Archive

Splunk 6.6 out now. Features you like the most?

Super Champion

This is not technically a question, but I can see some good enhancements/features as part of the release

  • Search optimizer improvements (Automatically apply Projection Elimination to remove calculations and evals that are not needed in final results . Atlast, I don't need to edit eventtypes.conf and tags.conf) !!
  • Search Head Clustering enhancements (Resilient configuration replication, intelligent captain selection etc.)
  • Indexer clustering enhancements
  • Indexer clustering management
  • Volume-based data forwarding
  • Data quality dashboard

Please let me know your thoughts if you haveimplemented in clustered systems. I will wait for a release or two before implementing into our prod.

Explorer

this is the 6.6 features in Japanese
Ver.6.6 の日本語資料はこちらです。
https://www.macnica.net/splunk/release66.html/

0 Karma

Champion

what is "volume-based data forwarding"?

0 Karma

Ultra Champion

@a212830, or as I lovingly call you, Mr. Lazy Pants 🙂

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/MeetSplunk#What.27s_New_in_6.6

(We know each other IRL. Hence this is teasing, not trolling...yet lol)

0 Karma

Contributor

It sounds like this feature will be my number one reason to move forward to 6.6 sooner rather than later:

"Avoidance of search disruption by automatically ensuring replicated data is available prior to taking a node offline."

We regularly get complaints from users about seeing "Your search results may be incomplete" during a cluster restart. However, the release notes aren't super clear whether this applies to a rolling restart or just "./splunk offline". I reached out to my SE for more info, and I also posted on the blog post iventsekar linked.

I'm also looking forward to line numbers in the SPL -- this will make documenting changes to alerts/reports a little more straight forward. I have had some users beg me to install 6.6 today for the dark themed search bar 🙂

Contributor

I want to note that I heard from my SE and this change is only for taking down a single peer, but will be expanded to rolling-restarts in the future.

0 Karma

Super Champion

Completely agree. There are so much good improvements as per release notes

0 Karma

Super Champion

Good reading -

https://www.splunk.com/blog/2017/05/02/what-s-new-in-splunk-enterprise-6-6-and-splunk-cloud.html?lin...

I am looking for the dataset and dashboard related features, will check them and update.

Next up is the new Trellis Layout, which provides a more efficient way to run the dashboard and saves time building multiple panels! Have you ever needed to create multiple single value indicators across the top of your dashboard? What about multiple timecharts, with each showing a slightly different measure on the same search? To do this you probably had to edit the Simple XML, copy & paste the original chart over and over again and change the search parameters ever so slightly. Now with Trellis, this can be done directly from the GUI. Multiple charts will be created on the fly—all using a single base search. Here’s an example. ( Pic at the blog)

Contributor

I love Trellis Layout. Makes it so much easier to compare trends!

0 Karma

SplunkTrust
SplunkTrust

Trellis graphs are very cool! Love them.

0 Karma

Splunk Employee
Splunk Employee

Docs for Trellis Layout are available here. They describe how you can use trellis layout to split search results over a field or aggregation and generate visualization fragments for each field value:

docs.splunk.com/Documentation/Splunk/6.6.0/Viz/VisualizationTrellis

Splunk Employee
Splunk Employee

And docs for the new drilldown editor UI (as well as new content on using drilldown for dashboard interactivity) are available here:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Viz/DrilldownIntro

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!