What's new - Splunk Documentation (2024)

This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.

The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.

Ingest Actions available on Splunk Cloud Platform on GCP
This unlocks nearly the full suite of Ingest Actions capabilities, including 'filter', 'mask', and 'set index', for Splunk Cloud Platform customers on GCP. Routing support to S3 or GCP is not included as part of this release.

Schedule PDF exports for Dashboard Studio
You can schedule a PDF export of your dashboards for email delivery. For more details, see Download and schedule email exports of dashboard content for sharing.

Removed file command
The previously disabled file command is now removed for all customers as of 8.2.2202.

Navigation link to Edge Processor service
You can now navigate from Splunk Cloud Platform to the Edge Processor service by opening the Settings menu and then selecting Edge Processor from the Data section. This Edge Processor link is available only when both of these conditions are met:
  • You are logged in as a user that has the edit_edge_processor capability.
  • You are working in a Splunk Cloud Platform deployment that is associated with a cloud tenant that has the Edge Processor service available.
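As an added illustration of how the three Ingest Actions named in the GCP entry above (filter, mask, set index) compose into an ingest-time ruleset, here is a small Python model. It is example code written for this page, not Splunk's implementation or its ruleset configuration format; the Event fields, the sample log lines, the regex patterns and the rule order are all constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    raw: str
    sourcetype: str
    index: str = "main"


# Constructed sample events for this example; they are not real logs.
SAMPLE_EVENTS = [
    Event("2024-05-01T10:00:00Z login ok user=alice card=4111111111111111", "app:auth"),
    Event("2024-05-01T10:00:01Z DEBUG heartbeat seq=42", "app:auth"),
    Event("2024-05-01T10:00:02Z payment declined card=5500000000000004 ssn=123-45-6789", "app:pay"),
]


def drop_matching(pattern):
    """'filter' action: drop any event whose raw text matches the pattern."""
    rx = re.compile(pattern)

    def act(ev):
        return None if rx.search(ev.raw) else ev
    return act


def mask(pattern, replacement):
    """'mask' action: rewrite matching text before the event is written to an index."""
    rx = re.compile(pattern)

    def act(ev):
        ev.raw = rx.sub(replacement, ev.raw)
        return ev
    return act


def set_index(sourcetype, index):
    """'set index' action: route events of one sourcetype to a different index."""
    def act(ev):
        if ev.sourcetype == sourcetype:
            ev.index = index
        return ev
    return act


def run_ruleset(events, actions):
    """Apply the actions in order; an action returning None drops the event."""
    kept = []
    for ev in events:
        for act in actions:
            ev = act(ev)
            if ev is None:
                break
        if ev is not None:
            kept.append(ev)
    return kept


# Hypothetical ruleset: drop debug noise first (cheapest), then mask, then route.
RULESET = [
    drop_matching(r"\bDEBUG\b"),
    # Simplified 16-digit card number: keep the first 6 and last 4 digits.
    mask(r"\b(\d{6})\d{6}(\d{4})\b", r"\1******\2"),
    # US SSN-shaped values are replaced entirely.
    mask(r"\b\d{3}-\d{2}-\d{4}\b", "XXX-XX-XXXX"),
    set_index("app:pay", "payments_restricted"),
]


def process(events=SAMPLE_EVENTS, ruleset=RULESET):
    """Run the ruleset over copies of the events so repeated calls are independent."""
    copies = [Event(e.raw, e.sourcetype, e.index) for e in events]
    return run_ruleset(copies, ruleset)


if __name__ == "__main__":
    for ev in process():
        print(f"[{ev.index}] {ev.raw}")
```

The order matters for both cost and safety: the filter runs first so dropped events are never masked, and masking runs before routing so that the copy reaching the restricted index is already the masked one. Mask patterns are deliberately anchored with word boundaries so that timestamps and sequence numbers are not rewritten by accident.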
Automatic removal of users on a Splunk platform instance that uses Okta as a Security Assertion Markup Language (SAML) protocol identity provider for authentication
When you connect your Splunk platform instance to an Okta SAML identity provider (IdP) for authentication, you can configure the platform so that if you remove a user from the IdP, the platform also removes the Splunk user that is associated with the SAML user. See Configure the Splunk platform to remove users on Okta in the Securing Splunk Cloud Platform Manual.

Role-based field filters do not work upon upgrade to this or later releases
Role-based field filters that were released as a preview feature in previous versions of Splunk Cloud Platform do not work in this or subsequent releases. Role-based field filters have been replaced by field filters.

Preview feature: Addition of field filters in Splunk Web to protect sensitive information
Now you can use field filters in Splunk Web to obfuscate or redact data such as personally identifiable information (PII) and protected health information (PHI), and control which users can see that sensitive information. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters.

---
READ THIS FIRST: Should you deploy field filters in your organization? Field filters is a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on any indexes if field filters are in use in the Securing Splunk platform manual.
---

To turn on field filters in your Splunk Cloud environment, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.

If you used the preview feature, role-based field filters, in a previous release of Splunk Cloud Platform, you must create new field filters to protect your sensitive data. Role-based field filters do not work in this or subsequent releases, and are not compatible with field filters.
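To make the field filter concept concrete, the following Python model is added here as an illustration; it is not Splunk's implementation, and Splunk's real configuration, role handling and restricted-command behaviour are not reproduced. It rewrites protected fields at search time according to the searching role, and refuses the restricted commands listed in the note above whenever a filter applies to that role. The role names, the exemption-by-role mechanism, the "hash" action and the sample events are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Commands the release note lists as restricted while field filters are in use.
RESTRICTED_COMMANDS = frozenset({"mpreview", "mstats", "tstats", "typeahead", "walklex"})


@dataclass(frozen=True)
class FieldFilter:
    field: str                               # field whose value is protected
    action: str                              # "redact" replaces the value; "hash" gives a stable token
    exempt_roles: frozenset = frozenset()    # roles allowed to see the real value (assumption)


class RestrictedCommandError(Exception):
    """Raised when a filtered search uses a command that cannot honour field filters."""


# Constructed sample events; field names and values are invented for this example.
EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "user": "alice", "ssn": "123-45-6789", "diagnosis": "flu"},
    {"_time": "2024-05-01T10:05:00Z", "user": "bob", "ssn": "987-65-4321", "diagnosis": "none"},
]

# Hypothetical filters: ssn is redacted for everyone but privacy_admin; diagnosis is
# pseudonymised for everyone but privacy_admin and clinician.
FILTERS = [
    FieldFilter("ssn", "redact", frozenset({"privacy_admin"})),
    FieldFilter("diagnosis", "hash", frozenset({"privacy_admin", "clinician"})),
]


def hash_value(value):
    """Deterministic token: equal inputs give equal tokens, so counts and joins still work."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def filters_for(role, filters=FILTERS):
    """Return the filters that apply to a role, i.e. those it is not exempt from."""
    return [f for f in filters if role not in f.exempt_roles]


def apply_filters(event, active):
    """Return a copy of the event with each protected field rewritten."""
    out = dict(event)
    for f in active:
        if f.field not in out:
            continue
        if f.action == "redact":
            out[f.field] = "[REDACTED]"
        elif f.action == "hash":
            out[f.field] = hash_value(out[f.field])
        else:
            raise ValueError(f"unknown action {f.action!r}")
    return out


def run_search(role, commands, events=EVENTS, filters=FILTERS):
    """Model a search: refuse restricted commands when any filter applies, else filter results."""
    active = filters_for(role, filters)
    used = RESTRICTED_COMMANDS.intersection(commands)
    if active and used:
        raise RestrictedCommandError(
            f"{sorted(used)} cannot run for role {role!r} while field filters apply")
    return [apply_filters(e, active) for e in events]


if __name__ == "__main__":
    for row in run_search("analyst", ["search", "stats"]):
        print(row)
```

Two design points carry over to real deployments: a hashed pseudonym keeps a field usable for grouping and joining without exposing the value, whereas redaction does not, and the restricted-command check is what the READ THIS FIRST note is warning about, so any workflow built on tstats, mstats or similar commands has to be planned around before filters go into production.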

Federated Search - Turn all federated providers off or on in batch mode
Turn all federated providers for federated search off or on with one REST API call. You can turn off federated search capability for troubleshooting or other reasons, and turn it back on when you are ready to restore federated search service.

This feature applies to Federated Search for Splunk as well as Federated Search for Amazon S3. You can turn off all federated providers for both types of federated search with one REST call. Alternatively, you can turn off all Federated Search for Splunk federated providers while leaving all Federated Search for Amazon S3 federated providers up and running, or vice versa. See Federated search endpoint descriptions.

Federated Search - Turn individual federated indexes off or on
Turn a single federated index off or on with one REST API call. If you determine that there may be problems with a specific federated index, turn it off while leaving other federated indexes associated with the same federated provider up and running. When the issues affecting the federated index are resolved, turn the federated index back on.

This feature applies to both Federated Search for Splunk and Federated Search for Amazon S3. See Federated search endpoint descriptions.

Interactive search for Settings menu
The Settings menu in Splunk Web now provides an interactive search bar that lets you easily find nested pages up to two levels deep. For example, you can use interactive search to access sub-pages on the Server Settings page, such as the Webhook allow list page, which were previously only accessible by clicking on the parent page.

Use of the _reload action with the rest search command is disabled
Do not use the _reload action with the rest command.

Workload Management enhancements
Enhanced search_time_range predicate functionality now lets you match workload rules and admission rules to specific search time ranges to improve search efficiency over large amounts of data.


For more information, see Configure workload rules in the Splunk Cloud Platform Admin Manual. Also see Splunk Ideas.

The relevancy command is removed.
Do not use the relevancy command.

The /services/search/commands REST API endpoint is deprecated.
The undocumented /services/search/commands REST API endpoint is deprecated and will be removed in a future release. If you have been inadvertently using this endpoint, stop using it.

The timeout argument for the append command is removed.
Do not use the timeout argument. It has no effect on searches.

FAQs

What are the 4 types of searches in Splunk by performance? ›

How search types affect Splunk Enterprise performance (search type: reference indexer throughput; performance impact):
  • Dense: up to 50,000 matching events per second; CPU-bound.
  • Sparse: up to 5,000 matching events per second; CPU-bound.
  • Super-sparse: up to 2 seconds per index bucket; I/O-bound.
  • Rare: from 10 to 50 index buckets per second; I/O-bound.

What's new in Splunk version 9? ›

General performance improvements in Splunk V9 include: Indexing performance: In V8, some customers reported slow indexing performance, especially when indexing large volumes of data. Version 9 has addressed this issue by introducing various indexing optimisations, resulting in faster and more efficient indexing.

Is Splunk still relevant? ›

Whether unraveling complex security incidents or unlocking insights from machine-generated data, Splunk remains at the forefront, empowering organizations to turn data into decisive action.

What are some of the most important configuration files in Splunk? ›

List of Splunk configuration files (configuration file: purpose):
  • app.conf: configure app properties.
  • authentication.conf: toggle between Splunk's built-in authentication or LDAP, and configure LDAP.
  • authorize.conf: configure roles, including granular access controls.
  • collections.conf: configure KV Store collections for apps.
(15 more rows in the original table.)
Mar 21, 2023

How to improve Splunk performance? ›

Target your search to a narrow dataset

Limit the timeframe of your search to 15 minutes or less. Reduce the amount of data the Splunk platform needs to search through by specifying specific index names in your searches. Typically, you want to store like data that is commonly searched together in the same index.

What are the three default roles in Splunk? ›

The predefined roles are: admin : This role has the most capabilities. power : This role can edit all shared objects and alerts, tag events, and other similar tasks. user : This role can create and edit its own saved searches, run searches, edit preferences, create and edit event types, and other similar tasks.

What are the three main Splunk components? ›

Splunk Components. The primary components in the Splunk architecture are the forwarder, the indexer, and the search head.

What is Splunk secret? ›

The splunk.secret file is located in the $SPLUNK_HOME/etc/auth directory. It is used to encrypt and decrypt the passwords in the Splunk configuration files. If the splunk.secret file is removed, a new one is automatically generated.

What makes Splunk better? ›

A Splunk log is highly scalable and easy for organizations to implement. It is able to find useful information within organizations' data without users having to identify it themselves. It saves searches and tags that it recognizes as important information, which helps organizations make their systems smarter.

Who is Splunk's main competitor? ›

Top Competitors and Alternatives of Splunk

The top three of Splunk's competitors in the Log Management category are Datadog with 60.93%, Logstash with 5.21%, and Loggly with 4.58% market share.

Does NASA use Splunk? ›

A connection establishes a link between NASA and Splunk nodes (or vice versa) to route data through the workflow. A connection between two nodes passes data from one node's output to another node's input. Each node can have one or multiple connections.

Who is buying Splunk? ›

Cisco Systems. "Cisco Completes Acquisition of Splunk." Cisco Systems. “Cisco to Acquire Splunk, to Help Make Organizations More Secure and Resilient in an AI-Powered World.”

What is the best use of Splunk? ›

Splunk Use Cases
  • Detecting Brute Force Attacks.
  • Detecting Network and Port Scanning.
  • Detecting Unencrypted Web Communications.
  • Measuring Memory Utilization by Host.
  • Measuring Storage Speed I/O Utilization by Host.
  • Measuring Storage I/O Latency.
  • Log Volume Trending.
  • Basic TOR Traffic Detection.
Oct 9, 2023

What is the top command in Splunk? ›

The top Command:

The top command in Splunk serves as a tool for identifying the most frequent or highest-ranking values within a dataset. By specifying fields and criteria, users can pinpoint the top values, facilitating trend analysis, anomaly detection, and performance monitoring.

Can Splunk connect to a database? ›

Splunk DB Connect connects your relational database data to Splunk Enterprise and makes that data consumable by Splunk Enterprise. In addition, Splunk DB Connect can do the reverse, writing Splunk Enterprise data back to your relational database.

What are different search modes in Splunk? ›

Comparing search modes (search mode: optimized for; displays):
  • Fast: search performance and transforming searches; displays only results.
  • Smart: a healthy compromise between data discoverability and search performance; displays events and results.
  • Verbose: data discoverability and event searches; displays events and results.

What are the 3 types of searching? ›

It is generally accepted that there are three main search types: transactional searches, navigational searches and informational searches. Most modern search engines are able to determine the type of search based on the search query entered and the format of that query.

What is the most efficient order in filtering for searches in Splunk? ›

A few things to remember about filters: time is the most efficient filter (smaller windows = faster results) and inclusion is better than exclusion (field=foo is better than field!=bar or NOT field=bar). Filtering using default fields is very important: add index, source, sourcetype, etc.

What are the three primary types of Internet searches? ›

In digital marketing, the 3 essential types of search queries — navigational, informational and transactional — play a crucial role. These aren't just buzzwords; they're the foundation for users' interaction with search engines. Understanding them is vital for anyone looking to make an impact online.

Author: Rubie Ullrich