Splunk Changelog

What's new in Splunk 6.0

Oct 4, 2013
  • Powerful analytics for everyone—at amazing speeds
  • Completely redesigned user experience
  • Richer developer environment to easily extend the platform

New in Splunk 4.2 (Mar 16, 2011)

  • This is the next evolution of Splunk: real-time alerting, a faster data engine, many performance improvements, improved charting and reporting capabilities, easier license management, deployment monitoring, and more.

New in Splunk 4.1.4 (Aug 4, 2010)

  • Security issues:
  • A new configuration option, allowRemoteLogin, has been added to server.conf to disallow remote CLI and REST API login access by default. If you are running Splunk Enterprise and have not changed the default password, remote login is disabled by default for the admin user. If you are running Splunk Free, remote access via the CLI is disabled by default and allowRemoteLogin must be set to always to allow remote login. (SPL-31301)
  • Search and scheduled alert issues:
  • A summary search is executed with a different search string when run from the scheduler or from Splunk Web. (SPL-31729)
  • HTML results in email alerts do not properly sort fields. (SPL-28474)
  • A subsearch's maxresult is limited by [format]'s maxresults setting in limits.conf. Default is 100. (SPL-31669)
  • Resurrection issue (saved searches, dashboards) with searches that use | sort with multiple arguments. All arguments past first arg are dropped on resurrect (SPL-30980)
  • When running several searches in parallel, subsearches in append sometimes die. (SPL-31686, SPL-31791)
  • Searching through a bucket with one or more events in the distant future (such as 2012) can cause no results to be returned unless 'over all time' is selected. (SPL-28444)
  • The audit.log contains random search_ids for saved searches that have been run manually. (SPL-29566)
  • When you save a top or rare search with the argument showperc, the showperc argument disappears when you run the search. (SPL-27694)
  • Can't export csv results when viewing search artifacts. (SPL-31534)
  • | crawl doesn't work from the commandline because it's passed an invalid sessionKey. (SPL-31148)
  • Scheduled search doesn't show events/results in RSS feed or on dashboard, but if you look at recent job artifacts, there are events/results. (SPL-32166)
  • Equality comparisons do not work on _time field. (SPL-31953, SPL-28698)
  • The "outputlookup" search command doesn't work if var/run/ is on a different volume from etc/apps. (SPL-31765, SPL-31130)
  • Inconsistent results in distributed search environment due to receive Timeout requires display of error in Splunk Web. (SPL-31659)
  • Real-time search falls behind when handling thousands of events when the time window is >30 seconds. (SPL-31380)
  • Alert errantly triggered when "Streamed search execute failed". Search failure should not assume "0 events". (SPL-31318)
  • Off by one error involving the earliest time in the dataset when searching across multiple indexes. (SPL-32727)
  • Fields referenced in a subsearch do not get extracted. (SPL-32669)
  • Column order not kept in email attachment. (SPL-31698)
  • Splunk Web and Manager issues:
  • The Indexing Volume view in the Search app has been improved to include a license volume dashboard. (SPL-31447, SPL-32195)
  • Setting the default app for user or role from Splunk Web fails because Splunk creates the setting under the wrong stanza, [general]. The correct stanza setting is [general_default]. (SPL-31580, SPL-30790)
  • No warning message is displayed when a license violation is committed. (SPL-29454)
  • Uploading a too-large (> 500MB) file (such as a lookup table) via Splunk Web fails without an error. (SPL-30595)
  • Making any changes to an existing automatic lookup table in Manager (or hitting Save on an existing configuration without making any changes) leaves garbage behind and creates undesired configs in props.conf. (SPL-30617)
  • When accessing the "Longest Running Logins" and "The Most Frequent Logons" searches from the Windows app, Splunk displays an error about the keepevicted flag being required. (SPL-30350)
  • Timeline in the Windows app is overly compressed. (SPL-29932)
  • There is no notification in Splunk Web that a job has expired or been deleted when you try to interact with the job elsewhere in Splunk Web. (SPL-30114)
  • Chart/table drill down goes to an incorrect follow-on search when using discretized ranges in a chart. (SPL-29571, SPL-30553)
  • When a chart displays an "NULL" bucket of values, drilling down into it adds myfield="NULL" to the search string. (SPL-30400)
  • On the Field Transformations page in Manager, "Delete" links are not presented for objects that are deletable but not editable. (SPL-30899)
  • When using real-time search, various display issues sometimes occur with the timeline, fields picker, and the events view. (SPL-29400)
  • Drop-down menus are obscured by selected values in fields onscreen on IE6. (SPL-30056)
  • Clicking on an event term in Splunk Web to add it to the search fails when the term ends with a parenthesis. (SPL-30465)
  • Event type builder save-window produces strange behavior in Firefox. (SPL-30104, SPL-30103)
  • Pressing Enter on the event type builder "Save Event Type" form closes form and does not save the eventtype. (SPL-30407)
  • Creating a tag with uncommon characters results in undesired behavior such as duplicate tags. (SPL-26414)
  • Consistent redirect to login page when running searches in Splunk Web. (SPL-31268)
  • Running a Nessus scan against the Splunk Web port causes Splunk Web to become unresponsive. (SPL-30877)
  • Drill down rewrites your "not" to become "NOT", breaking your search. (SPL-31862)
  • Users without admin privileges can access some admin-only pages via the URLs. (SPL-31838)
  • Splunk Web keeps spinning after login and becomes unresponsive, due to bad dispatch_quota-retry logic. (SPL-31643)
  • "Export results" to CSV from Splunk Web breaks when column names contain spaces. (SPL-30825)
  • Fields no longer show in events viewer in IE8. (SPL-31511)
  • Inputs and indexing issues:
  • WinEventLog:Security logs stop indexing with splunkd.log reporting: ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security'. (SPL-31339)
  • WMI collection time counters are rounded to whole numbers. It's not possible to improve the precision on the log events time counter, but the performance data can be brought up to sub-second precision. (SPL-28456)
  • Default auto header extraction (CHECK_FOR_HEADER) is not consistently maintaining sourcetypes when there is no change in the header. (SPL-30466)
  • The MAX_DAYS_AGO setting sometimes fails to ignore timestamps beyond the set parameter. (SPL-27817)
  • File system change monitor does not work and generates a "Monitoring file or directory that doesn't exist at startup time" in splunkd.log when you monitor the root directory. (SPL-27107)
  • If you configure two different indexes with the same paths to the cold and thawed dbs, Splunk will crash, even if one of the indexes is disabled. (SPL-29281)
  • Support has been added for parsing epoch timestamps in hex. (SPL-32183)
  • Monitoring storage with slow stats (e.g. CIFS/SMB network filesystem Windows) appears to stall. (SPL-31702)
  • Default value of 'localhost' not there anymore for WMI inputs. (SPL-31619)
  • A "Failed to initialize checkpoint" error for Windows Event Log indexing was resolved. (SPL-31339)
  • splunk-admon is not collecting baseline events after startup. (SPL-32393)
  • Windows inputs in Manager are enabled on Unix. (SPL-32287)
  • CLI and configuration file issues:
  • The locktest utility should produce human-readable output. (SPL-27664)
  • Version number on all conf/spec/example files is 4.0. (SPL-30714)
  • The value of maxlen in limits.conf is ignored, which can result in poor performance over long events. (SPL-30080)
  • Running splunk _internal command rebuild-metadata against a non-existent index crashes splunkd. (SPL-31072, SPL-31284)
  • Generating a diag on a Japanese language OS can generate a "type 'exceptions.OSError'" error. (SPL-27271)
  • indexes.conf.spec says the default value for maxMemMB is 50, but actually it's 5 (20 for main). (SPL-31882)
  • limits.conf.spec needs to be updated with correct default value for dispatch_quota_retry. (SPL-31681)
  • splunk add search-server fails if 'source setSplunkEnv' not run and SPLUNK_HOME crosses a symlink. (SPL-31476)
  • splunk diag fails when you have index names with "Path" in the name. (SPL-30804, SPL-32740)
  • Real-time search does not work when SPLUNK_BINDIP configured. (SPL-32549)
  • KV_MODE is specified in transforms.conf in $SPLUNK_HOME/etc/system/default and should only be in props.conf. (SPL-32254)
  • Unsorted issues:
  • If the disk Splunk uses fills up, eventually users will not be able to log in because the audit log cannot be written to. (SPL-30162)
  • If a single scripted authentication request hangs, no other authentication requests can be served until the original process is killed. (SPL-30265)
  • Splunk Windows services (both splunkweb and splunkd) are installed by default with Startup Type set to "automatic", which means that if you have deployed light forwarders on Windows and haven't explicitly set Startup Type to "manual", the splunkweb process gets started every time you reboot your forwarders. (SPL-22434)
  • Migration from 3.4.x to 4.1 should handle the enabling/disabling of apps correctly. For example, Splunk Desktop is automatically enabled in 4.1 but was previously disabled. (SPL-31280)
  • The passwd file is now copied to passwd.old on upgrade. (SPL-31724, SPL-31975)
  • Seeing an error: UnboundLocalError, value: local variable 'files_to_export' referenced before assignment when trying to upgrade from 4.1.1 -> 4.1.2. (SPL-31457)
  • Alerts/PDF reports use an incorrect URL if root_endpoint!=/. (SPL-31082)
  • A crash in TcpSendThread has been resolved. (SPL-30687)
  • A crash in HTTPRequestHandlerThread. (SPL-31860, SPL-31718)
  • The splunk-forwarder.license has an expiration date of 2011-03-07 22:07:37-0800.
  • A user's default app setting breaks after migration to 4.1. (SPL-31580)
  • TitleBar module - js error breaks the view if showActionsMenu param is set to False. (SPL-31338)
  • Upgrade removes 3rd party certificate. (SPL-31335)
  • Windows: Splunk fails to install with "Service manager failed to open service 'Splunkd': The specified service does not exist as an installed service." (SPL-31306)
  • Crash: fatal signal 11 (Segmentation fault) No memory mapped at address. thread: CallbackRunnerThread > _ZN21ExpirableNonceManager13removeExpiredEv (SPL-32654, SPL-32468)
  • Crash in HTTPRequestHandlerThread. (SPL-32208, SPL-32243, SPL-31777, SPL-31718)
  • Distributed search auth keys location not migrated properly. (SPL-32394)
  • Can't generate PDFs if scheduled search has no owner. (SPL-32276)
  • Remote PDF server always returns 404. (SPL-32271)
  • "ERROR AuthenticationManagerSplunk - Rename failed for file 'C:\temp\splunk\etc\passwd.tmp' -> 'C:\temp\splunk\etc\passwd' errno=Access is denied" error after upgrading to 4.1.3 on Windows. (SPL-31652)
  • PDF Server app should exit gracefully if no fonts are installed. (SPL-32699)
  • "Received fatal signal 8 (Arithmetic Exception)" crash on Sparc. (SPL-32427)
  • Crash in ADmonitor. (SPL-32188, SPL-32197)
  • Poor search head performance due to re-auth requests. (SPL-32191)
  • Crash in MainTailingThread. (SPL-31894, SPL-32075)
  • splunk-forwarder.license is associated with an expiration date of 2011-03-07 22:07:37-0800. (SPL-31628)

New in Splunk 4.0.10 (Mar 24, 2010)

  • As of Splunk version 4.0.10, summary index searches do not count towards your indexed data volume. (SPL-29515)
  • Events generated by the internal auditing feature, which creates events for user actions such as fired searches, are no longer counted against the license. (SPL-28462)
  • Summary indexing now works if var/run/splunk and var/spool/splunk are on different filesystems. (SPL-26631)
  • Summary index searches that are suspended due to exceeding disk or concurrent search quotas now resume when the quota is available again, and do not require a restart to resume. (SPL-28999)
  • Splunk search is no longer limited to lists of OR terms around 415 long, e.g. "1 OR 2 OR 3.... OR 415". (SPL-28301)
  • Deploying apps that do not contain a local directory will no longer cause Splunk to crash on the client. (SPL-29019, SPL-30225)
  • Deploying apps to a location outside of $SPLUNK_HOME/etc/apps will no longer cause a crash on the deployment client. (SPL-29484)
  • Quotes in saved searches are now correctly being escaped and are no longer returning zero results. (SPL-28734)
  • Show source is now available for monitor inputs specified as a UNC path on a remote volume. (SPL-28455)
  • Accessing a search from a link sent in an email alert will no longer display an error. (SPL-29420)
  • Scheduled saved searches that have never been run from inside Splunk Web now work correctly in email alerts. (SPL-29483, SPL-28302)
  • Searches with NOT field="value" are now correctly escaped. (SPL-29353, SPL-29121)
  • An issue with LDAP anonymous bind and squashing of uppercase characters in the failsafe username has been resolved. (SPL-28902, SPL-28874)
  • Indexing memory leaks have been addressed. (SPL-28772, SPL-30101)
  • The string "head 1" no longer gets converted to "head true" in search. (SPL-30058)
  • The tailing_proc_speed setting is now available in limits.conf. Refer to limits.conf.spec for details.
  • An issue with stats/chart/timechart values of min/max/first when calculated using summary index data generated using sistats/sichart/sitimechart has been resolved. (SPL-29643)
  • An error is no longer generated when disabling/clearing Windows Event Log inputs. (SPL-29568)
  • A STOP exception related to converting the _time field to non-epochTime in Windows evt files has been resolved. (SPL-29453)
  • All available roles are now available for permissions assignments in Manager. (SPL-28338, SPL-29328)
  • An issue with inconsistent numbers of results displayed when changing the results per page setting on IE browsers has been resolved. (SPL-29314)
  • An issue with report count and result count displaying differing values in IE has been resolved. (SPL-28976)
  • An issue involving SSL errors on deployment clients after upgrade to 4.0.9 has been resolved. (SPL-29284)
  • Some issues with multi-byte character handling in substr() and len() have been resolved. (SPL-29233)
  • An issue involving KV_MODE=auto not working correctly on data converted from SHIFT-JIS to UTF-8 has been resolved. (SPL-29151)
  • A locale setting issue reporting "Message:"null" is null or not an object" when using the Windows app has been resolved. (SPL-28458)
  • Specifying index=* when forcing a roll from hot to warm works correctly and does not generate an error. (SPL-29049)
  • A crash related to searches with multiple append strings has been resolved. (SPL-28636)
  • The block signing functionality now recognizes events deleted from within Splunk as potential gaps. (SPL-28508)
  • The sendemail script now sends only one email regardless of whether a preview has been generated or not. (SPL-29500)
  • A crash involving "No memory mapped" has been resolved. (SPL-29468, SPL-28854)
  • An issue with Solaris /etc/timezone value not being recognized, resulting in incorrect display timestamps, has been resolved. (SPL-29460)
  • Search assistant command link now handles doublequotes correctly. (SPL-26977)

New in Splunk 4.0.3 (Aug 28, 2009)

  • General issues:
  • An issue in which some saved searches were not correctly reflecting the entered string has been resolved. Known situations were when using top for multiple fields as in |top field1, field2 or top x by x. The error was appearing as "Unknown search operator: Undefined" (SPL-25447), or a different search was displayed (SPL-25446).
  • Upon migration from an earlier version, saved searches are now moved correctly to the Search App and promoted to globally available status. (SPL-25311)
  • The search documentation cheatsheet is now updated for version 4.x. (SPL-23986)
  • Various issues around resurrecting search jobs and search clause ordering have been resolved. (SPL-21740)
  • An issue with incorrect character set detection when certain combinations of Unicode characters appear in an active file has been resolved. (SPL-20780)
  • Running ./splunk list forward-server in the CLI now correctly reflects the status of the forwarders. (SPL-25626)
  • The listtails command now runs to completion. (SPL-25587)
  • An issue with slow Splunk startup has been resolved. (SPL-25572)
  • Automatic header-based field extraction now displays correctly when defining report content. (SPL-25544)
  • The path for results sent to scripts via alerts is now correct. (SPL-25512)
  • The 'always' alert condition now triggers correctly. (SPL-25504)
  • The splunkmon.log file now reports restarts accurately. (SPL-24928)
  • The admin role now sees all non-internal indexes by default. (SPL-24962)
  • Subsearch clauses are now resurrected when running a saved search with a subsearch. (SPL-24957)
  • The schedule for a scheduled saved search is now preserved when that saved search is disabled. (SPL-25073)
  • A crash involving groupmappingattribute when configuring LDAP settings has been resolved. (SPL-25089)
  • Editing a saved search no longer causes chart formatting settings to be lost. (SPL-24750)
  • Renaming a source type is now reflected correctly in search assistant. (SPL-24672)
  • An issue with being unable to log into Splunk Web when it starts before splunkd has been resolved. (SPL-24141)
  • Searching for a single Japanese character no longer requires double quotes ("). (SPL-23697)
  • An issue with data retirement policy not being respected has been resolved. (SPL-23415)
  • New source types are now created correctly when a /learned directory is present in /etc/bundles. (SPL-25556)
  • The CLI no longer gives a permissions exception when it can't write to authToken. (SPL-25347)
  • The isReadOnly option for indexes.conf now works correctly. (SPL-25233)
  • The CLI and search command to roll buckets has been changed to: splunk search "| debug cmd=roll index=index_name" (SPL-25227)
  • When using an Enterprise Trial license, the same license can be used on multiple distributed search heads. (SPL-24892)
  • The addcoltotals operator now works correctly. (SPL-24628)
  • Web/Manager issues:
  • The browser's selected locale will now always be respected, and Splunk Web will no longer fall back to en_US. (SPL-25432)
  • Splunk Web will no longer hang when selecting the "Manager" link from the Launcher or Search App if Splunk cannot connect to splunk.com. (SPL-25520, SPL-24670)
  • Linewrapping now works correctly in Firefox 3.5. (SPL-24856)
  • The 'next' pagination link is now localizable. (SPL-25378)
  • The UDP inputs page now displays the data correctly (does not show all IPs that have forwarded data to the UDP port). (SPL-25465)
  • Views with modules that include Flash items now load correctly even when scrolled down. (SPL-25476)
  • Setting source type manually in Manager now works correctly. (SPL-25549)
  • Semicolons are now correctly handled in field names in Splunk Web. (SPL-17300)
  • Non-UTF-8 inputs are now handled correctly in Splunk Web, and do not generate an "[SimpleResultsTable module] Input is not proper UTF-8" error. (SPL-25529)
  • The report builder now handles more complex searches properly. (SPL-25322)