
What's New in Splunk 3.3


Description:

Learn about all the great new features in Splunk 3.3! Mark Bagley and Raffy Marty, two of Splunk's Senior Product Managers, discuss some of the great new features in Splunk 3.3, including Splunk for PCI and Change Management, Crawl, Summary Indexing, and more!

Runtime: 08:00
Date: Jul 18, 2008

Transcript

What's New in 3.3

Mark Bagley: [0:07] Hi there. I'm Mark Bagley, Senior Product Manager here at Splunk, and I'm joined by...

Raffy Marty: [0:11] I'm Raffy. I work in Product Management with Mark. We're going to talk a little bit about 3.3 and the new things.

Mark: [0:17] Yeah! Lots of great new stuff guys.

Raffy: [0:20] One thing that you've probably seen lately: we worked on applications pretty heavily. We have a Splunk for PCI application. We have a Splunk for Change Management. There are some things in Mark's area that we have improved in terms of working with the apps.

Mark: [0:34] Yeah. We've built the concept of applications here at Splunk, which can be as simple as configuration, but can be as big as, for example, the PCI Compliance Application that Raffy just talked about. But, one great new thing about 3.3 is that you can browse for applications and you can install them right inside the Splunk Admin UI.

[0:56] So, it makes it really, really easy to get up and running with PCI Compliance Initiative, simply by downloading Splunk, and then right inside Splunk you can install the new app.

Raffy: [1:07] So, you can basically... All the apps that anyone puts out on SplunkBase, you can now browse them in the interface, and when you see them you can install them right away. You don't have to download a TAR.GZ anymore and do that manually. I think that is really cool and probably going to hopefully help adoption... people using this.

Mark: [1:25] Yeah. We just really want to make it easy for people to get up and running with it. I mean, the whole idea is, let's say you need to put together an application for configuration inside your own environment. Let's say you want to share that with other people. Other people can then get it from SplunkBase really, really quickly and do the whole download and install with a couple of clicks inside the user interface.

Raffy: [1:47] That also brought along some changes technically. If you install the applications now, there is a little bit of a different directory structure. People should probably just be aware of that now. It's not in etc/bundles anymore. But, there is an etc/apps and an etc/system directory. The configurations are probably good to know for people.

Mark: [2:04] Yeah. So, we use the same configuration layering technology that we've had that allows you to make discrete changes only and then keep defaults. Then, view those inside a hierarchical structure. But, we developed some segmentations. So, we've got configurations for applications now and then configurations you make to the product.

[2:27] So, this new change changes the structure of the directories a little bit. That is, if you are under the hood inside of Splunk.

Raffy: [2:37] So, I guess, something else, we have crawl. It's one of our features.

Mark: [2:40] Yeah, we've got crawl. So, you can now automatically discover new data sources on your file systems very, very quickly. So, new configuration files as they get changed; somebody installs new software. Crawl can go out and find things that look like Splunk data inputs on your file system, and then either automatically add those or interactively show you what those things are as they've changed. Then, allow you to preview what that data would look like inside of Splunk. Great, great, great new feature.

Raffy: [3:11] And I guess, along with that, now we get data in quicker and easier.

Mark: [3:15] Yeah. You've got the ability to get file system oriented data back into Splunk a lot faster and a lot easier than before, where you sort of had to go tell Splunk where to fish in certain directories. Then, say, "I don't want these things."

[3:30] It makes it a lot easier than trying to develop blacklists and whitelists for every single case. "Here's something that I might not want, but here is something that I really do want." Now, you can just go and tell it to find things and then automatically add them if they meet a certain profile, which is much easier.

Raffy: [3:49] And so, now that we get more data in, on the consumer or reporting side, if you have to report on a lot of data all the time, we have a feature we call summary indexing. Some people might have heard of this as report caching. We had a little script before that you could use to do this. But, we realized it was such an important feature, we wanted to really productize it, and it's called summary indexing.

[4:12] So, what you can do is you basically set up incremental searches that collect individual smaller pieces of data and put them into a special index. So, let's take an example. You have to report over the last month of all the Website activity. You want to know what are the top ten users every day hitting that Website.

[4:31] What you do is you run this every day and you save that out into the summary index. Then, what you can do instead of going over the entire data every time you want a report on this, you go against the summary index and it's much, much quicker to retrieve all that. So, large-scale reports are made much faster by breaking it up into smaller pieces.

Mark: [4:51] Yeah, and you can essentially snapshot search results over time.

Raffy: [4:54] Exactly.

Mark: [4:55] So, I mean, Web analytics is one use case I can think of. I'm interested in performance snapshotting. So, let's say I'm interested in performance counters summarized for a certain class of servers. Let's say I've got that tag. I can do search results by that tag, save those search results, and then look at performance trends over different aspects of my infrastructure instead of having to go and break it down by system.

Raffy: [5:20] Right. Or you look for certain violations from certain sources. You keep those in the summary index so you don't have to hit all the data all the time.

Mark: [5:27] Perfect.

Raffy: [5:28] What else do we have?

Mark: [5:30] We've also got some new data inputs too that are operating system specific. So, we introduced two new capabilities for Splunk 3.3 for Windows users. We introduced the ability to do remote calling over WMI. So now you can get event log data remotely without installing Splunk on a system and you can also get performance data from those systems as well.

[5:53] We also have the ability to customize our WMI input, so that anything you can write in WQL that exists inside of a WMI provider, you can now index that data via Splunk. We've got some good documentation on the Web that lets you know what permissions you are going to have to turn on to allow this to happen on your Windows systems. But, it's real easy to get up and running with.

Raffy: [6:17] I guess, it's really interesting right? Because you don't have to install Splunk on the Windows box anymore, but can actually remotely get the event log, which I think is a big deal.

Mark: [6:26] Yeah. No, it's great, especially for dealing with larger numbers of systems where you may not be able to distribute software to them.

Raffy: [6:34] Right.

Mark: [6:36] The other cool thing that we introduced is a registry data input. So, any data that is inside the registry, you can now index inside of Splunk with change detection. So, I can say, "Give me the keys inside a certain hive that have changed." I can say, "Give me a subset of the key path from this hive." Let's say I'm interested in configuration that is being stored inside the registry for a certain software application.

[7:03] I can tell our registry change monitor to index the data and then index the data again when the data changes. Then, you can put together saved searches on that to do alerting and all the normal stuff that you would do with any other data type inside of Splunk. So, it's a great way to unlock that registry data that you may have that would be useful either for measuring compliance, doing change detection for operational purposes; a bunch of different use cases all met by this. It's great stuff.

Raffy: [7:38] Yeah, I think, there are a lot of other little things. But, what you should probably do at this point is go, download 3.3 and have some fun. Let us know what you think.

Mark: [7:47] Absolutely. Please do download 3.3. Tell us what you think. Email support at Splunk and happy Splunking guys.
