Version: 3.6.0

Known Issues

AME-1440 TTL behaviour not set to true on "new" status option

The TTL behaviour should default to true on status options of type “new”. Users of the Free Version can run the "Enable apply-TTL on status-options with type-new" task again under Administration -> Setup -> Update.

HEC Indexer Acknowledgement in Splunk Cloud

HEC Indexer Acknowledgment is not supported in Splunk Cloud and enabling this feature will lead to connection timeouts.

See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/AboutHECIDXAck

Users missing when more than 1000 LDAP Users

Splunk only caches 1000 LDAP users by default.

As AME relies on the full user listing, it is recommended to increase the cache size by setting the following in limits.conf:

[ldap]
max_users_to_precache = <unsigned integer>
* The maximum number of users that are pre-cached from LDAP after
reloading auth.
* Set this to 0 to turn off pre-caching.

AME-1377 Alert-Data cannot be used as event-column

Event-table fields that are intended to display alert-data fields (non ame.-prefixed) do not display any values.

VirusTotal False Positive

vsw.exe has been identified as malware [1] (false positive). The Go binary is used on Windows for license verification and incorporates a cryptographic function. The source code is reviewed as part of Splunk’s Cloud Vetting Process. Vendors have been notified to mark the binary as safe.

[1] https://www.virustotal.com/gui/file/1cb09276e415c198137a87ba17fd05d0425d0c6f1f8c5afef81bac4fede84f6a
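
Before excluding vsw.exe from an endpoint product, it helps to confirm that the copy on disk is the sample referenced in [1], so the exclusion can be tied to the hash rather than to the file name. The following is an added example, not part of AME or its documentation; the search directory is an assumption supplied by the operator, and the function and variable names are illustrative. A different AME build of vsw.exe will hash differently and is reported as "unknown-hash".

```python
import hashlib
import hmac
from pathlib import Path

# SHA-256 taken from the VirusTotal URL in reference [1] on this page.
REFERENCED_SHA256 = "1cb09276e415c198137a87ba17fd05d0425d0c6f1f8c5afef81bac4fede84f6a"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_copies(root, name="vsw.exe", expected=REFERENCED_SHA256):
    """Return {path: (sha256, verdict)} for every file called `name` under `root`.

    The verdict is "matches-reference" when the hash equals `expected`,
    otherwise "unknown-hash": a different build, or a file reusing the name.
    """
    results = {}
    for path in sorted(Path(root).rglob("*")):
        # Windows file names are case-insensitive, so compare in lower case.
        if not path.is_file() or path.name.lower() != name.lower():
            continue
        actual = sha256_file(path)
        same = hmac.compare_digest(actual, expected.lower())
        results[str(path)] = (actual, "matches-reference" if same else "unknown-hash")
    return results


if __name__ == "__main__":
    import sys
    # Assumption: the first argument is the directory to search,
    # for example the directory the app is installed in.
    for found, (digest, verdict) in classify_copies(sys.argv[1]).items():
        print(f"{verdict:18} {digest}  {found}")
```

Only files reported as "matches-reference" correspond to the sample in [1]; anything else with the same name should be reviewed separately instead of inheriting the exclusion.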