In some circumstances, (specifically with lookups and the dedup command), there were huge memory, performance and crashing issues.
I had cases open through many of the 7.1 -7.2x branches, all of which have cleared up with 7.2.4
I would encourage you to test 7.1 throughly to see if you will suffer from these issues, or consider jumping to the latest 7.2.4.2
Btw, ldap request paging is only available in Splunk 7.2.x.
Many thanks @somesoni2.
Our sales engineer referred me now to -
https://docs.splunk.com/Documentation/Splunk/7.1.6/Installation/AboutupgradingREADTHISFIRST
https://docs.splunk.com/Documentation/Splunk/7.1.6/ReleaseNotes/Knownissues
https://docs.splunk.com/Documentation/Splunk/7.1.6/ReleaseNotes/Deprecatedfeatures
In some circumstances, (specifically with lookups and the dedup command), there were huge memory, performance and crashing issues.
I had cases open through many of the 7.1 -7.2x branches, all of which have cleared up with 7.2.4
I would encourage you to test 7.1 throughly to see if you will suffer from these issues, or consider jumping to the latest 7.2.4.2
Much appreciated @nickhillscpl
Support said -
-- What you were told in Answers is true!
There were quite a few issues with memory throughout 7.X -- the most stable release in all of 7.X would be indeed 7.2.4; If you are utilizing SmartStore(s2), then the .2 (7.2.4.2) patch is recommended as well.
Our Sales Engineer said -
That’s a really generic complaint. I’d need bug tracker numbers (usually SPL-XXXXXX) to find out.
Actually, I THINK I managed to find it. It was addressed by 7.1.4 and 7.2.0. You’re fine.
My bugs were SPL-162166 and SPL-162548 (fixed in 7.2.4) and SPL-156444 which I think was patched out in 7.1.4 (although it escaped the release notes)
Very very kind @nickhillscpl !!!!
Interesting thing. Looking at https://docs.splunk.com/Documentation/Splunk/7.2.4/ReleaseNotes/Knownissues
And I don't see there SPL-162166 and SPL-162548. Where are they documented?
From Support -
It is in the known issues page for 7.2.0
https://docs.splunk.com/Documentation/Splunk/7.2.0/ReleaseNotes/Knownissues
and for the SPL mentioned in the email prior to your last (SPL-156444):
https://docs.splunk.com/Documentation/Splunk/7.1.4/ReleaseNotes/Fixedissues
From the Sales Engineer -
SPL-162166 only affects 7.2.x branches, 7.1.6 will be unaffected.
SPL-162548 only affects 7.2.x branches. 7.1.6 will be unaffected.
If 7.2.4 is not palatable, 7.1.6 looks like a solid release. Of course, extensive testing for your usecases is important with any deployment. Please let us know if you encounter unexpected issues.
As an aside https://docs.splunk.com/Documentation/Splunk/7.2.0/ReleaseNotes/Knownissues
SPL-162166, SPL-162548 gives this lovely search to find the largest lookups and in our environment, naturally the largest ones are ITSI's -
index=_* sourcetype=audittrail path=*lookups* size=*
| stats max(size) AS size BY host, path
| append
[| rest services/server/introspection/kvstore/collectionstats
| mvexpand data
| table splunk_server title data
| spath input=data
| fields splunk_server size ns ]
| eval host=coalesce(host,splunk_server)
| fields host path ns size
| sort size
They are in 'fixed' issues - not 'known' https://docs.splunk.com/Documentation/Splunk/7.2.4/ReleaseNotes/Fixedissues
2019-01-16 SPL-162166, SPL-162548 splunkd: /opt/splunk/src/search/processors/lookup/IndexedCsvDataProvider.cpp:165: virtual void IndexedCsvDataProvider::lookupBatch(UnpackedResults&, const SearchResultsInfo&, const LookupDefinition&): Assertion `!_parse_only' failed.
Although I have no idea what any of that means, and they were my bugs 🙂