Splunk released version 4.0.8 of the Splunk IT search and analysis engine.
- When you save a top or rare search with the argument showperc, the showperc argument disappears when you run the search.
- On shutdown, many WARN lines are displayed in splunk.log that should actually be INFO. These lines can be safely ignored.
- You must manually distribute certificates to a host before you can successfully add it as a distributed search peer using the CLI.
- If you expand the view of a large event to the full event and back again to the summary view, subsequent attempts to expand to view the entire event will be restricted to 500 lines.
- web_access.log and web_service.log grow forever, and consume unbounded disk space.
- Summary indexing does not work if var/run/splunk and var/spool/splunk are on different filesystems.
- The SplunkLightForwarder app *requires* an outputs.conf-style choice of server to forward to. If SplunkLightForwarder is enabled while no target server to transmit data to is specified, the Splunk instance will neither forward the data nor block; it will null-route the dataflow.
- Splunk search is limited to lists of around 415 OR terms, e.g. “1 OR 2 OR 3…. OR 415”. If more cases than this are needed, a lookup may be an effective workaround.
- Searches for events that contain literal asterisks behave irregularly. An event that contains “*foo*bar*” can be found with a search for ‘foo’, but cannot be found with ‘sourcetype=thesourcetype foo’. A workaround is ‘sourcetype=thesourcetype *foo*’.
- CLI help is missing some commands.
- Custom alert scripts that do not complete will stall further scheduled searches. Be sure your alert scripts will complete promptly.