Known issues
The following tables include issues and workarounds for releases of Splunk Enterprise Security. Issues are listed in all relevant sections. Some issues appear more than once.
Splunk Enterprise Security 8.2.3 known issues
Date filed | Issue number | Description |
---|---|---|
2025-08-06 | SPL-282727 | Cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. Workaround: Install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line. |
2025-09-22 | BLUERIDGE-19262 | The analyst queue does not re-use previous results when the "Hide findings" setting is turned on. Workaround: Go to the analyst queue settings and turn off "Hide findings" to re-enable the re-use of previous results and improve load times on the analyst queue. |
2025-09-09 | BLUERIDGE-19067 | Suppression does not work on saved views after upgrading from 7.3.4 to 8.2.1. |
2025-08-27 | BLUERIDGE-18769 | Markdown links are not clickable |
2025-08-20 | BLUERIDGE-18694 | Custom field values assigned in an investigation do not show up in the analyst queue. |
2025-07-31 | BLUERIDGE-17978 | The ES SOAR API endpoint "ES get notes in findings or investigation" intermittently returns URI-encoded content. Workaround: We wrote a custom function to convert the URI-encoded content back to plain text for use in the relevant playbook(s). |
2025-07-16 | BLUERIDGE-17923 | Workflow actions cannot be used correctly from within the Incident Review dashboard with multivalue fields (duplicate of SOLNESS-45320). |
2025-07-16 | BLUERIDGE-17699 | Changing the status of a finding or investigation is not reflected in the analyst queue without a refresh. |
2025-07-16 | BLUERIDGE-17698 | Removing findings from an investigation does not work reliably. |
2025-07-10 | BLUERIDGE-17532 | The analyst queue table must be refreshed to see a manually added finding. |
2025-07-09 | BLUERIDGE-17527 | ES blocks fail when the finding does not exist on Splunk SOAR. Workaround: Use `refresh finding or investigation` before using `get finding or investigation`. |
2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem, due to search head cluster redirection issues. Workaround: Change all non-FQDN hostname references to FQDNs in the `server.conf` configuration file. However, this might increase the load on the DNS. Alternatively, edit `/etc/hosts` on each search head cluster member to map the IP address to the FQDN hostname of the search head. Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption, for example duplicate HRIDs. You can mitigate this by using the KV captain only for all UI flows. If you are using Splunk Enterprise Security (on-prem), run the following curl command against the management port, authenticating as an administrative user: `curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "disable_api_redirection=<true/false>"` Note that `-k` disables TLS certificate verification; supply the CA certificate instead where possible. If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
2024-10-18 | BLUERIDGE-13121 | Users with the ess_user role cannot view saved views. Workaround: Assign the `edit_filter_sets` capability to the user. |
2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
2024-10-17 | BLUERIDGE-13081 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
2024-10-16 | BLUERIDGE-13006 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
2024-10-09 | BLUERIDGE-12864 | The UI does not validate against duplicate finding fields on the analyst queue settings page. |
2024-09-27 | BLUERIDGE-12602 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
2024-05-13 | BLUERIDGE-9351 | Status and owner both have a value called "unassigned" but also show "unassigned" when nothing is assigned, which can be confusing. |
Splunk Enterprise Security 8.2.2 known issues
Date filed | Issue number | Description |
---|---|---|
2025-08-06 | SPL-282727 | Cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. Workaround: Install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line. |
2025-09-22 | BLUERIDGE-19262 | The analyst queue does not re-use previous results when the "Hide findings" setting is turned on. Workaround: Go to the analyst queue settings and turn off "Hide findings" to re-enable the re-use of previous results and improve load times on the analyst queue. |
2025-09-26 | BLUERIDGE-19326 | Searches don't run when the analyst queue uses the default time of 30 seconds, because all searches run for longer than 30 seconds. Workaround: Set the value of `max_time` to 0 instead of None. |
2025-09-09 | BLUERIDGE-19067 | Suppression does not work on saved views after upgrading from 7.3.4 to 8.2.1. |
2025-08-27 | BLUERIDGE-18769 | Markdown links are not clickable |
2025-08-20 | BLUERIDGE-18694 | Custom field values assigned in an investigation do not show up in the analyst queue. |
2025-07-31 | BLUERIDGE-17978 | The ES SOAR API endpoint "ES get notes in findings or investigation" intermittently returns URI-encoded content. Workaround: We wrote a custom function to convert the URI-encoded content back to plain text for use in the relevant playbook(s). |
2025-07-16 | BLUERIDGE-17923 | Workflow actions cannot be used correctly from within the Incident Review dashboard with multivalue fields (duplicate of SOLNESS-45320). |
2025-07-16 | BLUERIDGE-17699 | Changing the status of a finding or investigation is not reflected in the analyst queue without a refresh. |
2025-07-16 | BLUERIDGE-17698 | Removing findings from an investigation does not work reliably. |
2025-07-10 | BLUERIDGE-17532 | The analyst queue table must be refreshed to see a manually added finding. |
2025-07-09 | BLUERIDGE-17527 | ES blocks fail when the finding does not exist on Splunk SOAR. Workaround: Use `refresh finding or investigation` before using `get finding or investigation`. |
2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem, due to search head cluster redirection issues. Workaround: Change all non-FQDN hostname references to FQDNs in the `server.conf` configuration file. However, this might increase the load on the DNS. Alternatively, edit `/etc/hosts` on each search head cluster member to map the IP address to the FQDN hostname of the search head. Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption, for example duplicate HRIDs. You can mitigate this by using the KV captain only for all UI flows. If you are using Splunk Enterprise Security (on-prem), run the following curl command against the management port, authenticating as an administrative user: `curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "disable_api_redirection=<true/false>"` Note that `-k` disables TLS certificate verification; supply the CA certificate instead where possible. If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
2024-10-18 | BLUERIDGE-13121 | Users with the ess_user role cannot view saved views. Workaround: Assign the `edit_filter_sets` capability to the user. |
2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
2024-10-17 | BLUERIDGE-13081 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
2024-10-16 | BLUERIDGE-13006 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
2024-10-09 | BLUERIDGE-12864 | The UI does not validate against duplicate finding fields on the analyst queue settings page. |
2024-09-27 | BLUERIDGE-12602 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
2024-05-13 | BLUERIDGE-9351 | Status and owner both have a value called "unassigned" but also show "unassigned" when nothing is assigned, which can be confusing. |
Splunk Enterprise Security 8.2.1 known issues
Date filed | Issue number | Description |
---|---|---|
2025-08-06 | SPL-282727 | Cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. Workaround: Install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line. |
2025-09-09 | BLUERIDGE-19067 | Suppression does not work on saved views after upgrading from 7.3.4 to 8.2.1. |
2025-08-27 | BLUERIDGE-18769 | Markdown links are not clickable |
2025-09-18 | BLUERIDGE-19211 | Filtering on the analyst queue returns incorrect results. |
2025-08-20 | BLUERIDGE-18694 | Custom field values assigned in an investigation do not show up in the analyst queue. |
2025-07-31 | BLUERIDGE-17978 | The ES SOAR API endpoint "ES get notes in findings or investigation" intermittently returns URI-encoded content. Workaround: We wrote a custom function to convert the URI-encoded content back to plain text for use in the relevant playbook(s). |
2025-07-16 | BLUERIDGE-17923 | Workflow actions cannot be used correctly from within the Incident Review dashboard with multivalue fields (duplicate of SOLNESS-45320). |
2025-07-16 | BLUERIDGE-17699 | Changing the status of a finding or investigation is not reflected in the analyst queue without a refresh. |
2025-07-16 | BLUERIDGE-17698 | Removing findings from an investigation does not work reliably. |
2025-07-10 | BLUERIDGE-17532 | The analyst queue table must be refreshed to see a manually added finding. |
2025-07-09 | BLUERIDGE-17527 | ES blocks fail when the finding does not exist on Splunk SOAR. Workaround: Use `refresh finding or investigation` before using `get finding or investigation`. |
2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem, due to search head cluster redirection issues. Workaround: Change all non-FQDN hostname references to FQDNs in the `server.conf` configuration file. However, this might increase the load on the DNS. Alternatively, edit `/etc/hosts` on each search head cluster member to map the IP address to the FQDN hostname of the search head. Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption, for example duplicate HRIDs. You can mitigate this by using the KV captain only for all UI flows. If you are using Splunk Enterprise Security (on-prem), run the following curl command against the management port, authenticating as an administrative user: `curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "disable_api_redirection=<true/false>"` Note that `-k` disables TLS certificate verification; supply the CA certificate instead where possible. If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
2024-10-18 | BLUERIDGE-13121 | Users with the ess_user role cannot view saved views. Workaround: Assign the `edit_filter_sets` capability to the user. |
2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
2024-10-17 | BLUERIDGE-13081 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
2024-10-16 | BLUERIDGE-13006 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
2024-10-09 | BLUERIDGE-12864 | The UI does not validate against duplicate finding fields on the analyst queue settings page. |
2024-09-27 | BLUERIDGE-12602 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
2024-05-13 | BLUERIDGE-9351 | Status and owner both have a value called "unassigned" but also show "unassigned" when nothing is assigned, which can be confusing. |
Splunk Enterprise Security 8.2.0 known issues
A list of key known issues in this version of Splunk Enterprise.
See also
For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).