Splunk Changelog

New in Splunk 6.4.2 (Jul 27, 2016)

  • New Distributed Management Console Views:
      • New Distributed Management Console views for Search Scheduler, HTTP Event Collector, Splunk TCP Performance, Distributed Search Performance, System Wide Search Performance, and System Resources I/O.
      • Most of the information shown in the System Activity view in earlier versions of Splunk Enterprise is now included in Distributed Management Console views. The System Activity view is removed from this version of Splunk Enterprise.
  • Custom Visualizations:
      • Install visualization apps from a new visualization library on Splunkbase. Available visualizations include the following:
          • Horizon chart
          • Sankey diagram
          • Status indicator
          • Timeline
          • Treemap
      • These visualizations can be used instead of or in addition to the standard Splunk platform visualizations. They work with Search, Dashboards, and Reports.
      • A new extensibility API is also available for partners, customers, and third-party developers to create and package custom visualizations.
  • Data Sampling Mode for Dashboard Searches:
      • Efficiently evaluate trends and patterns by using a sample ratio within a search.
  • Tsidx Retention Policy:
      • Reduces the storage requirements for older data by approximately 50% by removing the tsidx indexing information. The data remains searchable, but at reduced performance. The retention policy is configurable by data age per index.
  • SAML Providers:
      • New support for Okta, Azure AD, and ADFS.
  • Indexer Cluster Enhancements:
      • Option to force-roll specific hot buckets. Ability to quarantine a search peer.
  • Search Head Clustering Enhancements:
      • Search peer replication.
  • Universal Forwarder on Docker:
      • The Universal Forwarder is available on Docker Hub.
  • Universal Forwarder support for Linux on Power Little Endian (LE):
      • Universal Forwarder platform support includes Linux on Power on the Little Endian architecture.
  • Additional features:
      • Splunk Enterprise on-premises customers also get access for the first time to the following features, which were introduced in the cloud-only version 6.3.1511.
      • Summary Replication:
          • Ability to replicate data model acceleration and report acceleration summaries on an indexer cluster.
      • SAML:
          • Ability to connect with the Okta SAML provider.
      • Log Event Alert Action:
          • Ability to create a custom log event that is sent back to the Splunk platform for indexing, searching, and reporting.
      • User / Role Replication:
          • Ability to replicate Splunk software users and roles on a search head cluster.
      • Event Sampling:
          • A probabilistic sampling function for ad-hoc searches and saved reports. Use event sampling to perform quick searches to ensure the correct events are returned, and to determine the characteristics of a large data set without processing every event.
      • UI Control for Global Default Time Range:
          • Administrators can now define a default time range value for all search pages by using a UI control in Splunk Web.
      • HTTP Event Collector: Indexer Acknowledgement (Splunk Cloud self-service only):
          • Allows token administrators to enable indexer acknowledgements. When enabled, clients can poll a new REST endpoint to check whether or not events have been indexed, in a secure and scalable manner.
      • HTTP Event Collector: Raw Endpoint:
          • A new token-based endpoint that allows customers to send raw events directly to Splunk software. Removes the need to format customer data into the Splunk JSON event format. Also supports batching of events.
      • HTTP Event Collector: Dedicated SSL and CORS settings:
          • HTTP Event Collector now uses dedicated settings for SSL and CORS that are independent of the Splunk REST API configuration. These settings are in inputs.conf under the http stanza and are required for enabling SSL and CORS in Splunk Enterprise 6.4.
  • Documentation Updates:
      • Splunk universal forwarder documentation has moved from the Splunk Enterprise Forwarding Data manual to a new Universal Forwarder Manual in the Splunk universal forwarder documentation set. This change makes installation, upgrade, and usage information about the universal forwarder easier to find and navigate for Splunk Enterprise, Splunk Cloud, and Splunk Light customers.
      • The Search Tutorial has been updated to be clearer and more concise. Additionally, steps that differ between Splunk Cloud and Splunk Enterprise are highlighted.
      • The spec and example files in the Admin Guide are now formatted with subheadings that enable inline navigation.
  • REST API updates:
      • This release includes the following new and updated REST API endpoints:
          • authentication/providers/SAML
          • authentication/providers/SAML/{stanza_name}
          • cluster/master/control/control/roll-hot-buckets
          • data/inputs/tcp/splunktcptoken
          • saved/searches
          • server/status/resource-usage/iostats
      • Splunk Enterprise on-premises customers also get access for the first time to the following endpoints, which were introduced or updated in the cloud-only version 6.3.1511:
          • authorization/grantable_capabilities
          • cluster/master/buckets
          • cluster/config
          • data/inputs/http/{name}/rotate
          • data/ui/views
          • data/ui/views/{name}
          • services/admin/SAML-user-role-map
          • services/admin/SAML-user-role-map/{name}
          • services/collector
          • services/collector/ack
          • services/collector/event
          • services/collector/mint
          • services/collector/raw
          • services/data/inputs/tcp/splunktcptoken
          • services/data/inputs/tcp/splunktcptoken/{name}
          • services/data/summaries
          • services/data/summaries/{summary_name}
          • services/server/status/resource-usage/iostats
          • services/server/status/resource-usage/splunk-processes
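The indexer-acknowledgement flow described under "HTTP Event Collector: Indexer Acknowledgement" above, as an added example that is not part of these release notes or of Splunk's own code: a small Python client that batches events to services/collector/event, keeps the returned ackId values, and polls services/collector/ack until each batch is confirmed indexed. That is the property a sender needs when an HTTP 200 only means "received", not "durably indexed". The endpoint paths are the ones the release notes list; the header and message shapes (the X-Splunk-Request-Channel header, the ackId field, the {"acks": [...]} poll body and the {"acks": {"0": true}} reply) are assumptions taken from the public HEC API rather than from this page, and the token, channel GUID and log lines are constructed. An in-process stub stands in for the collector so the example runs offline; against a real collector you would use HTTPS and the instance's own token.

```python
import json
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # constructed placeholder token
CHANNEL = "11111111-2222-3333-4444-555555555555"    # constructed channel GUID (assumed header value)


class StubHEC(BaseHTTPRequestHandler):
    """Offline stand-in for a collector with acknowledgement enabled (assumed API shape).
    A batch is reported as indexed only on its second poll, so the client must retry."""
    polls = {}                  # ackId -> number of times it has been polled
    next_ack_id = 0
    lock = threading.Lock()

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        cls = type(self)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != f"Splunk {HEC_TOKEN}":
            return self._reply(403, {"text": "Invalid token", "code": 4})
        if not self.headers.get("X-Splunk-Request-Channel"):
            return self._reply(400, {"text": "Data channel is missing", "code": 10})
        if self.path == "/services/collector/event":
            # One JSON event per line: a single request carries a whole batch.
            events = [json.loads(ln) for ln in body.decode().splitlines() if ln.strip()]
            if not events or any("event" not in e for e in events):
                return self._reply(400, {"text": "No data", "code": 5})
            with cls.lock:
                ack_id, cls.next_ack_id = cls.next_ack_id, cls.next_ack_id + 1
                cls.polls[ack_id] = 0
            return self._reply(200, {"text": "Success", "code": 0, "ackId": ack_id})
        if self.path == "/services/collector/ack":
            result = {}
            with cls.lock:
                for ack_id in json.loads(body)["acks"]:
                    if ack_id in cls.polls:
                        cls.polls[ack_id] += 1
                    # Unknown ids are simply "not indexed"; known ids flip true on the 2nd poll.
                    result[str(ack_id)] = cls.polls.get(ack_id, 0) >= 2
            return self._reply(200, {"acks": result})
        self._reply(404, {"text": "Not found"})

    def log_message(self, *args):
        pass  # keep the stub silent


def post_json(base_url, path, payload):
    """POST bytes with the HEC token and channel headers; return the parsed JSON reply."""
    req = urllib.request.Request(base_url + path, data=payload, method="POST")
    req.add_header("Authorization", f"Splunk {HEC_TOKEN}")
    req.add_header("X-Splunk-Request-Channel", CHANNEL)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def send_batch(base_url, events, sourcetype="example"):
    """Send one batch. HTTP 200 means 'received', not 'indexed': return the ackId to poll."""
    body = "\n".join(json.dumps({"event": e, "sourcetype": sourcetype}) for e in events)
    return post_json(base_url, "/services/collector/event", body.encode())["ackId"]


def wait_for_acks(base_url, ack_ids, attempts=5, delay=0.01):
    """Poll the ack endpoint until every ackId is confirmed; return the ids still pending."""
    pending = set(ack_ids)
    for _ in range(attempts):
        if not pending:
            break
        poll = json.dumps({"acks": sorted(pending)}).encode()
        reply = post_json(base_url, "/services/collector/ack", poll)
        pending = {i for i in pending if not reply["acks"].get(str(i), False)}
        if pending:
            time.sleep(delay)
    return pending


def run_demo():
    """Start the stub, send two constructed batches, and report how many were acknowledged."""
    server = HTTPServer(("127.0.0.1", 0), StubHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        ids = [send_batch(base, ["login ok user=alice", "login failed user=bob"]),
               send_batch(base, ["sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls"])]
        pending = wait_for_acks(base, ids)
        return {"sent": len(ids), "acked": len(ids) - len(pending), "pending": sorted(pending)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The design point is in wait_for_acks: a batch whose ackId never flips to true within the retry budget stays in the returned pending set, so the caller can re-send or alert instead of silently assuming delivery.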

New in Splunk 6.3.2 (Dec 17, 2015)

  • Platform:
      • Search Parallelization. Optimized CPU utilization for faster search execution. See "Manage report acceleration", "Accelerate data models", and "Configure batch mode search" in the Knowledge Manager Manual.
      • Index Parallelization. Optimized CPU utilization for faster data ingestion.
      • Intelligent Job Scheduling. Intelligent job scheduling provides improved system utilization and predictable performance. See "Configure the priority of scheduled reports" in the Reporting Manual.
      • Data Integrity Control. Data integrity control ensures that indexed data has not been modified. See "Manage data integrity" in the Securing Splunk Enterprise manual.
      • Single Sign-On Using SAML. Support for SAML 2.0 for single sign-on using PingFederate as the Identity Provider. See "About single sign-on using SAML" in the Securing Splunk Enterprise manual.
      • Search Head Clustering Improvements. Performance optimization, scalability, and management improvements. Support for Windows OS.
      • Indexer Clustering Improvements. Ability to turn off search affinity. See "Implement search affinity in a multisite indexer cluster" in the Managing Indexers and Clusters of Indexers manual.
      • HTTP Event Collector. Indexing of high-volume JSON-based application and IoT data sent directly via a secure, scalable HTTP endpoint. No forwarder required. See "Use the HTTP Event Collector" in the Getting Data In manual.
      • Custom Alert Actions. Customizable alert actions and packaged integrations with popular third-party applications or messaging systems. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
      • Key Value Store - Distributed Lookups. Allows app developers to do KV Store lookups on remote indexers to improve efficiency in large-scale distributed environments. See "About the app key value store" in the Admin Manual.
      • Key Value Store - Lookup Filtering. Allows app developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.
  • Management and Administration:
      • HTTP Event Collector Configuration. Create and manage configurations for the HTTP Event Collector. See "Use the HTTP Event Collector" in the Getting Data In manual.
      • Source Type Manager. Create and manage source type configurations independent of getting data in, and search within the source type picker. See "Manage source types" in the Getting Data In manual.
      • PowerShell Input. Native support for ingesting data retrieved by PowerShell scripts. See the Splunk Add-on for Microsoft PowerShell manual.
      • App Browsing Interface. Automates and simplifies app and add-on discovery within Splunk Web.
      • Indexer Auto-Discovery. Forwarders now dynamically retrieve indexer lists from the cluster master to enable elastic deployments. See "Use indexer discovery to connect forwarders to peer nodes" in the Managing Indexers and Clusters of Indexers manual.
      • Distributed Management Console. New topology views, status, and alerting for Splunk platform deployments, including indexers, search heads, forwarders, and storage utilization. See "About the distributed management console" in the Distributed Management Console Manual.
      • Field Extractor Enhancements. Simplified field extraction via delimiter and header selection. Displays field extractions within the event preview. See "Build field extractions with the field extractor" in the Knowledge Manager Manual.
      • Search Process Memory Usage Threshold. New configuration parameters to specify the maximum physical memory usage that a single search process can consume. See the search_process_memory_usage_threshold and search_process_memory_usage_percentage_threshold settings in "limits.conf" in the Admin Manual.
  • Usability:
      • Single Value Display. Support for at-a-glance, single-value indicators with historical context and change indicators. See the "Single value visualizations" section of "Visualization Reference" in the Dashboards and Visualizations manual.
      • Geospatial Visualization. Support for choropleth maps to visualize how a metric varies across a customizable geographic area. See "Mapping data" in the Dashboards and Visualizations manual.
      • Dashboard Enhancements. More powerful dashboards with extended search and token management. See "Token usage in dashboards" in the Dashboards and Visualizations manual.
      • Search History. View and interact with ad-hoc search command history. See "View and interact with your Search History" in the Search Manual.
      • Anomaly Detection. New SPL command that offers a histogram-based approach to detecting anomalies. Also includes the capabilities of the existing anomalousvalue and outlier SPL commands. See "anomalydetection" in the Search Reference manual.
      • Search Helper Improvements. Re-architected to improve responsiveness.
  • Developer:
      • Java Logger Support for HTTP Event Collector. Adds support for log4j, logback, and java.util.logging to allow logging from Java apps over HTTP.
      • .NET Logger Support for HTTP Event Collector. Adds support for the .NET Trace Listener API and SLAB (Semantic Logging Application Block) to allow logging from apps over HTTP.
      • Custom Alert Actions. Allows developers to build, package, and integrate custom alert actions as native to Splunk software. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
      • Key Value Store - Distributed Lookups. Allows app developers to do KV Store lookups on remote indexers to improve efficiency in large-scale distributed environments. See "About the app key value store" in the Admin Manual.
      • Key Value Store - Lookup Filtering. Allows app developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.
  • Documentation:
      • The Splunk Enterprise 6.3 release includes one new manual and several enhancements to key areas of existing content.
      • The Distributed Management Console Manual provides dedicated information on the distributed management console that was introduced in Splunk Enterprise 6.2.
      • The Distributed Deployment Manual has been substantially expanded to provide enhanced guidance on implementing, maintaining, and expanding a distributed deployment. In particular, it now features a set of end-to-end implementation frameworks for common deployment scenarios.
      • The Getting Data In manual has been reorganized to provide faster access to the information you need to get your data into Splunk Enterprise. The manual includes information on updated features, and content within the book has been reorganized to make procedures easier to understand and follow.
      • The Forwarding Data manual has been updated to make the installation instructions for the universal forwarder more accessible, and to better group and clarify universal forwarder concepts and activities in deployments of the Splunk platform.
  • New REST APIs:
      • This release includes the following updates to the REST API:
          • data/inputs/http
          • data/inputs/http/{name}
          • data/inputs/http/{name}/disable
          • data/inputs/http/{name}/enable
          • licenser/usage
          • services/collector/event
          • services/collector/mint
          • services/data/ui/alerts
          • servicesNS/{user}/{app}/data/ui/alerts
          • services/server/introspection/search/dispatch/Bundle_Directory_Reaper
          • services/server/introspection/search/dispatch/Dispatch_Directory_Reaper
          • services/server/introspection/search/dispatch/Search_StartUp_Time
          • services/server/introspection/search/distributed
          • services/server/introspection/search/saved
          • services/search/scheduler
          • services/search/scheduler/status

New in Splunk 6.2.2 (Feb 25, 2015)

  • sslVersions missing from default inputs.conf (clone: SPL-93093).
  • Communication between a 6.0.6 UF and a 6.0.7 indexer fails with SSL (clone: SPL-93157).
  • On HP-UX ia64 and FreeBSD, upon upgrading the universal forwarder from 6.0.2 to 6.2, Splunk CLI commands fail with "Couldn't complete HTTP request" errors.
  • Migration appends an extra line to some saved searches by stripping the blank line in between (clone: SPL-91600).
  • A corrupted or multipart ZIP file causes splunkd to crash.
  • When symlinks are present in sinkhole batch inputs, splunkd crashes (introduced by the 6.1.4 fix to SPL-88387).
  • Splunkd assertion failure during uploading of a w3c file: CsvLineBreaker::parser::gotEol() -> PipelineData::removeStartOfRaw(), n

New in Splunk 6.2.1 (Feb 25, 2015)

  • Windows installer fails on non-English Windows systems.
  • The web.conf setting updateCheckerBaseURL=0 now displays "Your Browser could not connect to Splunk.com...need to be connected to the Internet to find out when updates to your Splunk software are available". It does not disable Splunk automatic checking for new versions.
  • Batch reader picks up files that have already been rolled.
  • Index list is incomplete under Input Settings; not all index names display.
  • Username containing a "." or "@" character fails to create a private dashboard.
      • Workaround: creating non-private dashboards continues to work, if the role allows it.
  • The return search command does not support field names that contain a period.
  • Splunk Web presents an incorrect list of field alias entries.
  • Password is not removed from alert_actions.conf when the user is deleted.
  • Splunk Web updated to reflect new timezones for Moscow and Yekaterinburg.
  • When a user edits a server class via Splunk Web Forwarder Management, Splunk Web may fail to update with the latest list.
  • Auto key-value based field extraction may fail.
  • Upon completion of setup in distributed mode, the setup page fails to display instances due to a JavaScript error.
  • Report Acceleration Summaries don't work in shared context.
  • Messaging errors for a failed upgrade to 6.2 are confusing.
  • When drilling down in a JSON object (using Internet Explorer), the object disappears behind the checkbox panel.
  • After an upgrade from 6.0.3, the splunkd service main thread crashes on start-up.
  • Rename Splunk Web service description to Splunk Web Service Legacy. Splunkd now handles all Web Service operations and the Splunk Web Service is no longer used. For more information, see "Start Splunk Enterprise on Windows in legacy mode" in the Admin manual.
  • In Windows, if a user specifies a monitor input that uses a wildcard at
  • WinEventLog Modular inputs do not respect the _meta and _TCP_ROUTING params specified in inputs.conf.
  • Input created via the REST API on a universal forwarder does not honor the disabled=true setting.
  • The /services/data/indexes endpoint outputs a blank value for the tsidxstatshomepath attribute.
  • The time range preset in a web-framework view is ignored.
  • The app key value store (KV store) is not available with a free license.
  • If a user manually adds a new indexer while Splunk with bootstart is enabled, Splunk may crash due to an OS user permissions mismatch.
  • The Splunk command line displays errors regarding /etc when the rebuild command is initiated. These errors can be disregarded.
  • Universal Forwarders that use ACK receive acknowledgments out of order.
  • Issues installing and starting Splunk as a non-root user.
  • Setting cipherSuite to most ciphers results in a failed session.
  • datetime.xml may not recognize AM and PM properly.
  • Splunk 6.2 appears to break reverse proxy.
  • KV store does not run if FIPS is enabled.

New in Splunk 6.1.2 (Jul 2, 2014)

  • Upgrade openssl to 1.0.1h. (SPL-85063)
  • Real-time alerts fail to trigger if matched events are further apart in time than defined session timeout. (SPL-84357)

New in Splunk 6.0.1 (Apr 24, 2014)

  • The following two security issues have been resolved in this release:
      • CVE-2014-0160 - OpenSSL 1.0.1 TLS Heartbeat leaks sensitive information (also known as the "Heartbleed" vulnerability) (SPL-82696)
      • CVE-2013-4353 - Invalid TLS handshake could crash OpenSSL with a NULL pointer exception (SPL-78823)

New in Splunk 6.0 (Apr 24, 2014)

  • New Home screen
      • Splunk Home is your portal to the apps and data accessible from your Splunk Enterprise instance. The new home screen includes a search bar and panels that provide an overview of and navigation for your apps and data. For more information, see:
          • "About Splunk Home" in the Search Tutorial.
  • Enhanced search experience
      • This release provides a new interface that brings search and reporting together. We've built in new ways to interact with your data and fields. In addition, we've added the ability to edit reports in the search page, making it easier than ever to create and edit them.
      • The search page redesign brings together a collection of UI changes to improve the usability of the search interface and enable simpler report authoring and editing.
      • For more information, see:
          • "About the Search app" in the Search Tutorial.
  • Data model
      • Data models drive Splunk Enterprise's Pivot tool. They enable users of Pivot to build compelling reports and dashboards without first going through the sometimes complex step of designing the searches that generate them. Data models can have other uses as well, especially for application developers.
      • You can also use the Splunk Enterprise High Performance Analytics Store to accelerate your data models. With an accelerated data model, your pivots, reports, and dashboard panels that use that data model will return results faster, greatly improving the speed of analytical operations over large data sets.
      • For more information, see:
          • "About data models" in the Knowledge Manager Manual.
  • Pivot
      • The new Pivot tool is a drag-and-drop interface that enables non-technical and technical users alike to build complex reports without using the search language. Using Pivot, you can quickly build queries and display results through an easy-to-use interface.
      • For more information, see:
          • "Welcome to the Pivot Tutorial" in the Pivot Tutorial.
  • Native maps
      • You can now display geographic data and summaries on maps directly within Splunk Enterprise without relying on another app. For more information, see:
          • "Visualization reference" in the Visualizations and Dashboards Manual.
          • The element in the Simple XML Reference.
          • The geostats command in the Search Reference.
  • Predictive analytics
      • Using historical data as the baseline, you can use predictive analytics to forecast the future needs of key system resources.
      • Predictive analytics can be used in a number of ways. For example:
          • It aids in determining future hardware requirements for virtual environments and forecasting energy consumption.
          • It enables enhanced root cause analysis to detect abnormal patterns in events and prevent security attacks.
          • It enables enhanced monitoring of key components to detect system failures and prevent outages before they occur.
      • For more information, see:
          • "About predictive analytics with Splunk" in the Search Manual.
  • Forwarder management
      • The forwarder management feature is a Splunk Web interface that provides an easy, visual way to configure the deployment server and monitor the status of deployment updates. Although its primary purpose is to deploy apps and configurations to large groups of forwarders, you can use forwarder management to configure the deployment server for any update purpose, including deploying apps to non-clustered indexers and search heads. For most purposes, the capabilities of forwarder management and the deployment server are identical.
      • For more information, see:
          • "Forwarder management overview" in the Updating Splunk Instances Manual.
  • Simplified cluster management
      • The main focus of this feature set is to make it easier to configure and operate large-scale clusters. Key improvements include:
          • Enhanced cluster monitoring UI: Monitor the health of a cluster through a centralized dashboard.
          • Auto rebalancing of peers: Distribute loads evenly among cluster peers.
          • Faster recovery: Recover from peer failures quickly by copying index files instead of regenerating them.
          • App management: Manage and distribute fully functional apps to peers through the cluster master UI.
      • For a general introduction to clusters, see:
          • "About clusters and index replication" in the Managing Indexers and Clusters manual.
  • Simple XML enhancements
      • The dashboard creation process has been enhanced to enable more powerful views without requiring the use of advanced XML, including improved support for form inputs, token substitution, and more.
      • For more information, see the following topics in the Visualizations and Dashboards Manual:
          • Create and edit dashboards from Splunk Web
          • Simple XML Reference
          • Chart Configuration Reference
  • Integrated web framework
      • For custom dashboard creation, this release offers a much more web-developer-friendly method to customize apps and dashboards. Developers can now convert dashboards directly to HTML and JavaScript, where they can more easily modify the layout and style, integrate custom JavaScript, and more. As part of this feature, many of the core dashboard objects and controls are packaged into a JavaScript component library that developers can use more readily as they build these custom views. This library is also shared with the new web framework, giving developers full portability to build apps external to Splunk Enterprise while incorporating many of the elements and controls familiar to Splunk Enterprise customers.
      • For more information, see "Splunk Web Framework" on the Splunk developer portal.
  • Windows inputs
      • This release includes the following new Windows inputs:
          • Host Inventory (Hardware, Software, Applications, Services)
          • Print Monitoring (who printed what and when, resource utilization on printers, and so on)
      • In addition, Splunk Enterprise 6 provides additional filtering capabilities as part of event log collection, which you can use for more efficient security audit log monitoring. For more information, see "Monitor Windows event log data" in the Getting Data In manual.
  • Automatic header-based field extraction
      • For files that have headers containing field information, such as CSV, this feature enables you to configure Splunk Enterprise to extract these fields automatically during index-time event processing. For more information, see:
          • "Extract fields from file headers at index time" in the Getting Data In manual.
  • License Usage Report View
      • The new License Usage Report View provides a fast and easy way to determine the consumption of your Splunk Enterprise license. Directly from the Splunk Licensing page, get immediate insight into your daily Splunk Enterprise indexing volume as well as any license warnings. In addition, get a comprehensive view into the last 30 days of your Splunk license usage with multiple reporting options.
      • For more information, see:
          • "About Splunk's license usage report view" in the Admin Manual.
  • New search commands
      • This release includes the following new search commands:
          • cofilter returns a count of events that contain the two specified fields.
          • datamodel returns JSON for all or a specified data model and its objects.
          • foreach runs a templated streaming subsearch for each specified field.
          • geostats returns geographical data in summaries that can be rendered on a world map.
          • iplocation extracts location information from IP addresses using third-party databases.
          • pivot enables you to run pivot searches against a particular data model object.
          • tstats performs statistical queries on indexed fields in tsidx files, which can come from normal index data, tscollect data, or accelerated data models.
  • Documentation improvements
      • The Splunk Enterprise 6.0 release includes two tutorials and several new manuals.
      • The Search Tutorial guides you through adding data, searching your data, saving reports, and creating simple dashboards.
      • The Data Model and Pivot Tutorial guides you through adding data, building simple data models, and creating new Pivots.
      • The new manuals include:
          • Pivot Manual: describes how to use the Pivot tool and provides tips on how to create useful data visualizations using Pivot.
          • Reporting Manual: covers reports and report management in Splunk Enterprise, including report acceleration, report scheduling, and printing reports as PDFs.
          • Forwarding Data: describes how to use forwarders to get data into Splunk Enterprise.
          • Distributed Search: describes how to use search heads to distribute searches across multiple indexers.
          • Updating Splunk Enterprise Instances: describes how to use the deployment server and forwarder management to update Splunk Enterprise distributed instances such as forwarders and indexers.
      • The Distributed Deployment Manual is now focused on the conceptual background for distributed deployment, an overview of common deployment architectures, information about hardware requirements and capacity planning, and instructions for upgrading a distributed environment.
      • In addition, the Module System User Manual and the Module System Reference have moved from dev.splunk.com to docs.splunk.com.

New in Splunk 5.0.2-149561 (Mar 26, 2013)

  • Index replication:
  • Splunk indexers can now be grouped together to replicate each other’s data, maintaining multiple copies of all data – preventing data loss and delivering highly available data for Splunk search. Using index replication, if one or more indexers fail, incoming data continues to get indexed and indexed data continues to be searchable.
  • Report acceleration:
  • Accelerating search for reporting over large datasets is now as easy as clicking a checkbox and setting a time range. Summaries are stored on the indexers rather than the search head to allow map reduce parallelism for any search that uses reporting and/or streaming commands. You can enable report acceleration for an eligible search when you save it or add it to a dashboard in the Splunk Web UI. You can also enable report acceleration for an eligible search in Manager > Searches and Reports.
  • Integrated PDF generation:
  • You can now create PDF files from your simple XML dashboards, views, searches, or reports on any OS running on an Intel-compatible platform. All PDF features in Splunk Web work without the need to install the PDF Report Server app. Non-UI PDF reporting functionality also uses Integrated PDF generation.
  • Dynamic drilldown:
  • Create custom drilldown behavior for any simple XML table or chart. Specify custom drilldown behavior on a per-field basis. Drill down within one dashboard, from a dashboard to form, or to any third-party tool that accepts URLs. Form searches built in simple XML also accept drilldown information so you can connect one form to send information to another.
  • Modular inputs:
  • Enable any data inputs installed by a Splunk App, making them easier to manage and deploy. Inputs appear automatically on the Splunk Manager > Data Inputs page and are accessible from REST API endpoints for advanced management.
  • REST API versioning and JSON support:
  • Beginning with this release, the REST API is fully versioned, so that if developers embed the version number in a URL, they are guaranteed a particular endpoint behavior. In addition, REST endpoints optionally can now return JSON instead of XML.
  • Splunk JavaScript SDK integrated into core
  • The Splunk JavaScriot SDK is now completely integrated into the core Splunk product and no longer requires a separate download.
  • JSChart enhancements
  • JSChart now supports more configurations, so you can build more charts that show up on iOS devices. Configure custom colors for charts using SeriesColors, rearrange fields in a legend, and more. Additional enhancements increase browser performance.
  • New search commands:
  • This release includes some new search commands:
  • fieldsummary returns a summary of values for all or a subset of fields.
  • multisearch runs multiple searches at the same time.
  • predict uses forecasting algorithms to predict future values of fields.
  • x11 removes a seasonal pattern so that you can see the trend.
  • Documentation improvements:
  • The Splunk documentation set has been reorganized for the 5.0 release. This reorganization makes the tutorial a stand-alone document, gives more visibility to key product areas (indexing, search, visualization, alerting, and security), provides better browsing structure in the tables of contents, and creates tighter context for search results. The new content design reflects new Splunk features and addresses customer feedback we have received via doc comments, email, and IRC.
  • Resolved highlighted issues:
  • Significant increase in indexer latency and reduction in throughput of up to 75% related to execution of MaxDataSize settings in indexes.conf, which can result in the indexer(s) refusing forwarder connections. This issue is more likely to manifest in deployments with slower storage volumes. (SPL-58689)
  • A 500 Internal Server Error is displayed when using Manager to edit or create a saved search, add a data input, list or edit indexes, or edit user roles. (SPL-58872, SPL-58650).
  • Resolved data input issues:
  • In Australia, with devices set to Australia/Sydney (Australia Eastern), logs get generated as 11/16/11 10:30:00 EST, and Splunk (or the machine) interprets EST as US Eastern. (SPL-56076)
  • WARNs about "Endpoint has not specified a type for val=auto, will return this as a string in JSON API." in splunkd.log when adding an index via the CLI. (SPL-53640)
  • Indexer throttled and indexing paused with "...too many tsidx files in bucket=* Is splunk-optimize working? if not, low disk space may be the cause..." message displayed in Splunk Web. (SPL-58922)
  • Indexing processor spends too much time hot bucket metadata files, resulting in slowed indexer performance. (SPL-58859)
  • Indexed host name will become "$decideOnStartup" when uploading data via Splunk Web. (SPL-57073)
  • Summary index fields that contain characters that are not in a-z, A-Z, and 0-9 ranges are replaced with an underscore (_). (SPL-58300)
  • Scripted inputs defined in Manager do not work with search head pooling configurations. (SPL-57429)
  • splunk-admon.exe consumes excessive amount of memory. (SPL-57409)
  • Cannot update fields in a disabled index. (SPL-56752)
  • A warning should be issued when indexes are set to write to a volume's path without referencing the volume in homePath or coldPath. (SPL-56031)
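The Australia/Sydney issue above (SPL-56076) is a general timestamp-parsing hazard: "EST" names both US Eastern and Australian Eastern, so trusting the abbreviation silently shifts _time by many hours and breaks timeline correlation. The following Python is an added illustration, not Splunk's own parser; the log line, the abbreviation table and the fallback offsets are constructed for the example. It contrasts the buggy behaviour (resolving the abbreviation to the US zone) with the fix (applying the zone configured for the source and ignoring the ambiguous abbreviation).

```python
from datetime import datetime, timedelta, timezone

# Constructed log line in the shape described for SPL-56076: a device in
# Australia/Sydney labels its local time "EST" (Australian Eastern).
SAMPLE_LINE = "11/16/11 10:30:00 EST"
TIME_FMT = "%m/%d/%y %H:%M:%S"

# The same abbreviation names two zones that are 16 hours apart on this date.
ABBREV_CANDIDATES = {"EST": ["America/New_York", "Australia/Sydney"]}

# Offsets these zones had on 16 Nov 2011 (US DST over, Sydney DST in force);
# used only when the host has no tz database for zoneinfo (constructed fallback).
_FALLBACK_HOURS = {"America/New_York": -5, "Australia/Sydney": 11}


def zone(name):
    """Return a tzinfo for an IANA zone name, falling back to a fixed offset."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=_FALLBACK_HOURS[name]), name)


def split_line(line):
    """Separate the naive timestamp from the trailing zone abbreviation."""
    stamp, _, abbrev = line.rpartition(" ")
    return datetime.strptime(stamp, TIME_FMT), abbrev


def parse_trusting_abbrev(line):
    """Buggy behaviour: resolve the abbreviation to its first (US) candidate."""
    naive, abbrev = split_line(line)
    guess = ABBREV_CANDIDATES[abbrev][0]
    return naive.replace(tzinfo=zone(guess)).astimezone(timezone.utc)


def parse_with_host_zone(line, host_zone):
    """Fix: ignore the ambiguous abbreviation and apply the source's configured zone."""
    naive, abbrev = split_line(line)
    if host_zone not in ABBREV_CANDIDATES.get(abbrev, [host_zone]):
        raise ValueError(f"{abbrev!r} is not an abbreviation used in {host_zone}")
    return naive.replace(tzinfo=zone(host_zone)).astimezone(timezone.utc)


def skew_hours(line, host_zone):
    """How far _time would be off if the abbreviation were trusted."""
    delta = parse_trusting_abbrev(line) - parse_with_host_zone(line, host_zone)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    print(parse_trusting_abbrev(SAMPLE_LINE))                     # 2011-11-16 15:30:00+00:00
    print(parse_with_host_zone(SAMPLE_LINE, "Australia/Sydney"))  # 2011-11-15 23:30:00+00:00
    print(skew_hours(SAMPLE_LINE, "Australia/Sydney"))            # 16.0
```

The practical check is the last line: for any source whose timestamps carry only an abbreviation, compute the skew between the abbreviation-based and host-zone-based interpretations, and pin the zone explicitly on the input (in Splunk, a per-source TZ setting in props.conf) rather than letting the parser guess.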
  • Resolved charting issues:
  • The "Edit report" link is missing when you load a saved report from Splunk Web. (SPL-59182)
  • JSChart should choose _time as the x-axis field even if it is not the first field in the results. (SPL-56805)
  • Resolved index replication issues:
  • Rename the 'cluster' special app to '_cluster', which is more indicative of its special nature and migration requirements. (SPL-57536)
  • Allow multiple apps to be pushed onto peers from master-apps. Refer to this topic in Managing Indexers and Clusters for information on cluster app limitations. (SPL-57373)
  • Replication connection failures show up as "WARN BucketReplicator - Failed to replicate warm bucket" in splunkd.log (but the bucket is still replicated). (SPL-55413)
  • Setting sslVerifyServerCert=true is not honored: no server certificate validation takes place on replication connections between cluster peers, so the setting gives no protection against an impersonated peer until this fix. (SPL-56368)
  • The splunk list cluster-master-generation command does not list peer list for generation. (SPL-53096)
  • Clustering peers get stuck at the license agreement prompt when restarting the first time after an upgrade if you run a rolling restart. (SPL-52871)
  • If an invalid active bundle exists on the master, slave keeps downloading it every second and spams splunkd.log. (SPL-51320)
  • Lots of "Examining bucket" debug messages in web_service.log when viewing index replication dashboard. (SPL-56240)
  • "A splunktcp forwarder port is not configured in inputs.conf" error message appears on forwarder/search head/master when it should only appear on the affected slave. (SPL-56019)
  • Crash in ReplicationDataReceiverThread, no space left on disk. (SPL-56817)
  • Searching directly on a slave only works on searchable & primary bucket. (SPL-57197)
  • Running ./splunk edit cluster-config does not allow 'max_peer_build_load' and 'max_peer_rep_load' to be edited. (SPL-57193, SPL-56665)
  • Peer unable to handle failed replication (reason: state mismatch for bucket status on target, actual=Complete expected=NonStreamingTarget). (SPL-56671)
  • If a primary peer's connection is interrupted and the master node is restarted before it comes back up, another peer can be designated the primary, which causes problems when the original primary peer comes back up. (SPL-56515)
  • Off by one error for max outstanding build jobs parameter (we allow 6 when max is set to 5). (SPL-56246)
  • Deletes not handled properly on buckets that are already searchable if the peer from which the events were deleted fails. (SPL-51974, SPL-58208)
  • CLI help for index replication topics is missing. (SPL-57455)
  • Shutting down a peer can hang/time out if the master is down. (SPL-57144)
  • Running splunk list peer-buckets and cluster-buckets commands fails to display all buckets. (SPL-56104)
  • A peer shouldn't be green/searchable when status is pending. (SPL-55876)
  • The default value of max_peer_build_load in server.conf.spec is incorrectly stated as 5, should be 2. (SPL-56640)
  • Resolved integrated PDF generation issues:
  • When a PDF is generated of a dashboard that includes one or more panels with table visualizations, it's possible that the PDF versions of the tables will include columns for fields that are not seen in the original dashboard tables. The PDF table columns may also appear in a different order than they do in the original dashboard tables. Splunk adds any field in the original stats results of the search to the PDF version of a table, even if the field is restricted from showing in the original dashboard table by the dashboard XML. (SPL-56255)
  • PDF wizard uses "admin_xxxx" name for non-English dashboards. (SPL-56279)
  • Row numbers are missing in PDF of simple results tables. (SPL-56248)
  • PDF generation does not work on HPUX or the PowerPC architecture. (SPL-56049)
  • Rendering reports broken with error referencing "searchFieldList". (SPL-56809)
  • Print to PDF doesn't include panels that have an ampersand (&) character in the title. (SPL-57419)
  • When on non-x86 system, if a remote report server is available, we should be using that. Otherwise, no PDF support should be provided. (SPL-57359)
  • If you create a search in manager with an email alert for pdf results (or edit an existing search to add pdf) you get only csv. (SPL-58921)
  • When disabled, the Generate PDF button still responds to clicks. (SPL-58231)
  • Sparklines can sometimes extend off the right side of a table. (SPL-58207)
  • PDF report should not print empty charts when there are no results. (SPL-56189)
  • Resolved report acceleration issues:
  • In Manager, report names appearing on the Report Acceleration Summaries and Report Acceleration Summary Details pages (under Reports using this summary) may be followed by a period. (SPL-56540)
  • Under very specific conditions Splunk can erroneously summarize data in a manner that causes subtle charting errors. This happens when you accelerate a search with an unbounded time range (earliest and/or latest time not set) and a timechart without an explicit span setting. (SPL-56001)
  • Numeric calculations in prestats mode don't emit precision. (SPL-56070)
  • When you switch to Free and then create a summarization (which is not supported in Free), the following error is shown "TSUM: LicenseRestriction: [HTTP 402] Current license does not allow the requested action" (SPL-56339)
  • If two summaries from searches in two different apps have the same hash, the link to each of them in Manager goes to the same search. (SPL-56040)
  • Status of a summary is always pending unless it's building. (SPL-56451)
  • Show source fails intermittently with "DispatchSearch - Could not find target event on the remote server, unable to form the proper distributed search". (SPL-55970)
  • The values() command doesn't work in non-prestats mode. (SPL-56081)
  • Configured namespace data is not cleaned when running ./splunk clean all. (SPL-55894)
  • Resolved search, saved search, alerting, scheduling, and job management issues:
  • Killed or otherwise 'zombie' search jobs are not flagged as such in Splunk Web, and are displayed differently on different tabs. (SPL-54026)
  • Summary index file header gets indexed when using the collect command. (SPL-58176)
  • Searches do not match with numeric values for indexed fields with uppercase characters. (SPL-60142)
  • Searches using _indextime consume large amounts of RAM. (SPL-58601)
  • Using loadjob on a large search artifact can use a large amount of memory. Loadjob now handles the data on disk instead of in memory, however, for large artifacts access performance may be reduced. (SPL-58653)
  • Searches can time out when fetching full events due to remote timelining where the search head->indexer connection is unstable. (SPL-57454)
  • Running a timechart command with the span option, such as "index=_internal | timechart span=1h count by clientip" returns the error "Error in 'bin' command: Option 'span' should not be specified more than once." (SPL-57184)
  • Sorting in postprocess search broken for more than 50k results. (SPL-56641)
  • Scheduled RT search creates too many preview dispatch directories. (SPL-57584)
  • Using the name option with a value of "*" in the summary indexing backfill script will not capture any searches with criteria: are enabled, scheduled, and has summary indexing action. (SPL-56841)
  • No way to make a saved search use action.email.inline=1 from Manager. (SPL-56830)
  • Setting [searchresults] max_mem_usage_mb in limits.conf improperly overrides maxresultrows. (SPL-56815)
  • Search queued message shown even after the search starts running. (SPL-56433, SPL-56435)
  • Resolved Splunk Web and Manager interface issues:
  • Restart Splunk link is broken in Chinese Splunk Web. (SPL-49823)
  • The Send to background button tooltip is truncated. (SPL-58426)
  • Strings in the App dropdown are not localized in Manager pages. (SPL-57403)
  • Changing the source type setting for any input in Manager is not saved. (SPL-57022)
  • Uploading a lookup file in manager fails with "Encountered the following error while trying to save: In handler 'lookup-table-files': Source file is outside of staging area". (SPL-56835)
  • Error "ERROR AdminManager - Invalid Link hostname" when adding a port value to the link hostname under Manager » System settings » Email alert settings. (SPL-56833)
  • Edit dashboard options not localized in Splunk Web. (SPL-56484)
  • Strings in Field Picker are not localized. (SPL-56207)
  • "Save & share results" is not localized. (SPL-56204)
  • Resolved Windows-specific issues:
  • On Windows 8 and Windows Server 2012, nothing happens when you click on the "Browse Server" button when adding files or directories to monitor from the "Add data" wizard page. This is due to an issue with Internet Explorer 10, which comes with these operating systems. (SPL-55994)
  • Performance monitor (perfmon) stanzas not created in inputs.conf on fresh install of universal forwarder. (SPL-57560)
  • Indexes defined on Windows as volumes with forward slashes cause Splunk to fail to restart. (SPL-56868, SPL-56832)
  • Windows Server 2008 R2 VM crashes with a blue screen when a pre-installed (as a system image) splunkd service starts on first boot. (SPL-56861)
  • Changing the case of a hive name causes regmon to re-checkpoint. (SPL-37647)
  • Resolved unsorted issues:
  • Splunk can experience intermittent crashes in different threads on AIX due to an unresolved gcc bug on AIX. (SPL-49004)
  • On startup splunkd says "My newly generated GUID is X", then "My newly generated GUID is Y", X ≠ Y. (SPL-57592)
  • Errors on startup about "Possible typo in stanza [distributedSearch]" due to removal of invalid parameter. (SPL-57577, SPL-58095)
  • CLI command error: 'local-index' is not a valid argument for the 'enable/disable/display' command. (SPL-57501)
  • CLI command error: 'jobs' is not a valid argument for the 'list' command. (SPL-57500)
  • The diag command should not include tsidxstats files. (SPL-57543)
  • External REST handlers can't handle unicode. (SPL-57103)
  • When an index has been disabled, but splunkd hasn't yet been restarted (as is required), a REST request to delete it should return a clearer error message. (SPL-56819)
  • btool inputs list ignores --dir argument, returns results from live instance. (SPL-56626)
  • After configuring a new universal forwarder, the splunk list forward-server sometimes takes a short while to list correct forward server status. (SPL-55793)
  • If you create a dropdown with a populating search where the results include a back-slash, you cannot then use that token in a search. (SPL-58362)
  • Setting phoneHomeIntervalInSecs on a Linux deployment client to a high number (10 minutes) causes client to not download updated changes from deployment server. (SPL-57589)
  • In dynamic drilldown, Japanese characters are passed as UTF-16, expected UTF-8. (SPL-57534)
  • Text fields ignore seed value in simple XML. (SPL-57532)
  • Email alert sent, but no warning in the logs or scripted alerts when a search peer is missing. (SPL-57391)
  • Splunk's bin/python doesn't start up on HP/UX 11.11i machines without /dev/urandom. (SPL-57317)
  • Crash in TcpOutEloop thread during shutdown. (SPL-56875)
  • License slave master-uri incorrectly parsed with a trailing slash. (SPL-56836)
  • Rebuilding archived bucket throws error ERROR - Error opening The process cannot access the file because it is being used by another process. (SPL-56834)
  • Username with embedded space running existing saved search fails with 404 error in SimpleResultsTable module. (SPL-56587)
  • Splunk diag fails to exclude files with --exclude command in universal forwarder. (SPL-56399)
  • " WARN AdminManager - Endpoint has not specified a type for val=openLDAP" errors in splunkd.log when mapping LDAP groups via Splunk Web. (SPL-55928)
  • Splunk lacks date parser support for AM/PM for Japanese and Korean. (SPL-55733)
  • The default outputs.conf forwardedindex blacklist targeting _internal makes no sense for a search head. (SPL-52440)
  • When provided with an invalid value for the 'count' argument, the 'rest' search command produces an error that does not correctly explain what the expected value for 'count' should be. (SPL-57148)

New in Splunk 4.3.1-119532 (Mar 27, 2012)

  • Splunk 4.3 includes substantial improvements to the user interface and workflow.
  • Enhancements include:
  • Charting controls integrated with timeline view
  • Drag-and-drop dashboard editing
  • Simplified workflow for saving searches
  • Unified "Create" button for alerts, reports, and dashboard panels
  • New "digest" field for grouping alert notifications
  • Integrated time range picker and search button
  • More accessible job control and job inspector buttons
  • Improvements to message banners
  • Non-Flash UI:
  • To improve support of iOS hand-held devices, Splunk Web now provides non-Flash chart and timeline display. This also improves printing quality. For more information about the non-Flash charts, as well as the circumstances that might cause Splunk to render charts in Flash, see:
  • "Advanced charting options" in Developing Dashboards, Views, and Apps for Splunk Web.
  • Dashboard panel editor:
  • Splunk 4.3 exposes charting controls in a consistent UI that is accessible both from the dashboard and from the report builder UI, allowing you to discover and use this important feature more effectively. For information on how to use the dashboard panel editor, refer to:
  • "Edit dashboard panel visualizations" in the User Manual.
  • Sparklines:
  • Sparklines are a technique to increase information density in tables by adding inline charts to specific cells. They are most commonly used to show time-based trends associated with the primary key of a given row.
  • "Add sparklines to your search results" in the User Manual.
  • Per-result alerting:
  • Per-result alerting allows you to define alerts that trigger based on single events rather than a group of events.
  • "Create an alert" in the User Manual.
  • Real time backfill:
  • When you run a real-time windowed search, you can specify that Splunk backfill the initial window with historical data. This ensures that real-time dashboards, and the visualizations and statistical metrics they compute over a time window, are accurate from the moment they load rather than only after a full window has elapsed. For more information, refer to:
  • "Search and report in real time" in the User Manual.
  • Bloom filters:
  • Bloom filters speed up keyword searches by ruling out buckets where a searched-for keyword doesn't exist before incurring the overhead of searching the buckets. For more information, check out:
  • "Bloom filters" in the Search Reference Manual.
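As an added illustration of the mechanism described above (not Splunk's own code; the bucket names, sample events and hash construction are constructed for the example), the following Python builds one Bloom filter per bucket and uses it to rule buckets out before scanning. The security-relevant property is the asymmetry: a filter can say "definitely not in this bucket" but only "possibly in this bucket", so a false positive costs one extra scan while a false negative, a missed event, can never occur.

```python
import hashlib
import re

# Constructed sample buckets holding a few syslog-style events each. Splunk
# builds the filter from a bucket's lexicon when the bucket rolls to warm;
# here the raw text is tokenized directly.
BUCKETS = {
    "db_1321400000_1321390000_1": [
        "sshd[812]: Failed password for root from 10.0.0.5 port 52110 ssh2",
        "sshd[813]: Accepted publickey for alice from 10.0.0.7 port 52111 ssh2",
    ],
    "db_1321490000_1321480000_2": [
        "sudo: bob : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
        "CRON[990]: (bob) CMD (run-parts /etc/cron.hourly)",
    ],
    "db_1321580000_1321570000_3": [
        "kernel: eth0: link is up",
        "systemd[1]: Started nginx.service",
    ],
}


def tokenize(event):
    """Lower-case keyword terms, roughly what an indexer's lexicon would hold."""
    return set(re.findall(r"[a-z0-9_.]+", event.lower()))


class BloomFilter:
    """Fixed-size bit array; each term sets k positions derived from its hash."""

    def __init__(self, size_bits=4096, hashes=4):
        self.m = size_bits
        self.k = hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, term):
        # k positions from salted SHA-256 digests (a demo choice, not Splunk's hash).
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{term}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, term):
        for p in self._positions(term):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, term):
        """False means definitely absent; True means possibly present."""
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(term))


def build_filters(buckets):
    """One filter per bucket, populated with every term in that bucket."""
    filters = {}
    for name, events in buckets.items():
        bf = BloomFilter()
        for event in events:
            for term in tokenize(event):
                bf.add(term)
        filters[name] = bf
    return filters


def candidate_buckets(filters, keyword):
    """Buckets the filter could not rule out; only these are opened and scanned."""
    return [name for name, bf in filters.items() if bf.might_contain(keyword.lower())]


def keyword_search(buckets, filters, keyword):
    """Scan only candidate buckets; return (bucket, event) hits and the buckets scanned."""
    scanned = candidate_buckets(filters, keyword)
    hits = [(name, ev) for name in scanned for ev in buckets[name]
            if keyword.lower() in tokenize(ev)]
    return hits, scanned


if __name__ == "__main__":
    filters = build_filters(BUCKETS)
    for kw in ("shadow", "root", "kerberos"):
        hits, scanned = keyword_search(BUCKETS, filters, kw)
        print(kw, "scanned", len(scanned), "of", len(BUCKETS), "buckets ->", len(hits), "hits")
```

The last loop over the filters in the test is the check worth keeping in mind when evaluating any such index-side filter: for every term that really is in a bucket, that bucket must appear among the candidates, because a filter that ever drops a bucket holding the term would turn a performance feature into a silent search gap.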
  • Data preview (single file):
  • See what data sources are about to be indexed, to where, and preview how their event extractions will be handled by Splunk. Data preview makes it easy to test new sourcetypes and troubleshoot how Splunk will handle them. Data preview lets you see what you're getting, before you commit to an indexing strategy. For more information on data preview, check out:
  • "Overview of data preview" in the Getting Data In Manual.
  • Structured data field extraction (JSON, XML)
  • Increasingly, machine data is being generated in structured data formats such as XML and JSON. We've extended the Splunk search language to allow users to extract data from these structures in a straightforward way. For more information, check out:
  • The "spath" search command in the Search Reference Manual.
  • Per-user time zones:
  • Large deployments often include users in different timezones. These users want to see the data in the timezone they're in. Splunk now supports setting a time zone for each user. For more information, check out:
  • "Add and edit users" in the topic "Set up user authentication with Splunk's built-in system" in the Admin Manual.
  • Multi-domain LDAP:
  • Multi-domain LDAP authentication helps large IT departments overcome the challenges of expanding Splunk across departments where different AAA systems are in use. This also resolves issues where, due to the risk of circular references, Splunk isn't able to follow referrals from one LDAP system to another safely. For more information, check out:
  • "Use multiple LDAP strategies" in the topic "Set up user authentication with LDAP" in the Admin Manual.
  • IPv6:
  • Splunk supports using IPv6 addresses for all network activity, including data forwarding and splunkweb. Users can use Splunk transparently as they migrate their network to IPv6 and can leverage their existing IT Search deployment and experience for problem solving, alerting and reporting even during changes to the core networking technologies that run their environments. Check out
  • "Configure Splunk for IPv6" in the Admin Manual for more information.
  • 508 Compliance:
  • We've done some work to make Splunk Web more accessible for the visually-impaired. For more details, refer to:
  • "Accessibility options" in the Installation Manual.
  • Splunk Developer Portal and REST API Reference:
  • Splunk for Developers is live. Learn how to extend Splunk with the App Framework and how to build your own applications using the Splunk REST API and SDKs. The Splunk REST API Reference is also available as part of the Splunk doc set.

New in Splunk 4.2.3-105575 (Aug 10, 2011)

  • Real-time alerting:
  • Real-time alerting and management gives you the ability to react at the speed of your IT Data. Get instant notification when an alert is triggered and manage your alerts from within Splunk.
  • Trigger-based real-time alerts
  • Alert history and management
  • Alert throttling
  • Universal forwarder:
  • The Splunk universal forwarder package is a compact but full featured tool for centralizing IT data. Without any unnecessary Splunk components, the universal forwarder still supports all Splunk input types - including robust file monitoring, syslog, and all Windows specific inputs.
  • Indexer acknowledgement
  • Smaller footprint
  • Real-time Windows performance monitoring
  • Native Windows forwarder support
  • Administration enhancements:
  • Administering distributed Splunk deployments is now easier thanks to several new enhancements. These include distributed license reporting and management, the pooling of search heads for availability, and visibility into the health and activity of Splunk forwarders.
  • Distributed Splunk monitoring
  • Distributed licensing
  • Recoverable indexes
  • Search head high availability
  • User interface simplification:
  • Using Splunk on a daily basis is now easier, whether you are an admin trying to figure out how to add data to Splunk or a first-time user creating your first alert. Check out your new launching pad at Splunk Home and see for yourself.
  • Splunk Home
  • Quickstart recipes and data input workflows
  • Streamlined app install and update
  • Quick search, alert, and dashboard creation
  • Login coaching
  • New visualizations:
  • Gauge visualizations
  • Speed improvements
  • Splunk Web speed improvements
  • Search speed improvements