Limitations
Following are some of the limitations in Splunk Enterprise Security version 8.x:
- Finding-based detections created prior to Splunk Enterprise Security version 8.4 might stop working or need updates to use new macros in version 8.4. For more information, see Changes in detection macros in Splunk Enterprise Security version 8.4
- Splunk Enterprise Security supports only HTTPS connections.
- Splunk Enterprise Security does not support field filters using Splunk Web.
- Splunk Enterprise Security version 8.x supports search head clustering only on Linux operating systems. On Windows, Splunk Enterprise Security 8.x is supported only on standalone systems.
- Incident Review row expansion is no longer available. Use the side panel view to review information on findings and investigations.
- The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) is replaced by the Mission Control UI. Data from Mission Control incidents are migrated to Splunk Enterprise Security version 8.x. See Migrating Splunk Mission Control incident data to Splunk Enterprise Security 8.x
- Investigation data from Splunk Enterprise Security versions 7.3.2 or prior are not migrated to investigations in Splunk Enterprise Security version 8.x. See Review and finish legacy investigations in Splunk Enterprise Security.
Note: To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
- Sequence templates are "read-only" in Splunk Enterprise Security version 8.x and higher.
- Service level agreements (SLAs) and role-based incident type filtering is not available in Splunk Enterprise Security 8.x.
- Adaptive response actions are not available for investigations.
- The Comments feature available in prior versions of Splunk Enterprise Security is now replaced by an enhanced capability to add notes.
Note: Splunk Enterprise Security does not support the ability to enforce a note when editing a feature or investigation.
- If you customized your navigation bar in previous versions of Splunk Enterprise Security, you need to reset it in order to see the new navigation bar pages for version 8.x.
-
When you upgrade Splunk Enterprise Security to version 8.x or higher for the first time, the summary fields in your findings or investigations are not automatically ported upon upgrade. Summary fields are user-defined key-value pairs that you can manually create or populate for specific findings or investigations. To ensure that summary fields are ported, you must add the summary fields in the event attributes table when you create any new summary fields.
-
When you upgrade Splunk Enterprise Security to version 8.x and higher for the first time, the custom fields in your findings and investigations are not ported automatically upon upgrade. Before you upgrade Splunk Enterprise Security, you must add all the custom fields in the event attributes table so that it displays in the Additional fields section.Note: Custom fields can be added before and after you upgrade Splunk Enterprise Security. If you update the custom fields after the upgrade, then the custom fields are displayed in the Investigations Overview.
-
For limitations with hybrid pairing, see Splunk SOAR compatibility