Known and fixed issues for Splunk Cloud Platform
This page lists selected known issues and fixed issues for this release of Splunk Cloud Platform. Use the Version drop-down list to see known issues and fixed issues for other versions of Splunk Cloud Platform.
See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective known and fixed issues.
Version 9.3.2411
This version includes the following known issues:
Date filed or added | Issue number | Description |
---|---|---|
2025-03-30 | SPL-273098 | The UI for the "Show Source" field action returns a JavaScript error message when it should return a 404 error message. |
2025-02-04 | SPL-270271 | Scheduled email exports of large dashboards compress images to approximately 1440 x 960 pixels, leading to blurry PDFs. Workaround: Reduce the dimensions of the dashboard, or split up large dashboards into separate smaller dashboards. Scheduled export compresses the studio dashboard to a resolution of approximately 1440 x 960 pixels before it is screenshotted for the PDF. Reducing the dimensions of the dashboard closer to this resolution should improve the visibility and quality of the export. If you split the dashboard into smaller dashboards, and schedule them to export separately, this effectively reduces the dimensions of each dashboard and improves the quality of each exported PDF. |
2024-02-02 | SPL-270072 | Federated Search for Splunk - Proxy bundles are not reaped when external authentication is enabled on the remote deployment. Workaround: On the remote search head, turn external authentication on only for token authentication. |
2024-12-11 | SPL-267847 | Federated Analytics - Users cannot remove data lake indexes from a federated provider via the UI. When a data lake index is removed, it is no longer part of a federated provider definition, and it no longer ingests data from an Amazon Security Lake dataset. Removed data lake indexes can still be managed through the Indexes page. |
2024-11-19 | SPL-266456 | Federated Search, Federated Analytics: Cannot see or list federated indexes to assign / provide role-based access control. Workaround: In Splunk Web, you can use a wildcard to identify one or more federated indexes and then assign them as searchable indexes for a role. |
2024-09-05 | SPL-262259 | Splunk to Splunk Federated searches do not utilize the dispatch.index_earliest and dispatch.index_latest parameters in the saved search configuration when the search is dispatched to the remote search head, leading to incorrect results. Workaround: These parameters can be added as a part of the search string, using the _index_earliest and _index_latest time modifiers. This will send the parameters correctly to the remote search head. See List of time modifiers in the Search Reference. |
2024-08-12 | SPL-260620 | When a dashboard's permissions are changed in Dashboard Studio, this creates a new version of the dashboard. If you revert to a previous version of the dashboard, permissions changes are not automatically reverted. To work around this issue, change permissions manually. |
2024-08-09 | SPL-260552 | Federated Analytics: After creation of a new FA provider, it might take up to 25 minutes for remote ASL data to flow into its data lake indexes, and up to 100 minutes for data ingest to reach full velocity. |
2024-08-06 | SPL-260273 | If you select the tips actions when comparing dashboards in the Monaco editor, the page might fail to render properly. Do not select the tips, represented by a lightbulb icon, in the dashboard version history source comparison view. |
2024-06-04 | SPL-237180 | Saved searches on Splunk Cloud Platform that are owned by nobody are scheduled using the default time zone settings in the user-prefs.conf file instead of the system time zone in Splunk Cloud. But, searches are run internally as splunk-system-user, which is tied to system time in Splunk Cloud Platform and is based on UTC (Coordinated Universal Time). The mismatch between the default time zone settings in the user-prefs.conf file and Splunk Cloud system time can lead to potential discrepancies in search results under certain conditions when the time zones for nobody and splunk-system-user get out of sync. If you're experiencing mismatched time zones with nobody-owned searches following migration from Splunk Enterprise to Splunk Cloud Platform, reassign searches to a user account attached to a role, so searches aren't assigned to nobody. An alternative workaround is to set the schedules for nobody-owned saved searches to UTC, which ensures that searches are the same as system time. |
2024-04-12 | SPL-254077 | CIDR match for tstats with IPv6 addresses isn't supported. The |
2024-01-05 | SPL-240774 | The DELIMS setting or the kvdelim option may not be applied correctly when the k/v delim character appears 2 or more times in a field value. Workaround: Perform field extractions by modifying your searches using other commands, such as the rex command or eval command. |
2023-07-26 | SPL-242487 | Dashboard charts do not support screen reader or keyboard navigation. |
2023-07-20 | SPL-240969 | props and transforms created with 000-self-services (000-self-services/local/transforms.conf) as the destination app get removed during sync triggered by actions such as saving rulesets in Ingest Actions. Workaround: Do not save search time field transformations to the 000-self-services app. Move the existing 000-self-services/local/transformations.conf under a different app. |
2023-05-30 | Not applicable | ACS endpoint connections fail after June 4, 2023 or HEC sessions fail after June 14, 2023 with error messages that mention SSL, TLS, or HTTP error 503 or 525. See Cloud Platform Discontinuing support for TLS version 1.0 and 1.1. |
2023-05-02 | SPL-239436 | In federated search, outputlookup existence check on RSH causes search to terminate early although it is not run on RSH in standard mode. Workaround: Define the lookup on both federated search head and remote search head. |
2023-04-24 | SPL-237902 | Ad hoc searches that specify earliest relative time offset assuming from 'now' should explicitly include 'latest=now' to avoid a potential time range inaccuracy. Workaround: Ad hoc searches that use the earliest time modifier with a relative time offset should also include Running the same search without including |
2023-04-14 | SPL-238738 | Federated search does not support the "Show Source" field action in either standard or transparent mode. |
2022-08-23 | SPL-228969 | Federated Search: In Splunk Web federated index UI you cannot provide data model Dataset Name values that contain a dot ( . ) character. Workaround: This is a limitation for users of standard mode federated search who want to set up federated indexes that map to data model datasets. It means that such users cannot set up federated indexes for data model datasets that are subordinate to a root dataset. For example, if the root data model dataset is tstats searches that use the nodename argument to filter out data that does not belong to a specific data model dataset: | tstats ... where nodename=Network_Traffic.All_Traffic . |
2022-07-29 | SPL-227633 | Error : Script execution failed for external search command 'runshellscript'. Workaround: The setting precalculate_required_fields_for_alerts=0 can be set on saved searches that have no other alert actions attached aside from the "Run A Script" action, to quash the error. For saved searches that have multiple alert actions attached, this may not be safe as it will disable back propagation of required fields for all alert actions, which might result in the parent search extracting more fields than required, which could negatively impact performance for that search. |
2022-06-15 | SPL-226877 | Federated Search UI Error: Cannot create saved search dataset for federated index if dataset name contains space. Workaround: Use REST API to create the federated saved search instead: curl -k -u <username>:<password> -X POST https://localhost:8089/servicesNS/nobody/search/data/federated/index -d name=federated:index_kathy -d federated.dataset='savedsearch:ss with space' -d federated.provider=remote_deployment_1 . See Federated search endpoint descriptions in the REST API Reference Manual. |
2021-04-30 | SPL-205069 | onunloadCancelJobs failed to cancel search job on Safari. Workaround: Use another browser such as Chrome or Firefox. |
This version fixes the following issues:
Date filed or added | Issue number | Description |
---|---|---|
2024-07-24 | SPL-259611 | Zooming in on a line chart in Dashboard Studio fails if the chart is downsampled and has a y2 axis. |
2024-07-23 | SPL-259458 | Zooming in on a numerical chart can have unexpected behavior if the chart has been downsampled, because the chart will not be downsampled again after zooming. |
2024-07-19 | SPL-257366 | Using NOT with subsearch is failing with WARN message "Unable to extract et and lt from search with sid". |
2024-07-09 | SPL-258810 | The list of saved searches in Dashboard Studio remains cached in the browser after the sidebar is closed. To update the list of saved searches after adding new ones, refresh the page. |