Known issues

The following tables include issues and workarounds for releases of Splunk Enterprise Security. Issues are listed in all relevant sections. Some issues appear more than once.

Splunk Enterprise Security 8.4.0 known issues

A list of key known issues in this version of Splunk Enterprise Security.

Date filed Issue number Description
03-09-2026 SECHELP-341

In environments with detection versioning turned on, DA-ESS-ContentUpdate (ESCU) and other apps might get stuck "in-progress" while updating version information. This can prevent you from editing the detections in the UI.

Splunk Cloud workaround: Detection versioning is turned off for impacted customers. This action reverts detection management to a non-versioned status until a permanent fix is provided.

On-premises workaround:
  1. Disable detection versioning on each of the search heads by disabling the CMS modular input using the API:
     curl -k -X POST https://{STACK_URL}/servicesNS/nobody/SA-ContentVersioning/data/inputs/cms_parser/main/disable
  2. Restart Splunk.
  3. Disable detection versioning:
     curl -k https://{STACK_URL}:8089/servicesNS/nobody/SA-ContentVersioning/properties/feature_flags/general \
       -X POST \
       -d versioning_init="0" \
       -d versioning_activated="0"

Date filed Issue number Description
2025-09-15 UEBA-3027 Some events are not showing up for the "Unusual Unlock Time" detection
2025-09-16 UEBA-3039 Irrelevant artifacts are showing up in the "Unusual Volume Of Blocked Connections Per User" detection