historical results. (SPL-29436)
  • CTRL/Command click isn't working for row clicks. (SPL-28530)
  • Sometimes the header will contain the wrong event count from a previous search instead of the event count of the currently running search. (SPL-30338)
  • Deleting a saved search job does not delete the associated dispatch directory. (SPL-30511)
  • Jobs deleted from the Jobs Manager do not actually reclaim disk space. (SPL-30097)
  • Scheduling a search doesn't validate that an email address has been entered when you click "Send email". (SPL-30392)
  • PDF report of a scheduled search sometimes renders with a black bar on the timeline. (SPL-30393)
  • Simple XML searchPostProcess doesn't work with and . (SPL-27248)
  • Line wrapping is broken in the simple XML form. (SPL-29666)
  • Entering incorrect credentials in the Windows GUI installer produces a self-contradictory error message. (SPL-29931)
  • Creating a WMI collection with a name that includes trailing nulls generates an error. (SPL-29150)
  • Windows Event Log (.evt) files are not indexed before they are deleted when they are dropped into the spool directory. (SPL-30355)
  • Deleting via the CLI across a distributed deployment does not work unless the can_delete capability is assigned to the user's role on the indexer itself. (SPL-30498)
  • Searching across a distributed system should not wait so long to decide one of the indexers is out of service before returning results. (SPL-30533)
  • Splunk may crash when suspending in Mac OSX. (SPL-30308)
  • Splunk now enforces a freespace check for the $SPLUNK_HOME/var/run/splunk/dispatch directory. This value is hardcoded to 2GB. Systems with less than 2 GB of freespace should symlink the directory to a partition with more space. (SPL-30788)
  • Splunkd crash in typing thread. (SPL-30803, SPL-30786)
  • indexprocessor not initialized on startup. (SPL-30782)
  • Limit number of buckets moved at once in-flights in BucketMover. (SPL-30671)
  • Add a raw kb field for tcpin_connection in metrics.log. (SPL-30844)
  • EntityLinkLister does not ever pass on its value when clicked on. (SPL-30841)
  • Lookups descriptions are not internationalized. (SPL-30813)
  • splunkd crash at HTTPRequestHandlerThread. (SPL-30810)
  • No timestamps on flashtime when using IE8. (SPL-30808)
  • Show source doesn't work on Windows7. (SPL-30807)
  • Field Extraction Wizard in Splunk Web does not work. (SPL-30798)
  • Need migration message when using lookup defined in some other app. (SPL-30796)
  • Running a report in flashtimeline, using a selected range on the timeline, certain interactions from there discard the timeline selection. (SPL-30794)
  • NOT searches on lookup generated fields fail to yield expected results. (SPL-30776)
  • splunk-optimize failed to start for index, need a better error message. (SPL-30769)
  • PDF Server add-on does not work if supportSSLV3Only = true in web.conf. (SPL-30764)
  • Saved searches created in 4.0.x with latest time +0s display in UI as "custom relative time range". (SPL-30690)
  • Creating saved search through Manager creates nonsense cron_schedule value. (SPL-30681)
  • Inexplicable (and apparently benign) SSL_write errors in the logs. (SPL-30606)
  • Shutdown on idle receiver takes minutes. (SPL-30575)
  • Make disk quota checking faster. (SPL-30513)
  • Summary popups in FieldPicker open offscreen and can't be closed. (SPL-30072)
  • CLI login command on Win-32 build has been fixed. (SPL-30830)

New in Splunk 4.1 (Apr 6, 2010)

  • Field picker sorting broken after I click around different pages of search results and add/remove fields. (SPL-23308)
  • maxTotalDataSize doesn't seem to be honored. (SPL-30534)
  • When getting local Windows Event logs and also indexing .evt files, splunkd will crash if the local Windows Event logs have GUIDs in them. (SPL-30314)
  • Saved search object "win_eventlog_count_sum_index" has a specific owner, which causes the UI to try to access that specific user's workspace. (SPL-30229)
  • Dashboard search in Windows app creates excessive summary index entries. (SPL-29972)
  • Event Results Time range displayed in wrong TZ when choosing date from calendar picker.
  • Running the MSI commandline installer with LAUNCHSPLUNK=0 & SplunkLightForwarder enabled causes splunkweb to start up. (SPL-29798)
  • Disabling typeahead per role results in unsightly error in Splunk Web. (SPL-29337)
  • 'Show Source' only displays 100 lines. (SPL-29292)
  • Searches are scheduled & run with SplunkLightForwarder enabled. (SPL-29224)
  • Running splunk clean all -f barfs with "ERROR :: Cannot call rmtree on a symbolic link" if symbolic links exist in DBs. (SPL-28949)
  • In situations where an index has been deleted but the inputs feeding have not also been deleted, indexed data volume is measured before it's actually committed to disk. (SPL-28915)
  • Systems with large metadata (.data) files (can be due to sourcetyping issues) experience degraded search performance. (SPL-28700)
  • Sending files to the sinkhole follows symlinks to directories, deleting contents outside the sinkhole. (SPL-28652)
  • Switching from enterprise to free results in nonfunctional searches with ugly summary indexing error. (SPL-28470)
  • The content of the audit index is counting against license. (SPL-28462)
  • Archived data copied into thaweddb requires Splunk restart. (SPL-28428)
  • The _time field is always included in results, even when I tell it not to. (SPL-28413)
  • SplunkLightForwarder app with forwarder license is reporting license violations. (SPL-28354)
  • Should not be able to remove app read/write privileges for the admin user. (SPL-28079)
  • Cleartext passwords in authentication.conf files are not encrypted/replaced if the authentication.conf file is stored in etc/apps/search/local instead of etc/system/local. (SPL-28073)
  • Automatic kv extraction is not working for some events. (SPL-27889)
  • Enabling SplunkLightForwarder without an outputs.conf tcpout set up automatically blackholes your data. (SPL-27747)
  • host= on TCP input is not respected. (SPL-27735)
  • Audit signing is IDing the events in wrong order resulting in false gaps. (SPL-27673)
  • When a machine set up for distributed search goes down, the main indexer becomes unusable. (SPL-27640)
  • Email alert garbles Japanese characters. (SPL-27541)
  • If you use panel_row_1_col_1_grp_1 with nothing in the row_1_col_1 node, an exception is thrown. (SPL-27354)
  • Problems with lookup tables against strings containing backslashes. (SPL-27351)
  • Strings containing backslashes are not properly passed in forms. (SPL-27343)
  • The splunk set server-type forwarder CLI option is broken and should be removed. (SPL-27283)
  • Simple XML searchPostProcess basically doesn't work with and . (SPL-27248)
  • Automatic load-balancing forwarder breaks when the indexer is out of disk space. (SPL-27235)
  • Easy to overwrite saved searches when sharing. (SPL-27201)
  • Setting in $SPLUNK_HOME/etc/system/default/props.conf still taking precedence over setting in app's props.conf. (SPL-27062)
  • Search processes running but jobs page reports all searches as done. (SPL-26861)
  • Links to saved searches in email alerts older than 24 hours return 404 and stack trace. (SPL-26448)
  • The splunk list forward-server command does not work when doing SSL forwarding. (SPL-26236)
  • Typeahead is not picking the right values. (SPL-26218)
  • Different fields displayed searching via Splunk Web and email alert link. (SPL-26203)
  • Typeahead searches crashing, high memory usage. (SPL-25790)
  • Removing a UNC path via Splunk Web strips Windows backslashes. (SPL-25473)
  • Highlight works for the first transaction event but not on the second event. (SPL-25419)
  • Downed (ungraceful shutdown) forwarder completely skips over the rest of log file. (SPL-25259)
  • Default extractions for access_combined sourcetype don't work when URI is enclosed with quotes. (SPL-18953)
  • A .csv file with ^M linebreaks won't create fields, replace with proper linebreaks and it's ok. (SPL-17294)
  • Undefined transform is referenced in [WinRegistry] stanza in props.conf, resulting in an error in splunkd.log. (SPL-30433)
  • Confusing messaging when using distributed search and mixed indexes: "A clause in your search will not return results. Make sure you are using 'OR' to search multiple indexes and at least one specified index exists." (SPL-30198)
  • Quoted expression inside parentheses is incorrectly escaped on load. (SPL-29155)
  • Exception data from search script does not work for some flags (streaming, retainsevents, overrides_timeorder) and an "error in 'restitch' command" error is displayed. (SPL-28851)
  • Provided search command scripts do not actually do the same thing that the commands they are named after do; this confuses people trying to write search scripts. These scripts should be removed or renamed. (SPL-28789)
  • Typeahead should timeout faster upon initial connection to search peers. (SPL-28773)
  • Remove '(optional)' from Manager » Distributed search » Search peers » Add New. (SPL-28466)
  • Alert script stalls if the search does not return. (SPL-28421)
  • Setting user password with non-existent role breaks Splunk Web access. (SPL-28417)
  • Package preinstall script tries to create solaris user with shell '/bin/bash' which is frequently not present. (SPL-28331)
  • House cleaning on limits.conf.spec for those parameters no longer valid. (SPL-28321)
  • Lookup code doesn't tell user about nonexistent fields. (SPL-28307)
  • No online help for UPPERCASEd commands, although such are valid. (SPL-28284)
  • Splunk Web gets really slow if its connection to the external internet is intermittent (it's trying to connect to Splunkbase). (SPL-28210)
  • Batch file input/sinkhole doesn't re-eat files on Windows XP. (SPL-28019)
  • Show source action will generate lots of errors in logs. (SPL-27839)
  • In alert_actions.conf.spec: inline = auto -- should be removed. (SPL-27814)
  • etc/apps/learned/local/props.conf can balloon when a "bad" input is added and too many sourcetypes are created, which affects performance. (SPL-27810)
  • The cron_schedule is whitespace sensitive (SPL-27775)
  • Reports with Heat map or high-low values don't show up on a dashboard. (SPL-27743)
  • The progress indicator does not display anything initially, until the search returns the first event. (SPL-27736)
  • Delayed indexing for 200+ UDP sources on same port. (SPL-27632)
  • viewstates.conf is not promoted when a user promotes a search that has additional fields from the fields picker. (SPL-27503, SPL-28503, SPL-24827)
  • Missing etc\system\README deploymentclient.conf.spec and .example. (SPL-27388)

New in Splunk 4.0.10 (Mar 19, 2010)

  • As of Splunk version 4.0.10, summary index searches do not count towards your indexed data volume. (SPL-29515)
  • Events generated by the internal auditing feature, which creates events for user-actions such as fired searches are no longer counted against the license. (SPL-28462)
  • Summary indexing now works if var/run/splunk and var/spool/splunk are on different filesystems. (SPL-26631)
  • Summary index searches that are suspended due to exceeding disk or concurrent search quotas now resume when the quota is available again, and do not require a restart to resume. (SPL-28999)
  • Splunk search is no longer limited to lists of OR terms around 415 long, e.g. "1 OR 2 OR 3 ... OR 415". (SPL-28301)
  • Deploying apps that do not contain a local directory will no longer cause Splunk to crash on the client. (SPL-29019, SPL-30225)
  • Deploying apps to a location outside of $SPLUNK_HOME/etc/apps will no longer cause a crash on the deployment client. (SPL-29484)
  • Quotes in saved searches are now correctly being escaped and are no longer returning zero results. (SPL-28734)
  • Show source is now available for monitor inputs specified as a UNC path on a remote volume. (SPL-28455)
  • Accessing a search from a link sent in an email alert will no longer display an error. (SPL-29420)
  • Scheduled saved searches that have never been run from inside Splunk Web now work correctly in email alerts. (SPL-29483, SPL-28302)
  • Searches with NOT field="value" are now correctly escaped. (SPL-29353, SPL-29121)
  • An issue with LDAP anonymous bind and squashing of uppercase characters in the failsafe username has been resolved. (SPL-28902, SPL-28874)
  • Indexing memory leaks have been addressed. (SPL-28772, SPL-30101)
  • The string "head 1" no longer gets converted to "head true" in search. (SPL-30058)
  • The tailing_proc_speed setting is now available in limits.conf. Refer to limits.conf.spec for details.
  • An issue with stats/chart/timechart values of min/max/first when calculated using summary index data generated using sistats/sichart/sitimechart has been resolved. (SPL-29643)
  • An error is no longer generated when disabling/clearing Windows Event Log inputs. (SPL-29568)
  • A STOP exception related to converting the _time field to non-epochTime in Windows evt files has been resolved. (SPL-29453)
  • All available roles are now available for permissions assignments in Manager. (SPL-28338, SPL-29328)
  • An issue with inconsistent numbers of results displayed when changing the results per page setting on IE browsers has been resolved. (SPL-29314)
  • An issue with report count and result count displaying differing values in IE has been resolved. (SPL-28976)
  • An issue involving SSL errors on deployment clients after upgrade to 4.0.9 has been resolved. (SPL-29284)
  • Some issues with multi-byte character handling in substr() and len() have been resolved. (SPL-29233)
  • An issue involving KV_MODE=auto not working correctly on data converted from SHIFT-JIS to UTF-8 has been resolved. (SPL-29151)
  • A locale setting issue reporting "Message:"null" is null or not an object" when using the Windows app has been resolved. (SPL-28458)
  • Specifying index=* when forcing a roll from hot to warm works correctly and does not generate an error. (SPL-29049)
  • A crash related to searches with multiple append strings has been resolved. (SPL-28636)
  • The block signing functionality now recognizes events deleted from within Splunk as potential gaps. (SPL-28508)
  • The sendemail script now sends only one email regardless of whether a preview has been generated or not. (SPL-29500)
  • A crash involving "No memory mapped" has been resolved. (SPL-29468, SPL-28854)
  • An issue with Solaris /etc/timezone value not being recognized, resulting in incorrect display timestamps, has been resolved. (SPL-29460)
  • Search assistant command link now handles doublequotes correctly. (SPL-26977)

New in Splunk 4.0.9 (Jan 27, 2010)

  • Some issues related to high memory consumption have been resolved. (SPL-28480, SPL-28303)
  • A security issue involving passing absolute URIs has been resolved. (SPL-28706)
  • An issue related to the UTF-8 processor consuming too much memory has been resolved. (SPL-28814)
  • Excessive FileClassifierManager logging around UTF-8 and VISCII has been resolved. (SPL-28774)
  • An issue involving Splunk Web hanging when using SSL has been resolved. (SPL-28315)
  • Splunk Web will no longer generate an error when reloading the page during a search. (SPL-28460)
  • An issue with garbled WMI-collected Windows Event log messages on Windows 2008 has been resolved. (SPL-28346)
  • The number of global events indexed is now displayed correctly when using distributed search and multiple indexes. (SPL-28305)
  • Total events indexed and index sizes are now displayed for all indexes. (SPL-26998)
  • Event counts are now displayed correctly in the Search app Summary page. (SPL-28499)
  • The IIS source type now correctly extracts fields for IIS Web logs. (SPL-28272)
  • The default IIS log file format (the "W3C Extended" standard) is now automatically classified by Splunk. (SPL-28271)
  • The *Nix app now correctly loads the "Percent % Load by Host" graph. (SPL-28514)
  • An issue involving Splunk crashing at the login screen due to issues with older metadata files has been resolved. (SPL-28502)
  • An indexer crash involving HTTPRequestHandlerThread at shutdown has been resolved. (SPL-28711)
  • Splunk no longer arbitrarily closes standard TCP connections after 15 minutes when enableS2SHeartbeat is true. (SPL-28411)
  • An issue involving correctly following directory paths in lookup scripts has been resolved. (SPL-28240, SPL-28229)
  • Key-value extraction now works correctly on Fortinet log events. (SPL-27889)
  • An issue involving a crash resulting from very large strings in expanded searches has been resolved. (SPL-27645)
  • A cloned report now includes displayview information correctly. (SPL-27633)
  • An emailed report generated from a saved search now includes the correct chart formatting. (SPL-25671)
  • A WARN TcpInputFd - Closing socket errno=0 error will no longer be repeatedly written to splunkd.log. (SPL-27618)
  • An issue around lock files not being cleaned up and preventing an indexer from being restarted has been resolved. (SPL-27410)
  • Misconfigured forwarders (for example, accidentally configured to point to the splunkweb port instead of the receiving port) can now be shut down and restarted correctly once they are reconfigured. (SPL-27285)
  • Fields for reporting are now displayed correctly in Firefox 3.5. (SPL-25977)
  • All indexes are now listed correctly in Manager across all distributed search heads. (SPL-23796)
  • Back slashes are no longer added to saved search strings. (SPL-28640, SPL-28136)
  • Saved searches with NOTs in them now have correctly escaped quotation marks. (SPL-28640, SPL-26944)
  • All AD monitoring-related fields are now available in the fields picker. (SPL-28537, SPL-28329)
  • Accessing the _bump endpoint now correctly reloads configs and does not generate a 500 error. (SPL-28464)
  • Values removed from pages in Manager (such as the Roles page) now remain empty when the page is saved. (SPL-28328)
  • An issue with forwarders losing a single event when restarted has been resolved. (SPL-26876)

New in Splunk 4.0.6 (Nov 10, 2009)

  • An issue with a crash while reading Windows Event logs has been resolved. (SPL-27385)
  • Starting Splunk with the --debug flag now allows Splunk Web to function correctly, although still somewhat slowly. (SPL-27398)
  • An issue with the Tcpinputprocessor thread crashing with St9bad_alloc has been resolved. (SPL-27258, SPL-27259)

New in Splunk 4.0.5 (Oct 27, 2009)

  • Splunk Free is now available.
  • Splunk is now officially supported on OS X 10.6 "snow leopard". (SPL-25434)
  • Event signing and auditing now work as documented. (SPL-26299)
  • Scripted authentication now works as documented. (SPL-26489)
  • Splunk SSL now supports the use of intermediate CA certificates. (SPL-14463)
  • When creating new users, all available roles are now shown in the field picker. (SPL-26185)
  • Failing to define a source type in inputs.conf no longer results in an "unknown#" unsearchable source type. (SPL-26213)
  • Performance has been improved when searching across separate filesystems for warm and cold storage. (SPL-26263)
  • Splunk no longer truncates multi-line events of more than 500 lines. (SPL-26880)
  • The .spec file for inputs.conf no longer states an inaccurate default value for rcvbuf. (SPL-24860)
  • Local file upload now supports file sizes up to 500MB. (SPL-24292)
  • The followTail setting in inputs.conf is now respected. (SPL-26010)
  • You may now add up to 50 rows or columns in a view's layoutPanel. (SPL-26177)
  • Saved searches now function correctly if user is logged in with username in different case than was used to log in when the saved search was created (for example fflanda vs. Fflanda). Refer to Migrating user configurations to 4.0.5 in the Release Notes for more information. (SPL-26335)
  • Xpath command now functions correctly. (SPL-26985)
  • Scrolling in panel layout view now works correctly in IE7. (SPL-24861)
  • Distributed search on Solaris now returns all results. (SPL-27006, SPL-26440)
  • A crash involving the TcpInputProcessor thread on distributed search heads has been resolved. (SPL-26568)
  • Show source on Firefox 3.5 now shows the source of the correct event. (SPL-25578)
  • Logs forwarded from the lightweight forwarder are now timestamped correctly. (SPL-26949)
  • Whitelisted symlinks pointing to non-whitelisted files now result in the target files being indexed. (SPL-26718)
  • The custom time range picker in Splunk Web no longer closes too quickly to use in small browser windows. (SPL-26674)
  • The vmstat.sh script from the *Nix app no longer fails. (SPL-26635)
  • When defining a scripted input in Splunk Web, it is no longer possible to erroneously select 'automatic' as a source type. (SPL-26608)
  • The permission setting on $SPLUNK_HOME/etc/apps/*/metadata now allows updates to permissions on views even if you're not running as root. (SPL-26603)
  • It's no longer possible to save an unnamed event type in Splunk Manager. (SPL-26536)
  • There is a new forwarder backoff settings section in outputs.conf to configure the slowdown of subsequent attempted connections to an indexer when there are repeated failed connections. (SPL-26478)
  • An issue with high memory usage resulting in a INDEXER_INTERNAL_MEMORY_ERROR error has been resolved. (SPL-26466)
  • Running the delete operator now correctly deletes metadata. (SPL-26415)
  • The makemv and mvexpand search commands now function correctly. (SPL-26304)
  • When enabling audit event signing, the ID field for the sequential number is now labeled search_id instead of just "id", which was already in use. (SPL-26283)
  • Setting the input type for compressed files explicitly now works correctly. (SPL-25812)
  • Deleting large numbers of events from the CLI works correctly. (SPL-25751)
  • Splunk Web now consistently displays the selected timezone. (SPL-25728)
  • The "business_week_to_date" timerange option now functions correctly. (SPL-25629)
  • Users with spaces in their usernames can now edit views. (SPL-25537)
  • An issue with non-UTF-8 characters in usernames has been resolved. (SPL-25503)
  • Setting updateCheckerBaseURL= 0 no longer prevents Splunk Web from loading. (SPL-25319)
  • Event auditing data now forwards correctly. (SPL-24485)
  • The 'frozenTimePeriodInSecs' and 'maxTotalDataSizeMB' settings in indexes.conf are now properly respected. (SPL-23415)
  • Issues with search stemming have been resolved (when you search explicitly for 10.3.2.1 you will not get results for 10.3.2.100). (SPL-17103)
  • The testmode option for the collect data type now works correctly. (SPL-15853)
  • Spaces are now supported in stanza names in auth.conf. (SPL-5609)
  • Invalid .tmp directories (such as artifacts of partially decompressed directories) are now ignored. (SPL-27101)
  • Saved searches now support terms in quotes. (SPL-26763)

New in Splunk 4.0.4 (Sep 29, 2009)

  • This release contains numerous localization and internationalization fixes, extensions, and improvements.
  • Splunk now runs correctly on unpatched versions of AIX 5.2. (SPL-26227)
  • Splunk now reads tsidx files originally created in version 2.x correctly. (SPL-26169)
  • An issue related to moving data buckets from 'cold' state to a 'frozen' state has been resolved. (SPL-26125)
  • An issue with cold-to-frozen script failing has been resolved. (SPL-25810)
  • DATETIME_CONFIG=CURRENT is now respected for files whose names include the date. (SPL-26311)
  • An error involving out of range cron values when editing a saved search has been resolved. (SPL-26309)
  • An issue with corrupted tcpout_connections messages in metrics.log has been resolved. (SPL-25807)
  • An issue with the "business_week_to_date" timerange and timezones ahead of GMT has been resolved. (SPL-25629)
  • An intermittent issue with AD LDAP auth not returning all the users when realNameAttribute = cn has been resolved. (SPL-25462)
  • Running clean globaldata now correctly deletes the files under fishbucket/db/. (SPL-25860)
  • The export eventdata command now functions correctly. (SPL-25804)
  • The interactive field extractor now correctly escapes pipes (|) in the regex. (SPL-25793)
  • An issue with sample events being overwritten in the interactive field extractor has been resolved. (SPL-25488)
  • The 'delete' operator now works correctly on events timestamped in the future. (SPL-24676)
  • Resolved Splunk Web and Manager issues:
  • The timeline scale has been reinstated in Splunk Web. (SPL-25913)
  • Results are no longer sent as part of an alert email when the box is unchecked in Manager. (SPL-25862)
  • Firebug logging is less noisy. (SPL-25729)
  • Clicking through transaction results no longer breaks the search string. (SPL-25697)
  • The timerange calendar popup in Splunk Web now uses the server timezone (not the browser timezone). (SPL-25532)
  • The indexing status dashboard now includes a module with information about license usage. (SPL-25518)
  • The show source feature now works. (SPL-25868)
  • Usernames are no longer case-sensitive in Splunk Web. (SPL-25903)
  • Finalizing a search on the job status page in Manager now works immediately. (SPL-25561)
  • Default time range options now display more compactly in Splunk Web. (SPL-25201)
  • Issues with seemingly random Splunk Web timeouts have been resolved. (SPL-24389)
  • The interface for restricting TCP inputs to one host has been added back into Manager. (SPL-24376)
  • Disabling and re-enabling Splunk Web from the CLI now works correctly. (SPL-25669)
  • Occasional "Timed out waiting for splunkweb to start" issue on 32-bit Solaris has been resolved. (SPL-26355)
  • Changing the timerange on a search that has been run via a permalink no longer runs a search for *. (SPL-26319)
  • The automatic source type option is no longer erroneously available in Manager for network inputs (UDP, TCP). (SPL-25549, SPL-22451)
  • The Help link for the launcher now works in Firefox 3.5. (SPL-25486)
  • Resolved deployment server/client, and forwarder issues:
  • Enabling SplunkForwarder, SplunkLightForwarder, SplunkDesktop no longer disables deployment server and client functionality. (SPL-26024, SPL-26000)
  • Deployment server now deploys to NATed clients. (SPL-26237)
  • An issue with deployment clients not picking up Apps from deployment server has been resolved. (SPL-26058)
  • New versions of Apps are now correctly deployed; default.meta is correctly overwritten. (SPL-25716)
  • Deployment server now respects permissions of deployed files. (SPL-25715, SPL-24168)
  • The "round robin" forwarder configuration now supports SSL. (SPL-18873)
  • The syslog routing forwarder configuration is now working properly. (SPL-26153)
  • The syslog routing forwarder configuration no longer appears to send an extra event to the syslog receiver (an empty line). (SPL-24995)
  • Resolved App and App development issues:
  • The Windows App now uses summary indexing for front page displayed searches. This improves the performance. (SPL-26258)
  • The Windows App has been updated to remove event types and searches that are not applicable to some Windows platforms. (SPL-26097)
  • Enabling the *Nix App on a Windows host does not throw a "There is no query runner registered" error and will allow searching. (SPL-25598, SPL-25575)
  • An issue with enabling previously disabled deployed Apps has been resolved. (SPL-25717)
  • An issue with usage of vmstat.sh in the *Nix App on Solaris 9 has been resolved. (SPL-26019)
  • Display organization of available views is now configurable the way it is for saved searches. (SPL-26267)
  • Improperly structured XML in dashboards no longer causes tracebacks. (SPL-25864)
  • Scripts that run as part of an App are now stopped when you disable the App. (SPL-25631)

New in Splunk 4.0.3 (Aug 21, 2009)

  • Resolved general issues:
  • An issue in which some saved searches were not correctly reflecting the entered string has been resolved. Known situations were when using top for multiple fields as in |top field1, field2 or top x by x. The error was appearing as "Unknown search operator: Undefined" (SPL-25447), or was displaying a different search (SPL-25446).
  • Upon migration from an earlier version, saved searches are now moved correctly to the Search App and promoted to globally available status. (SPL-25311)
  • The search documentation cheatsheet is now updated for version 4.x. (SPL-23986)
  • Various issues around resurrecting search jobs and search clause ordering have been resolved. (SPL-21740)
  • An issue with incorrect character set detection when certain combinations of Unicode characters appear in an active file has been resolved. (SPL-20780)
  • Running ./splunk list forward-server in the CLI now correctly reflects the status of the forwarders. (SPL-25626)
  • The listtails command now runs to completion. (SPL-25587)
  • An issue with slow Splunk startup has been resolved. (SPL-25572)
  • Automatic header-based field extraction now displays correctly when defining report content (SPL-25544)
  • The path for results sent to scripts via alerts is now correct. (SPL-25512)
  • The 'always' alert condition now triggers correctly. (SPL-25504)
  • The splunkmon.log file now reports restarts accurately. (SPL-24928)
  • The admin role now sees all non-internal indexes by default. (SPL-24962)
  • Subsearch clauses are now resurrected when running a saved search with a subsearch. (SPL-24957)
  • The schedule for a scheduled saved search is now preserved when that saved search is disabled. (SPL-25073)
  • A crash involving groupmappingattribute when configuring LDAP settings has been resolved. (SPL-25089)
  • Editing a saved search no longer causes chart formatting settings to be lost. (SPL-24750)
  • Renaming a source type is now reflected correctly in search assistant (SPL-24672)
  • An issue with being unable to log into Splunk Web when it starts before splunkd has been resolved. (SPL-24141)
  • Searching for a single Japanese character no longer requires double quotes ("). (SPL-23697)
  • An issue with data retirement policy not being respected has been resolved. (SPL-23415)
  • New source types are now created correctly when a /learned directory is present in /etc/bundles. (SPL-25556)
  • The CLI no longer gives a permissions exception when it can't write to authToken. (SPL-25347)
  • The isReadOnly option for indexes.conf now works correctly. (SPL-25233)
  • The CLI and search command to roll buckets has been changed to: splunk search "| debug cmd=roll index=index_name" (SPL-25227)
  • When using an Enterprise Trial license, the same license can be used on multiple distributed search heads. (SPL-24892)
  • The addcoltotals operator now works correctly. (SPL-24628)
  • Resolved Splunk Web/Manager issues:
  • The browser's selected locale will now always be respected; and Splunk Web will no longer fall back to en_US. (SPL-25432)
  • Splunk Web will no longer hang when selecting the "Manager" link from the Launcher or Search App if Splunk cannot connect to splunk.com. (SPL-25520, SPL-24670)
  • Linewrapping now works correctly in Firefox 3.5. (SPL-24856)
  • The 'next' pagination link is now localizable. (SPL-25378)
  • The UDP inputs page now displays the data correctly (does not show all IPs that have forwarded data to the UDP port). (SPL-25465)
  • Views with modules that include Flash items now load correctly even when scrolled down. (SPL-25476)
  • Setting source type manually in Manager now works correctly. (SPL-25549)
  • Semicolons are now correctly handled in field names in Splunk Web. (SPL-17300)
  • Non-UTF-8 inputs are now handled correctly in Splunk Web, and do not generate an "[SimpleResultsTable module] Input is not proper UTF-8" error. (SPL-25529)
  • The report builder now handles more complex searches properly. (SPL-25322)

New in Splunk 4.0 (Jul 21, 2009)

  • Massively scalable search
  • Adaptable user interface
  • Splunk app framework
  • Splunk Manager
  • New Splunk reporting
  • Improved Splunk on Windows
  • International-ready Splunk
  • Scalable alerting
  • Distributed Splunk enhancements
  • New security controls
  • Search language and knowledge extensions
  • Active directory indexing

New in Splunk 3.4.10 (Jun 6, 2009)

  • An issue with linebreaking Windows Event logs and the light forwarder has been resolved. (SPL-22002)
  • Issues relating to the removal or overwriting of configuration files when upgrading Splunk apps (including forwarders) have been resolved. (SPL-21627, SPL-21403)
  • Changes to setup.conf in /etc/apps/local for the Splunk light forwarder are now recognized correctly. (SPL-20405)
  • Heartbeat has been reimplemented on Splunk forwarders. File descriptors will be recovered when a forwarder stops sending heartbeats. (SPL-19279)
  • The Splunk light forwarder can now be enabled when running as a non-root user. (SPL-22484)
  • Enabling the Splunk light forwarder via Splunk Web now works correctly. (SPL-21096)
  • An issue causing an error ("scrubber error") with mismatched timezone specifications in anonymizer has been resolved. (SPL-20851)
  • The timechart command now supports extracted fields with spaces by converting the spaces to underscores. If your deployment relies on this not occurring, set CLEAN_KEYS to false in transforms.conf. This value defaults to true. (SPL-20563)
  • An issue with a hostname-restricted port being left in CLOSE_WAIT state when the port was connected to by something other than that hostname has been resolved. (SPL-20172)
  • An issue with "perpetual" licenses not being displayed correctly on Solaris has been resolved. (SPL-18770)
  • An issue with Splunk instances becoming unresponsive related to SSL calls blocking has been resolved. (SPL-18565, SPL-16598, SPL-20641)
  • The last event in Windows Event Logs is now picked up correctly. (SPL-17283)
  • File system change monitor no longer reports spurious "adds" when monitoring top-level drive letter directories. (SPL-18066)
  • Backslashes in props.conf are no longer incorrectly escaped in files by deployment server. (SPL-22051)
  • A crash encountered when using the interactive field extractor has been resolved. (SPL-22179)
  • The -index flag for the spool CLI command now works properly. (SPL-22074)
  • Export scripts on Windows now function correctly. (SPL-20493)
  • The tcpdump-endpoints transform in system/default/transforms.conf now correctly creates dest_ip and dest_port as defined in the Common Information Model. (SPL-22543)

New in Splunk 3.4.8 (Mar 31, 2009)

  • New Splunk forwarder and light forwarder applications.
  • New Splunk desktop application.

New in Splunk 3.4.6 (Feb 21, 2009)

  • File system change monitor (fschange) whitelist now works correctly as documented. (SPL-18079)
  • File system change monitor input now accepts a custom host attribute. (SPL-16020)
  • Failed bind to LDAP no longer causes saved searches to be disabled. (SPL-17732)
  • An issue with upgrade during the "Perform migration and upgrade without previewing configuration changes? [y/n]" step has been resolved. (SPL-18193)
  • UDP inputs now open correctly when SplunkDesktop and LightForwarder are disabled in Splunk Web. (SPL-17728)
  • An issue with indexing lagging behind when using many forwarders has been resolved. (SPL-18858)
  • The 'splunk clean eventdata' command now properly deletes cached items in Splunk Web and now properly cleans file system monitor data. (SPL-18504, SPL-18401)
  • Non-Splunk directories under /defaultdb no longer cause instability. (SPL-18535)
  • Splunk now reports disk usage correctly in Splunk Web. (SPL-17302)
  • Show source now works correctly on Windows for events from remote sources. (SPL-18505)
  • Extra spaces in fieldactions.conf no longer cause display issues in Splunk Web. (SPL-16132)
  • An issue on Windows with regex backslashes in props.conf has been resolved. (SPL-18262)
  • An issue with the splunkmon process has been resolved. (SPL-18272)
  • Linebreaking is now handled correctly for XML files. (SPL-18034)
  • LDAP group names containing ampersand (&) no longer result in a traceback. (SPL-16867) A follow-on issue with display of information in Splunk Web is still being worked on.
  • Exporting to CSV format now obeys the 'fields' command correctly. (SPL-16562)
  • Admin users can now edit or delete saved searches owned by any other user. (SPL-18009)
  • An issue with monitoring the 64-bit Windows ForwardedEvents event log has been resolved. (SPL-18766)
  • An issue with the stability of splunk-optimize has been resolved. (SPL-18712)
  • CLI searches now correctly process non-ASCII characters in search results. (SPL-18579)

New in Splunk 3.4.4 (Jan 8, 2009)

  • Using the '| dispatch [ ]' command in saved searches or the CLI works correctly in distributed searching.
  • Distributed search now returns the correct total event count.

New in Splunk 3.4.3 (Dec 15, 2008)

  • An issue with missing license file has been resolved. (SPL-18022)
  • An issue with Windows-specific configuration files conflicting with deployment server has been resolved. (SPL-17897)
  • The $SPLUNK_HOME/etc/bundles/ directory is now created correctly in Splunk for Windows installations. (SPL-17877)
  • An issue with user account lockouts when using LDAP combined with distributed search has been resolved. (SPL-17865)
  • A crash related to distributed search has been resolved. (SPL-17851)
  • UDP inputs are no longer disabled in the Splunk desktop application/configuration. (SPL-17728)

New in Splunk 3.4.2 (Dec 3, 2008)

  • An issue causing crashes after disabling SSL communication with splunkd has been resolved. (SPL-17704)

New in Splunk 3.4 (Nov 11, 2008)

  • The Splunk light forwarder configuration removes all indexing processes, disables the file system change monitor, disables Splunk Web and the Splunk authentication subsystem, and limits some types of data input. Specifically, you can monitor local log files and directories, collect Windows event logs and use scripted inputs, including local WMI and registry data sources on Windows. If you have been waiting for a truly lightweight Splunk forwarder, this is the configuration for you.
  • The Splunk forwarder disables Splunk Web. All other functions and modules remain enabled.

New in Splunk 3.3.4 (Oct 15, 2008)

  • Default syslog parsing via UDP now correctly handles line-breaks. (SPL-16776)

New in Splunk 3.3.3 (Oct 4, 2008)

  • The free version of Splunk no longer returns an auth error when attempting to access REST endpoints. (SPL-13741)
  • Spool input now consumes different files with the same name. (SPL-14536)
  • indexes.conf is now deployable. (SPL-14480)
  • Break_before_date in props.conf is now functional. (SPL-14363)
  • All file types now show the correct timestamp in Splunk Web. (SPL-14347)
  • Custom timerange now resets correctly when starting a new search. (SPL-14142)
  • Subsearches that return 0 results are no longer ignored in the search pipeline. (SPL-14006)
  • The User role can now search a distributed search instance without the allow_livetail capability enabled. (SPL-13828)
  • LDAP user DN to group member entry mapping is no longer case sensitive. (SPL-13752)
  • Event type attribute values are no longer case-sensitive. (SPL-13577)
  • Eventtypes with complex phrasing are now searchable and reportable. (SPL-11340)
  • Auto timestamp extraction now recognizes AM & PM in event data. (SPL-13736)
  • The filter option in the file system change monitor now works on Windows. (SPL-13610)
  • The deployment server now restarts Splunk Web. (SPL-13281)
  • The send email script no longer sends 2 emails. (SPL-6892)
  • The search idxprobe now looks into colddb. (SPL-14124)
  • Metrics now have a tunable parameter for the number of results in sample period. (SPL-14090)
  • Splunk now auto-extracts fields for | idxprobe tsidx. (SPL-14062)
  • Pie charts now show values. (SPL-13755)
  • You can now specify -format csv if specifying -header false when searching. (SPL-13392)
  • The source for UDP inputs is now set correctly. (SPL-13739)
  • On Windows and AIX, Splunk was using an out-of-date Olson database to determine proper timezone offsets. This database has been updated. (SPL-14347)
  • If you are using IE6, you will no longer see an error dialog saying Error: Can't move focus to the control because it is invisible, not enabled or of a type that does not accept the focus. (SPL-13331)
  • Issues with assigning multiple graph types to a saved search have been resolved. (SPL-9893)
  • Dashboard loading issues arising from a security fix in the 3.2.3 release of Splunk have been resolved. (SPL-13639, SPL-13656)
  • Windows only: Splunk now picks up new and changed files correctly without needing to restart. (SPL-14281)
  • Windows only: Typeahead now correctly escapes '' in Windows file-path. (SPL-14095)
  • Windows only: coldToFrozenScript = echo $DIR in indexes.conf now functions correctly. (SPL-14008)
  • Windows Event Logs are input correctly when "Run Splunk" is unchecked at the end of the installation. (SPL-14121)
  • Regexes with backslashes in them are now supported when specifying paths to files. (SPL-12679)

New in Splunk 3.3.2 (Sep 6, 2008)

  • File system change monitor no longer follows symlinks in /etc when followlinks is set to false. (SPL-16089)
  • File system change monitor is now correctly disabled when disabled=true (instead of only when the entire stanza in inputs.conf is deleted). (SPL-15017)
  • Splunk now properly indexes files when they are deleted and recreated with the same name. (SPL-16139)
  • Various crashes have been addressed. (SPL-16002, SPL-15933, SPL-15150, SPL-14958, SPL-14546)
  • Splunk's indexing processes now more aggressively throttle and address optimization issues. (SPL-14552)
  • An issue with display of graphs in dashboards has been resolved. (SPL-15923)
  • An issue with chart selection being honored has been resolved. (SPL-14870)
  • 24-hour timestamps that include AM/PM information are now handled correctly. (SPL-15688)
  • Saved searches that include a chart now retain the specified chart type. (SPL-15616)
  • Timechart now functions correctly in distributed search. (SPL-15514)
  • If a user clicks on a link that kicks off a search, and this search does not include explicit time terms, the UI now runs that search in All Time rather than the default time range, which matches what happens in dashboard searches. (SPL-15509)
  • Application browsing will no longer generate a stack trace if splunkbase.com is unresolvable. (SPL-15505)
  • The splunk set deploy-poll and deploy-multicast commands now accept DNS names. (SPL-15396)
  • An issue with the time picker not being reset correctly has been resolved. (SPL-15364)
  • Setting blockSignSize = 100 in indexes.conf will no longer prevent event data from being displayed in Splunk Web. (SPL-15253)
  • host_segment and host_regex now work correctly for data in archives. (SPL-15235)
  • Searching for the text of a name=value pair in an event now works correctly. (SPL-15225)
  • The interactive field extractor now handles unicode events correctly. (SPL-15222)
  • Timestamps for native Windows event logs are now human readable. (SPL-15066)
  • Changing the number of warm buckets in limits.conf to a number lower than you actually have no longer causes issues with searching. (SPL-15060)
  • An issue with menu displays in the Admin Splunk Web interface has been resolved. (SPL-15000)
  • Sinkhole settings are no longer editable via Splunk Web, only through configuration files. (SPL-14868)
  • Splunk Web now correctly validates entries for index name. (SPL-15698)

New in Splunk 3.3.1 (Jul 31, 2008)

  • The Power user role now allows use of Live Tail. (SPL-15337)
  • Configuration files deployed by the Deployment server to /usr/local now properly take precedence over other configuration files. (SPL-15204)
  • Permissions for directories created by the Linux .rpm installation are now set correctly. (SPL-15198)
  • Correct time is now displayed on AIX systems when not using Daylight Savings Time. (SPL-15114)
  • An issue with data crossover between indexes when using the summary indexing feature has been resolved. (SPL-14936)
  • Splunk now logs all successful login attempts rather than just the first one. All logouts and login failures continue to be logged correctly. (SPL-14960)
  • The User role can no longer add schedules to existing saved searches. (SPL-14867)
  • Piping a search to timechart and sorting results according to tag value now works correctly. (SPL-14850)
  • Debian package installation now completes correctly. (SPL-14934)
  • The Back button now functions correctly when viewing reports. (SPL-14283, SPL-10705)
  • Splunk no longer crashes if you fail to specify a valid value for groupNameAttribute ( = cn) in authentication.conf when configuring an LDAP server. (SPL-13562)
  • An issue with columns not being sorted correctly when you have only one row of results has been resolved. (SPL-14810)
  • Distributed search now functions correctly across indexes. (SPL-14807)
  • Splunk's LDAP integration now correctly handles spaces in a dn definition. (SPL-14718)
  • XML output for REST endpoint queries against search results now displays full set of results. (SPL-14701)
  • The file system change monitor feature now displays file permissions in octal rather than hex. (SPL-14352)
  • Round-robin forwarding configuration now functions correctly when one of the Splunk servers stops and restarts. (SPL-13673)
  • The $SPLUNK_HOME/share/splunk/search_oxiclean/rss directory permissions on install have been corrected so RSS feeds can be created. (SPL-10695)

New in Splunk 3.3 (Jul 1, 2008)

  • Free version of Splunk no longer returns an auth error when attempting to access REST endpoints. (SPL-13741)
  • Spool input will now consume different files with the same name. (SPL-14536)
  • indexes.conf is now deployable. (SPL-14480)
  • Break_before_date in props.conf is now functional. (SPL-14363)
  • All file types now show the correct timestamp in Splunk Web. (SPL-14347)
  • Custom timerange now resets correctly when starting a new search. (SPL-14142)
  • Subsearches that return 0 results are no longer ignored in the search pipeline. (SPL-14006)
  • User role can now search a distributed search instance without the allow_livetail capability enabled. (SPL-13828)
  • LDAP user DN to group member entry mapping is no longer case sensitive. (SPL-13752)
  • Auto timestamp extraction now recognizes AM & PM in event data. (SPL-13736)
  • The filter option in the file system change monitor now works on Windows. (SPL-13610)
  • The deployment server now restarts Splunk Web. (SPL-13281)
  • The send email script no longer sends 2 emails. (SPL-6892)
  • The search idxprobe now looks into colddb. (SPL-14124)
  • Metrics now have a tunable parameter for number of results in sample period. (SPL-14090)
  • Splunk now auto-extracts fields for | idxprobe tsidx. (SPL-14062)
  • Pie charts now show values. (SPL-13755)
  • You can now specify -format csv if specifying -header false when searching. (SPL-13392)
  • The source for UDP inputs is now set correctly. (SPL-13739)
  • On Windows and AIX, Splunk was using an out-of-date Olson database to determine proper timezone offsets. This database has been updated. (SPL-14347)
  • Eventtypes with complex phrasing are now searchable and reportable. (SPL-11340)
  • Event type attribute values are no longer case-sensitive. (SPL-13577)
  • If you are using IE6, you will no longer see an error dialog saying Error: Can't move focus to the control because it is invisible, not enabled or of a type that does not accept the focus. (SPL-13331)
  • Issues with assigning multiple graph types to a saved search have been resolved. (SPL-9893)
  • Dashboard loading issues arising from a security fix in the 3.2.3 release of Splunk have been resolved. (SPL-13639, SPL-13656)

New in Splunk 3.2.6 (Jun 18, 2008)

  • Crash on startup after upgrade to 3.2.5. (SPL-14533)
  • Saved searches broken on dashboards in distributed search mode. (SPL-14538)

New in Splunk 3.2.5 (Jun 14, 2008)

  • Reporting in distributed search now works correctly. (SPL-14152, SPL-14405)
  • Saved searches containing transforming operators now work correctly in distributed deployments. (SPL-14152)
  • Scripted auth now runs scheduled searches as the correct user. (SPL-14157)
  • A memory leak in the authentication and authorization module has been eliminated. (SPL-14251)
  • A memory leak in the search module has been eliminated. (SPL-14250)
  • Splunk now briefly caches the result of user authentication requests to reduce load on authentication servers. (SPL-13845)
  • An issue with the forwarder not sending data to the second indexer in a round robin configuration when the first goes down has been resolved. (SPL-13673)
  • An issue with urldecodingprocessor not respecting HTML codes for tab and whitespace has been resolved. (SPL-13336)
  • Disabling access to Live Tail for a given user role no longer disables access to distributed search for that user role. (SPL-14303)
  • Various Windows crashes have been resolved. (SPL-14182, SPL-14229, SPL-14149)
  • You can now restrict the time window (the time range over which a search is run) for searches on a per user role basis. To use this capability, edit $SPLUNK_HOME/etc/bundles/local/authorize.conf and set srchTimeWin to reflect the maximum time span in seconds that a search by someone in this role is authorized to execute. Refer to the product documentation for more information about configuring roles. (SPL-13011)
  • An issue with out of range timestamps in the index has been resolved. (SPL-14034, SPL-14042)
  • Formerly, some distributed environments would experience an issue where the first 5-100 events that should have been returned by a search were intermittently missing. This issue has been resolved. (SPL-14294)

New in Splunk 3.2.4 (May 24, 2008)

  • All admin searches now work.
  • HTTPS export of events using IE6 and IE7 is now supported.
  • Issues with epoch time have been resolved.
  • Splunk Web now supports all advanced search syntax, including reporting on the results of a subsearch, set operations, and more.
  • Deployment class changes for deployment clients are now properly reflected on the Deployment server.
  • IP restrictions made using BIND_SPLUNKIP are now correctly enforced.
  • Distributed search with | multikv now works correctly.
  • Show all now works correctly in distributed mode.
  • Splunk now inserts line breaks into HTML mail alerts to work around potential line limit issues in some mail clients.
  • Issues with search parsing linefeed characters incorrectly have been resolved.
  • The link sent with alert results now specifies the correct time window.
  • Alerts containing results from advanced reporting operators (such as top and timechart) now contain the complete result set.
  • When using select, all data is now treated as numeric data and will be handled appropriately.
  • Export as csv now correctly exports all data.
  • An issue with a missing symlink in the Solaris x86 version of Splunk has been addressed.
  • Splunk Web display issues with saving reports in IE6 have been resolved.
  • Updating saved searches on the dashboard now updates the dashboard correctly.

New in Splunk 3.1.4 (Dec 28, 2007)

  • Specifying a wildcard at the end of a tail configuration now properly anchors the underlying whitelist rule. You no longer have to explicitly define your whitelist rule in your inputs.conf.
  • Eventtypes with uppercase characters now produce the right results when used in combination with eventtype tags.
  • The Last Refresh time in SplunkWeb now shows the correct value.

New in Splunk 3.1.2 (Nov 16, 2007)

  • Form search
  • Search strings can now contain variables that are rendered as form elements in the SplunkWeb interface. When used with Saved searches, inexperienced users can search efficiently without knowing the details of the search language. This feature simplifies searching by asking the user to input exactly the parameters he is looking for, instead of a complete and potentially complex search.
  • Search language simplification
  • As part of a general effort to simplify the search language, equal signs can now be used where double colons were required. In prior releases, search field syntax required a double colon but extracted field syntax required an equal sign. For example, host::splunker for the host search field and myfield=value for the extracted field myfield. Now search and extracted fields can both be used with equal signs in searches.
  • Archiving
  • With the introduction of enhanced archiving and export, customers now have the capability to flexibly archive their Splunk data based on time and size, critical for large and long-term data storage issues common with compliance mandates. This data can be easily resurrected back into Splunk for historical searches, and data can be exported simply and easily to put Splunk-gathered data anywhere an operator desires.