Splunk Enterprise

What's new in Splunk Enterprise 6.3.1?

edrivera3
Builder

Hi everyone

What's new in Splunk Enterprise 6.3.1? I already have Splunk Enterprise 6.3.0.
Where can I find the changes in this new version?

Thanks,

Tags (2)
0 Karma
1 Solution

mporath_splunk
Splunk Employee
Splunk Employee

6.3.1 was a maintenance release that includes recent bugfixes
You can find all changes in the Release Notes for 6.3.1

View solution in original post

aljohnson_splun
Splunk Employee
Splunk Employee

In case anyone comes here and wants to know what's new in 6.3...

Here are some excerpts from this blog post here.

  • The HTTP Event Collector directly onboards data from applications, DevOps and IoT devices in real-time, scaling to millions of events per second. Developers can use a standard HTTP/JSON API or logging libraries. Those that are using Docker or creating microservices with AWS Lambda can use Event Collector directly from those environments too. IoT device software can use the same direct API or send events via a growing list of integrated IoT services like AWS Kinesis, Xlively, and Citrix Octoblu.
  • Custom Alert Actions make it simple for 3rd party or custom developers to create rich integrations or actions that can be automatically triggered by Splunk alerts. The user has a simple pull-down menu to choose among the integrations installed. Splunk and partners have already created a dozen integrations including ServiceNow, Slack, Big Panda, Citrix Octoblu, Webhook and more.

  • Geospatial Visualizations and Single-Value Displays allow customers to use widely-available Choropleth maps and context-rich KPI displays to easily visualize, understand and communicate results. And the new Anomaly Detection command now brings histogram-based analysis to the Splunk analytics arsenal.

It all depends on your workload and configuration but 6.3 can:

  • Double or more the speed of many common search and reporting activities
  • Index data at double the rate
  • And increase the overall capacity of your deployment by 20% or more

What can it mean?

  • A critical report can be completed in as little as ¼ the time
  • Real-time data can be ready for analysis in half the time
  • And increased capacity means that you can get more from you hardware investment
  • In fact, Splunk now requires just 1/3 the hardware it did two years ago, lowering Splunk deployment TCO by over 50%

Upgrade readme has a list of known issues and changes.


Release notes here

Platform

  • Search Parallelization. Optimized CPU utilization for faster search execution. See "Manage report acceleration", "Accelerate data models", and "Configure batch mode search" in the Knowledge Manager Manual.
  • Index Parallelization. Optimized CPU utilization for faster data ingestion.
  • Intelligent Job Scheduling. Intelligent job scheduling provides improved system utilization and predictable performance. See "Configure the priority of scheduled reports" in the Reporting Manual.
  • Data Integrity Control. Data integrity control ensures that indexed data has not been modified. See "Manage data integrity" in the Securing Splunk Enterprise manual.
  • Single Sign-On Using SAML. Support for SAML 2.0 for single sign-on using PingFederate as the Identity Provider. See "About single sign-on using SAML" in the Securing Splunk Enterprise manual.
  • Search Head Clustering Improvements. Performance optimization, scalability, and management improvements. Support for Windows OS.
  • Indexer Clustering Improvements. Ability to turn off search affinity. See "Implement search affinity in a multisite indexer cluster" in the Managing Indexers and Clusters of Indexers manual.
  • HTTP Event Collector. Indexing of high-volume JSON-based application and IOT data sent directly via a secure, scalable HTTP endpoint. No Forwarder required. See "Use the HTTP Event Collector" in the Getting Data In manual.
  • Custom Alert Actions. Customizable alert actions and packaged integrations with popular third-party applications or messaging systems. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
  • Key Value Store - Distributed Lookups. Allows App developers to do KV Store lookups on remote indexers to improve efficiency in large scale distributed environments. See "About the app key value store" in the Admin Manual.
  • Key Value Store - Lookup Filtering. Allows App developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.

Management and Administration

  • HTTP Event Collector Configuration. Create and manage configurations for the HTTP Event Collector. See "Use the HTTP Event Collector" in the Getting Data In manual.
  • Source Type Manager. Create and manage source type configurations independent of getting data in, and search within the source type picker. See "Manage source types" in the Getting Data In manual.
  • Powershell Input. Native support for ingesting data retrieved by Powershell scripts. See the Splunk Add-on for Microsoft PowerShell manual.
  • App Browsing Interface. Automates and simplifies app and add-on discovery within Splunk Web.
  • Indexer Auto-Discovery. Forwarders now dynamically retrieve indexer lists from cluster master to enable elastic deployments. See "Use indexer discovery to connect forwarders to peer nodes" in the Managing Indexers and Clusters of Indexers manual.
  • Distributed Management Console. New topology views, status, and alerting for Splunk platform deployments including: indexers, search heads, forwarders, and storage utilization. See "About the distributed management console" in the Distributed Management Console Manual.
  • Field Extractor Enhancements. Simplified field extraction via delimiter and header selection. Displays field extractions within the event preview. See "Build field extractions with the field extractor" in the Knowledge Manager Manual.
  • Search Process Memory Usage Threshold. New configuration parameters to specify the maximum physical memory usage that a single search process can consume. See the search_process_memory_usage_threshold and search_process_memory_usage_percentage_threshold stanzas in "limits.conf" in the Admin Manual.

Usability

  • Single Value Display. Support for at-a-glance, single-value indicators with historical context and change indicators. See the "Single value visualizations" section of "Visualization Reference" in the Dashboards and Visualizations manual.
  • Geospatial Visualization. Support for choropleth maps to visualize how a metric varies across a customizable geographic area. See "Mapping data" in the Dashboards and Visualizations manual.
  • Dashboard Enhancements. More powerful dashboards with extended search and token management. See "Token usage in dashboards" in the Dashboards and Visualizations manual.
  • Search History. View and interact with ad-hoc search command history. See "View and interact with your Search History" in the Search Manual.
  • Anomaly Detection. New SPL command that offers histogram based approach for detecting anomalies. Also includes the capabilities of existing anomalousvalue and outlier SPL commands. See "anomalydetection" in the Search Reference manual.
  • Search Helper Improvements. Re-architected to improve responsiveness.

Developer

  • Java logger Support for HTTP Event Collector. Adds support for log4j, logback and java.util.logging to allow logging from Java apps over HTTP.
  • .NET Logger support for HTTP Event Logger. Adds support for the .NET Trace Listener API and SLAB (Semantic Logging Application Block) to allow logging from apps over HTTP.
  • Custom Alert Actions. Allows developers to build, package, and integrate custom alert actions as native to Splunk software. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
  • Key Value Store - Distributed Lookups. Allows App developers to do KV Store lookups on remote indexers to improve efficiency in large scale distributed environments. See "About the app key value store" in the Admin Manual.
  • Key Value Store - Lookup Filtering. Allows App developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.

Documentation

The Splunk Enterprise 6.3 release includes one new manual and several enhancements to key areas of existing content.

  • The Distributed Management Console Manual provides dedicated information on the distributed management console that was introduced in Splunk Enterprise 6.2.
  • The Distributed Deployment Manual has been substantially expanded to provide enhanced guidance on implementing, maintaining, and expanding a distributed deployment. In particular, it now features a set of end-to-end implementation frameworks for common deployment scenarios.
  • The Getting Data In manual has been reorganized to provide faster access to the information you need to get your data into Splunk Enterprise. The manual includes information on updated features, and content within the book has been reorganized to make procedures easier to understand and follow.
  • The Forwarding Data manual has been updated to make the installation instructions for the universal forwarder more accessible, and to better group and clarify universal forwarder concepts and activities in deployments of the Splunk platform.

New REST APIs

This release includes the following updates to the REST API.

  • data/inputs/http
  • data/inputs/http/{name}
  • data/inputs/http/{name}/disable
  • data/inputs/http/{name}/enable
  • licenser/usage
  • services/collector/event
  • services/collector/mint
  • services/data/ui/alerts
  • servicesNS/{user}/{app}/data/ui/alerts
  • services/server/introspection/search/dispatch/Bundle_Directory_Reaper
  • services/server/introspection/search/dispatch/Dispatch_Directory_Reaper
  • services/server/introspection/search/dispatch/Search_StartUp_Time
  • services/server/introspection/search/distributed
  • services/server/introspection/search/saved
  • services/search/scheduler
  • services/search/scheduler/status

mporath_splunk
Splunk Employee
Splunk Employee

6.3.1 was a maintenance release that includes recent bugfixes
You can find all changes in the Release Notes for 6.3.1

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...