Known issues
The following tables include issues and workarounds for releases of Splunk Enterprise Security. Issues are listed in all relevant sections. Some issues appear more than once.
Splunk Enterprise Security 8.5.x known issues
Known issues in Splunk Enterprise Security 8.5.1
Following are some of the known issues in Splunk Enterprise Security version 8.5.1:
Known issues in Splunk Enterprise Security 8.5.0
Following are some of the known issues in Splunk Enterprise Security version 8.5.0:
| Date filed | Issue number | Description |
|---|---|---|
| 2026-03-09 | SECHELP-341 | Environments with detection versioning turned on might result in the DA-ESS-ContentUpdate (ESCU) and other apps being stuck "in-progress" when updating version information. This can prevent you from editing the detections in the UI. Splunk Cloud workaround: Detection versioning is turned off for impacted customers. This action reverts detection management to a non-versioned status until a permanent fix is provided. On-premises workaround: |
| 2026-04-13 | SECHELP-448 | After upgrading to ES version 8.4 or ES version 8.5, ad-hoc searches that are launched from the ES app are run under the Mission Control app context, instead of the ES app context. Knowledge objects such as lookups are based on the search app context. This can cause the following issues for any customer-configured ES knowledge object that is app-scoped, such as lookups: |
| 2026-03-16 | SECHELP-363 | Configuration settings in the local/savedsearches.conf file are lost or changed after an ES 8.x upgrade. Workaround: Disable the modular input by running the following curl command: CODE Run the curl command on the ES Search Head. If using a search head cluster, run the curl command on the primary node. |
See also
For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).