2.1 GA Release
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk:
2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6
For installation instructions see the Installation Manual.
If you have an existing Splunk 2.0 installation you wish to upgrade to 2.1, please see the migration instructions.
New Features since 2.0
Splunk-2-Splunk Distributed Search
Users can now search across multiple Splunk servers from a single web or command line interface.
Bundles
A simplified configuration format. Name-value pairs in stanzas replace the old XML structures to configure
- Data inputs
- Processing properties
- Saved & Live Splunks
Bundles create portable, modular configuration. Bundles can be added to or removed from installations, just like Splunk modules. Modules add functionality through new processors or pipelines. If you create custom processor modules for Splunk, you can export their properties into bundles.
Configuration
All input modules, server settings, Splunk-2-Splunk setup, Saved & Live Splunks, and user accounts can be configured either via the GUI or from the command line. You can paste new licenses directly into the GUI. Configuration has been streamlined to be simpler and expanded to be more consistent across configuration areas.
Command Line
Splunk's command-line interface has been enhanced to match the UI nearly feature for feature, complete with built-in help. Command syntax has been made consistent across nearly all commands.
Other features
Search and Navigation
- The search language and GUI support relative as well as absolute time ranges.
- Hosts can be tagged, just like event types. For example, hosts web01, web02 and mail01 could all be tagged "production," while hosts mail01 and eng-smtp could be tagged "mail."
- Meta events can be based on transitive associations. For example, if Event A includes value X, Event B has values X and Y, and event C has value Y, all three events can be clustered in a meta event. This is useful for sendmail logs and other formats where two connected events may not share a common value, but are connected through a third.
- Report Splunk result sets have interactive segments.
- Live Splunk schedules can use relative start and end times, to create reliable reports despite latency in the environment.
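The transitive association described above, as an added illustration that is not Splunk's own code: events that share any value are linked, and the link is closed transitively, so A and C end up in one cluster even though they share nothing directly. The events and the cluster_events helper are constructed for this example.

```python
from collections import defaultdict

# Constructed sample events loosely modelled on sendmail log lines: A and C
# share no value, but both share one with B, so all three belong together.
EVENTS = {
    "A": {"queue_id": "k3A1x7", "msg_id": "<123@example.org>"},
    "B": {"queue_id": "k3A1x7", "relay": "mx1.example.org"},
    "C": {"relay": "mx1.example.org", "status": "sent"},
    "D": {"queue_id": "zz9999", "status": "deferred"},
}

def cluster_events(events):
    """Group events connected, directly or transitively, by a shared value.

    Two events are linked when any of their field values are equal; a
    union-find structure closes that relation transitively.
    """
    parent = {name: name for name in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index every value to the events carrying it, then union each group.
    by_value = defaultdict(list)
    for name, fields in events.items():
        for value in fields.values():
            by_value[value].append(name)
    for names in by_value.values():
        for other in names[1:]:
            union(names[0], other)

    clusters = defaultdict(set)
    for name in events:
        clusters[find(name)].add(name)
    return sorted(sorted(c) for c in clusters.values())

if __name__ == "__main__":
    print(cluster_events(EVENTS))  # [['A', 'B', 'C'], ['D']]
```

Because the link is transitive, a value common to many events (a busy relay host, for instance) merges everything that touches it, so the fields used for linking should be chosen deliberately.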
Processing
- Syslog headers can be stripped from events prior to source typing, multi-line merging and event typing.
- Events can be forked and indexed by different Splunk Servers based on specific content or patterns.
- Admins can tune down or turn off any stage of processing for any or all sources, sourcetypes and/or hosts to trade index richness for speed.
- Timestamps can be extracted from filenames.
- Data can be deleted from the index. An admin can use a search-like command - e.g. delete::sourcetype::syslog - to delete all data from any source, sourcetype, and/or host, optionally within a timerange. The data will no longer appear in search results, typeahead, or statistical summaries. The purpose of this feature is not to recover disk space, but to remove incorrectly indexed or duplicate data from appearing to users. It's an easy way to undo configuration mistakes.
Licenses
- In-product registration lets you buy or upgrade licenses.
- You can paste a new license into the GUI rather than editing the filesystem.
Help
- Built-in product help has been separated into its own pop-up page. Click the (i) buttons on the interface to pop open help.
- A Guided Setup feature helps admins with first-time configuration.
- Many error messages have been edited for clarity.
Resolved Issues since 2.1b2
- Browsing events by time now includes the day of the week.
- Many Live Splunk issues resolved.
- Setting seconds in time range no longer shifts the cursor focus.
- License strings with line break characters now work.
- The "splunk learn fields" command no longer returns errors.
- Internet Explorer users on Windows XP can set host tags.
- Configuration file entries for regular expression and linemerge attributes are no longer dependent on order.
- Splunk can now be bound to a specific interface by setting the environment variable SPLUNK_BINDIP to the IP address on which Splunk should listen.
- Browser back buttons now work with distributed searches.
- Sending syslog data over UDP to Splunk no longer truncates the host:: value to four characters.