Splunk 4.1.1 brings 90+ fixes

Splunk provides the ability for users to search, monitor and analyze live streaming IT data as well as terabytes of historical data, all from the same interface.

The following issues have been resolved in this release of Splunk:

Security issues

  • A new configuration option, allowRemoteLogin has been added to server.conf to disallow remote CLI and REST API login access by default. If you are running Splunk Enterprise and have not changed the default password, remote login is disabled by default for the admin user. If you are running Splunk Free, remote access via the CLI is disabled by default and allowRemoteLogin must be set to always to allow remote login.
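As an added example (not Splunk's own code), the following script reads a server.conf and reports the effective allowRemoteLogin policy and whether a remote CLI/REST login would be accepted under the rules described above; it assumes the spec's requireSetPassword default when the key is absent from [general], and the sample conf text is constructed.

```python
"""Report the effective allowRemoteLogin policy from a Splunk server.conf.

Added example, not Splunk's own code. The values always / never /
requireSetPassword are the ones server.conf accepts; requireSetPassword is
assumed to be the default when the key is absent from [general].
"""
import configparser

DEFAULT_POLICY = "requireSetPassword"   # assumed default when the key is absent
VALID_POLICIES = {"always", "never", "requireSetPassword"}


def effective_policy(conf_text: str) -> str:
    """Return the allowRemoteLogin value in effect for the given conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(conf_text)
    value = cp.get("general", "allowRemoteLogin", fallback=DEFAULT_POLICY).strip()
    if value not in VALID_POLICIES:
        raise ValueError(f"unexpected allowRemoteLogin value: {value!r}")
    return value


def remote_login_allowed(policy: str, is_free: bool, admin_default_password: bool) -> bool:
    """Decide whether a remote CLI/REST login for the admin user is accepted.

    is_free: Splunk Free, where only 'always' opens remote login.
    admin_default_password: the Enterprise admin account still has its
    default password, which keeps remote login closed for that user."""
    if policy == "never":
        return False
    if policy == "always":
        return True
    # requireSetPassword: Free stays closed; Enterprise is closed only while
    # the admin account still uses the default password.
    return not is_free and not admin_default_password


# Constructed sample configs for a quick local check.
HARDENED_CONF = "[general]\nserverName = idx1\nallowRemoteLogin = never\n"
OPEN_CONF = "[general]\nserverName = idx1\nallowRemoteLogin = always\n"
UNSET_CONF = "[general]\nserverName = idx1\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("open", OPEN_CONF), ("unset", UNSET_CONF)):
        pol = effective_policy(text)
        print(name, pol, remote_login_allowed(pol, is_free=False, admin_default_password=True))
```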

Search and scheduled alert issues

  • Summary search is executed with a different search string when run from the scheduler than when run from Splunk Web.
  • HTML results in email alerts do not properly sort fields.
  • A subsearch’s maxresult is limited by [format]’s maxresults setting in limits.conf. Default is 100.
  • Resurrection issue (saved searches, dashboards) with searches that use | sort with multiple arguments: all arguments after the first are dropped when the search is resurrected.
  • When running several searches in parallel, subsearches in append sometimes die.
  • Searching through a bucket with one or more events in the distant future (such as 2012) can cause no results to be returned unless ‘over all time’ is selected.
  • The audit.log contains random search_ids for saved searches that have been run manually.
  • When you save a top or rare search with the argument showperc, the showperc argument disappears when you run the search.
  • Can’t export csv results when viewing search artifacts.
  • | crawl doesn’t work from the command line because it’s passed an invalid sessionKey.
  • Scheduled search doesn’t show events/results in RSS feed or on dashboard, but if you look at recent job artifacts, there are events/results.
  • Equality comparisons do not work on _time field.
  • The “outputlookup” search command doesn’t work if var/run/ is on a different volume from etc/apps.
  • Inconsistent results in a distributed search environment caused by a receive timeout should be surfaced as an error in Splunk Web.
  • Real-time search falls behind when handling thousands of events when the time window is >30 seconds.
  • Alert errantly triggered when “Streamed search execute failed”: a search failure should not be treated as “0 events”.
  • Off-by-one error involving the earliest time in the dataset when searching across multiple indexes.
  • Fields referenced in a subsearch do not get extracted.
  • Column order not kept in email attachment.

Splunk Web and Manager issues

  • The Indexing Volume view in the Search app has been improved to include a license volume dashboard.
  • Setting the default app for user or role from Splunk Web fails because Splunk creates the setting under the wrong stanza, [general]. The correct stanza setting is [general_default].
  • No warning message is displayed when a license violation is committed.
  • Uploading a too-large (> 500 MB) file (such as a lookup table) via Splunk Web fails without an error.
  • Making any changes to an existing automatic lookup table in Manager (or hitting Save on an existing configuration without making any changes) leaves garbage behind and creates undesired configs in props.conf.
  • When accessing the “Longest Running Logins” and “The Most Frequent Logons” searches from the Windows app, Splunk displays an error about the keepevicted flag being required.
  • Timeline in the Windows app is overly compressed.
  • There is no notification in Splunk Web that a job has expired or been deleted when you try to interact with the job elsewhere in Splunk Web.
  • Chart/table drill down goes to an incorrect follow-on search when using discretized ranges in a chart.
  • When a chart displays a “NULL” bucket of values, drilling down into it adds myfield="NULL" to the search string.
  • On the Field Transformations page in Manager, “Delete” links are not presented for objects that are deletable but not editable.
  • When using real-time search, various display issues sometimes occur with the timeline, fields picker, and the events view.
  • Drop-down menus are obscured by selected values in fields onscreen on IE6.
  • Clicking on an event term in Splunk Web to add it to the search fails when the term ends with a parenthesis.
  • Event type builder save-window produces strange behavior in Firefox.
  • Pressing Enter on the event type builder “Save Event Type” form closes form and does not save the eventtype.
  • Creating a tag with uncommon characters results in undesired behavior such as duplicate tags.
  • Consistent redirect to login page when running searches in Splunk Web.
  • Running a Nessus scan against the Splunk Web port causes Splunk Web to become unresponsive.
  • Drill down rewrites your “not” to become “NOT”, breaking your search.
  • Users without admin privileges can access some admin-only pages via the URLs.
  • Splunk Web keeps spinning after login and becomes unresponsive, due to bad dispatch_quota-retry logic.
  • “Export results” to CSV from Splunk Web breaks when column names contain spaces.
  • Fields no longer show in events viewer in IE8.

Inputs and indexing issues

  • WinEventLog:Security logs stop indexing with splunkd.log reporting: ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security'.
  • WMI collection time counters are rounded to whole numbers. It’s not possible to improve the precision of the log event time counter, but the performance data can be brought up to sub-second precision.
  • Default auto header extraction (CHECK_FOR_HEADER) does not consistently maintain sourcetypes when there is no change in the header.
  • The MAX_DAYS_AGO setting sometimes fails to ignore timestamps beyond the set parameter.
  • File system change monitor does not work and generates a “Monitoring file or directory that doesn’t exist at startup time” in splunkd.log when you monitor the root directory.
  • If you configure two different indexes with the same paths to the cold and thawed dbs, Splunk will crash, even if one of the indexes is disabled.
  • Support has been added for parsing epoch timestamps in hex.
  • Monitoring storage with slow stats (e.g. a CIFS/SMB network filesystem on Windows) appears to stall.
  • The default value of ‘localhost’ is no longer present for WMI inputs.
  • A “Failed to initialize checkpoint” error for Windows Event Log indexing was resolved.
  • splunk-admon is not collecting baseline events after startup.
  • Windows inputs in Manager are enabled on Unix.

CLI and configuration file issues

  • The locktest utility should produce human-readable output.
  • Version number on all conf/spec/example files is 4.0.
  • The value of maxlen in limits.conf is ignored, which can result in poor performance over long events.
  • Running splunk _internal command rebuild-metadata against a non-existent index crashes splunkd.
  • Generating a diag on a Japanese language OS can generate a “type ‘exceptions.OSError’” error.
  • indexes.conf.spec says the default value for maxMemMB is 50, but actually it’s 5 (20 for main).
  • limits.conf.spec needs to be updated with correct default value for dispatch_quota_retry.
  • splunk add search-server fails if ‘source setSplunkEnv’ has not been run and SPLUNK_HOME crosses a symlink.
  • splunk diag fails when you have index names with “Path” in the name.
  • Real-time search does not work when SPLUNK_BINDIP is configured.
  • KV_MODE is specified in transforms.conf in $SPLUNK_HOME/etc/system/default and should only be in props.conf.

Unsorted issues

  • If the disk Splunk uses fills up, eventually users will not be able to log in because the audit log cannot be written to.
  • If a single scripted authentication request hangs, no other authentication requests can be served until the original process is killed.
  • Splunk Windows services (both splunkweb and splunkd) are installed by default with Startup Type set to “automatic”, which means that if you have deployed light forwarders on Windows and haven’t explicitly set Startup Type to “manual”, the splunkweb process gets started every time you reboot your forwarders.
  • Migration from 3.4.x to 4.1 should handle the enabling/disabling of apps correctly. For example, Splunk Desktop is automatically enabled in 4.1 but was previously disabled.
  • The passwd file is now copied to passwd.old on upgrade.
  • Seeing an error: UnboundLocalError, value: local variable ‘files_to_export’ referenced before assignment when trying to upgrade from 4.1.1 -> 4.1.2.
  • Alerts/PDF reports use an incorrect URL if root_endpoint!=/.
  • A crash in TcpSendThread has been resolved.
  • A crash in HTTPRequestHandlerThread has been resolved.
  • The splunk-forwarder.license has an expiration date of 2011-03-07 22:07:37-0800.
  • A user’s default app setting breaks after migration to 4.1.
  • TitleBar module: a JavaScript error breaks the view if the showActionsMenu parameter is set to False.
  • Upgrade removes 3rd party certificate.
  • Windows: Splunk fails to install with “Service manager failed to open service ‘Splunkd’: The specified service does not exist as an installed service.”
  • Crash: fatal signal 11 (Segmentation fault), No memory mapped at address; thread: CallbackRunnerThread > _ZN21ExpirableNonceManager13removeExpiredEv.
  • Crash in HTTPRequestHandlerThread.
  • Distributed search auth keys location not migrated properly.
  • Can’t generate PDFs if scheduled search has no owner.
  • Remote PDF server always returns 404.
  • “ERROR AuthenticationManagerSplunk - Rename failed for file 'C:\temp\splunk\etc\passwd.tmp' -> 'C:\temp\splunk\etc\passwd' errno=Access is denied” error after upgrading to 4.1.3 on Windows.
  • PDF Server app should exit gracefully if no fonts are installed.
  • “Received fatal signal 8 (Arithmetic Exception)” crash on Sparc.
  • Crash in ADmonitor.
  • Poor search head performance due to re-auth requests.
  • Crash in MainTailingThread.
  • splunk-forwarder.license is associated with an expiration date of 2011-03-07 22:07:37-0800.