Splunk 4.1.6 brings numerous fixes

Splunk provides the ability for users to search, monitor and analyze live streaming IT data as well as terabytes of historical data, all from the same interface.

The following issues have been resolved in this release of Splunk:

  • OpenSSL has been upgraded to 0.9.8p to address CVE-2010-3864 (a race condition in TLS extension parsing that affects multi-threaded OpenSSL servers using OpenSSL's internal session caching).
  • Splunk can lose track of “source” information when monitoring compressed files. The splunkd.log file will show an error similar to “The event is missing source information”.
  • Pressing Enter on the interactive field extractor (IFX) “Save Field Extraction” form closes the form and does not save the field extraction.
  • Alt+Click does not include the escape character “\” when it’s needed.
  • Splunk Web may gradually degrade in performance if the number of concurrent active requests is greater than the thread threshold’s earlier default value of 10. This can result in users being unable to log into a new web session. (The value of server.thread_pool under the [settings] stanza in $SPLUNK_HOME/etc/system/local/web.conf has been raised to 50.)
  • Setting a large number of role attributes via Splunk Web may remove settings for that role. Setting of capabilities is not affected.
  • PDF printing is limited to only the admin user.
  • Using the CLI to perform a distributed search to Windows Server 2008 R2 with a bundle having more than 8 lookup files fails. The same operation hangs when you use Splunk Web.
  • The xmlkv command was limited to 50K results.
  • A misleading success message was shown if you edited a field alias without the correct permissions (and your changes were not saved).
  • The Splunk Web audit log now logs the username when a user logs out.
  • The diff command no longer supports the -tofile argument.
  • A crash in Splunk Web/CherryPy that writes “root:120 – ENGINE: Error in HTTP server” in the web-service.log has been resolved.
  • ADmon does not retrieve all the contents if the number of records in Active Directory is more than ~1000.
  • Users without the required permission can create Windows Event Log inputs: an error message stating that the addition failed is displayed, but the input is nonetheless created.
  • Users with edit_user capability can now list users.
  • Running a real-time search that uses a lookup table over a long period (more than 5 minutes) can sometimes result in an error because the in-use information is reaped.
  • Forwarders crashed after a propagated outputs.conf change switched the deployment topology from a single indexer to two indexers with autoLB.
  • The formatting of EULA (license-eula.txt) has been improved, and minor clarifications made. No changes have been made to the terms of the agreement.
  • The default value of maxvalues in limits.conf has been set to 0 so that distinct count searches return an unlimited number of values.
  • Preview of large sets of results when using the concurrency search command is not working correctly and will ultimately display 0 results when the search completes.
  • A per-index serviceMetaPeriod option has been added to indexes.conf so you can set how often metadata files (mappings of host, source, sourcetype to numeric IDs) get written to disk. This is intended to resolve performance bottlenecks in situations where there is a large amount of metadata being processed.
  • The interactive field extractor (IFX) now works correctly in IE7 and IE8.
  • The preview_freq setting in limits.conf (which controls how frequently the real-time window of a search is updated) was not being honored.
  • Command arguments are now output in crash logs for easier diagnosis.
  • Some strings in the “Build event type” screen are not localizable.
  • A crash in the splunk-optimize process with “Integer Divide by Zero” in the crash dump has been resolved.
  • Erroneous “non-SSL content” warnings appeared on the login screen.
  • Dynamic, time-sensitive lookup table is not returning expected results.
  • Splunk fails to hide the job progress indicator on some dashboard panels even after the search job has completed: the panel correctly shows the results beneath the indicator, but the indicator still reports the search as running.
  • Buckets are occasionally named with an incorrect timerange, which makes them unsearchable.
  • The message displayed on a dashboard when a scheduled hidden saved search is run is now clearer and explains why results are not shown.
  • When upgrading to 4.1.5 on Windows, two instances of Splunk are shown in the Windows “Add or Remove Programs” utility.
  • Bus error when running show license from the CLI.
  • When a file is rolled, the TailingProcessor default behavior of holding the FD open for 3 seconds can result in duplicate events being indexed.
  • Forwarders crash on shutdown.
  • The machineTypes setting in serverclass.conf does not support wildcards.
  • The splunkd_stderr.log can grow too large because log-debug.cfg logs unnecessary data to it.
  • Restarting during the indexing of an archive file sometimes drops events.
  • A crash (ERROR TcpOutputProc – Exception thrown (runtime_error) in TCP consumption thread – can’t change non-blocking setting: Bad file number – will reconnect) resulting from autoLB closing a connection early was resolved.
  • If you choose an alert trigger condition when defining an alert in Manager, switching back to another alert trigger condition doesn’t work.
  • When a light forwarder is configured to monitor and forward a directory of bz2 files, occasionally they end up without source=filename but rather tcp:port.
  • PDF Server on Fedora 12 sends only the header/title of the report and no content.
  • Upgrading on Windows removes third-party certificates.
  • The diff command used to have a hard limit of 9K, which has been raised to 100KB.
  • The splunk list forward-server CLI command incorrectly reports that there are no forwarding instances.
  • The random search function returns the same value for the same event in every run on Ubuntu 8.
  • PDF server 1.2 on Ubuntu 10.10 fails to start Firefox with “ERROR Execution of Firefox for x86_64 failed” because of incompatibility with libgconf-2.so.4.
  • Splunk’s intentions.log doesn’t contain timestamps.
  • Diff output mangles the header and crops the file range of the output.
  • After deleting data with the | delete command, hosts to which the data was associated still show up in the metadata.
  • The diag utility doesn’t handle long file paths on Windows and fails with Exception: .
  • SSO configuration settings in web.conf were not documented in web.conf.spec.
  • The paginator widget doesn’t work on page load.
  • An example of extracting fields from the source field has been added to props.conf.example.
  • Manually invoked searches should not block scheduled searches from running when the value of max_concurrent.
  • Comparing the bytes of the objectGuid from ADexplorer output and Splunk’s ADmon output shows that some of the GUID numbers are different and some have curly brackets.
  • The time selector is misaligned with the search bar.
  • The TitleBar module inherits from Module in .conf, but from DispatchingModule in .js.
  • Behavior during throttling has been improved to reduce file status requests during unusually heavy I/O load.
  • The per-saved search action.email.maxresults doesn’t work.
  • The savedsearches.conf.spec file is missing the attribute dispatch.reduce_freq.
  • Searching on a tag of the form tag::tag::tag results in an error displayed in Splunk Web “ValueError: too many values to unpack”.
  • There are two instances of lib.local_app on the Windows version.
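The OpenSSL fix is the one item in this list a security team will want to verify after upgrading. The version check below is an added example, not Splunk's own tooling: it compares OpenSSL's version strings (including the 0.9.8 letter-suffix scheme, where 0.9.8o < 0.9.8p < 0.9.8za) against the fixed release 0.9.8p, and, as an assumption, reads the bundled library's version through `splunk cmd openssl version` when SPLUNK_HOME points at an installation.

```shell
#!/bin/sh
# Added example (not part of Splunk): check whether an OpenSSL version string
# is at least 0.9.8p, the version Splunk 4.1.6 ships to address CVE-2010-3864.

# Compare two dotted numeric versions ("0.9.8" vs "1.0.0"); prints -1, 0 or 1.
cmp_num() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# Compare 0.9.x letter suffixes: shorter sorts first ("" < "a", "z" < "za"),
# equal length sorts lexically ("o" < "p"); prints -1, 0 or 1.
cmp_suf() {
    a=$1; b=$2
    if [ ${#a} -lt ${#b} ]; then echo -1; return; fi
    if [ ${#a} -gt ${#b} ]; then echo 1; return; fi
    if [ "$a" = "$b" ]; then echo 0; return; fi
    first=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "$a" ]; then echo -1; else echo 1; fi
}

# openssl_at_least HAVE WANT: exit 0 if HAVE >= WANT, 1 otherwise.
# Accepts strings such as "0.9.8o", "0.9.8p", "1.0.0a-fips".
openssl_at_least() {
    have_num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    have_suf=$(printf '%s' "$1" | sed 's/^[0-9.]*//; s/[^a-z].*$//')
    want_num=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    want_suf=$(printf '%s' "$2" | sed 's/^[0-9.]*//; s/[^a-z].*$//')
    r=$(cmp_num "$have_num" "$want_num")
    if [ "$r" -eq 0 ]; then r=$(cmp_suf "$have_suf" "$want_suf"); fi
    [ "$r" -ge 0 ]
}

# Assumption: the bundled openssl binary is reachable via "splunk cmd openssl".
# Its output looks like "OpenSSL 0.9.8p 16 Nov 2010"; the second field is the version.
if [ -n "$SPLUNK_HOME" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    bundled=$("$SPLUNK_HOME/bin/splunk" cmd openssl version 2>/dev/null | awk '{print $2}')
    if [ -n "$bundled" ]; then
        if openssl_at_least "$bundled" 0.9.8p; then
            echo "bundled OpenSSL $bundled: CVE-2010-3864 fix present"
        else
            echo "bundled OpenSSL $bundled: older than 0.9.8p, still exposed to CVE-2010-3864"
        fi
    fi
fi
```

Run it with SPLUNK_HOME set on the upgraded host; the comparison functions can also be sourced and used on version strings collected from other hosts, since the letter-suffix ordering is what a naive string or numeric comparison gets wrong.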