• Overview
  • What's New in Splunk 2.1
    • Home Page
    • Search Results
    • Tags
    • Admin Panels
    • Splunk-2-Splunk
    • Saved Splunks & Live Splunks
    • Time Range Selection
• Changelogs by Version
  • Release Notes 2.2.6
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.2.3
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.2.1
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.2
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.1.3
    • New Features
    • Resolved Issues
    • Known Issues
  • Release Notes 2.1.2
    • Warning - Updating from 2.1.x
    • New Features
    • Resolved Issues
    • Known Issues
  • 2.1.1 Release Notes
    • New Features
    • Resolved issues
    • Known Issues
  • 2.1 GA Release
    • New Features since 2.0
    • Resolved Issues since 2.1b2
  • 2.1 Beta 2 Release Notes
    • WARNING: Don't Upgrade 2.0 Servers Yet
    • New Features
    • Known Issues
    • Resolved issues
  • 2.1 Beta 1 Release Notes
    • WARNING: Don't Upgrade 2.0 Servers Yet
    • New Features
    • Known Issues
  • Release Notes Archive

2.1 Beta 1 Release Notes

WARNING: Don't Upgrade 2.0 Servers Yet

Do not upgrade a 2.0 server with the 2.1b1 release. Use this beta release only to create fresh installations. The 2.1 GA final release will safely upgrade 2.0 servers.

To run both versions on the same server, see the Installation Manual for instructions to install the beta release in a different directory.

New Features

Splunk-2-Splunk Distributed Search

Users can now search across multiple Splunk servers from a single web or command line interface.

Bundles

A simplified configuration format. Name-value pairs in stanzas replace the old XML structures to configure

• Data inputs
• Processing properties
• Saved & Live Splunks

Bundles can be added or removed from installations, just like Splunk modules. Bundles create portable, modular configuration. Modules add functionality through new processors or pipelines. If you create custom processors for Splunk, you can expose properties for their behavior that can be configured in bundles.

Configuration

All input modules, server settings, Splunk-2-Splunk setup, Saved & Live Splunks, and user accounts can be configured either via the GUI or from the command line. You can paste new licenses directly into the GUI. Configuration has been both expanded and streamlined to be more simple and more consistent across configuration areas.

Command Line

Splunk's command-line interface has been greatly expanded to nearly match the UI feature for feature, complete with built-in help. Command syntax has been made consistent across nearly all commands.

Other features

Search and Navigation

• The search language and GUI support relative as well as absolute time ranges.
• Hosts can be tagged, just like event types. For example, hosts web01, web02 and mail01 could all be tagged "production," while hosts mail01 and eng-smtp could be tagged "mail."
• Meta events can be based on transitive associations. For example, if Event A includes value X ,Event B has values X and Y, and event C has value Y, all three events can be clustered in a meta event. This is useful for sendmail logs and other formats where two connected events may not share a common value, but are connected through a third.
• Report Splunk result sets have clickable segments.
• Live Splunk schedules can use relative start and end times, to create reliable reports despite latency in environments.

Processing

• Syslog headers can be stripped from events prior to source typing, multi-line merging and event typing.
• Events can be forked to be indexed by different Splunk Servers based on specific content or a pattern.
• Admins can turn off and tune down any stage of processing for any or all sources, sourcetypes, hosts to trade index richness/ metadata for speed
• Timestamps can be extracted from filenames.
• Data can be deleted from the index. An admin can use a search-like command to delete all data from any source, sourcetype, and/or host, optionally within a timerange. The data will no longer appear in search results, typeahead, or statistical summaries. The purpose of this feature is not to recover disk space, but to remove incorrectly indexed or duplicate data from appearing to users. It's an easy way to undo configuration mistakes.

Licenses

• In-product registration lets you buy or upgrade licenses.
• You can paste a new license into the GUI rather than editing the filesystem.

Help

• GUI-guided initial setup.
• Overhauled in-product help with floating Quick Reference page.

Known Issues

These are sorted roughly in descending order of severity. Please don't hesitate to report further issues to support@splunk.com.

Index issues

• Stopping or restarting the server may cause some data to be dropped. This will definitely be fixed before the 2.1 GA release!

Server-side issues

• If the Splunk Server is on a host that returns a null Unix hostname, the Splunk Server may not run.
• Saved Splunks sometimes cannot be saved in the free Splunk Server.
• Shared Saved Splunks do not always get shared or un-shared properly.
• The shell command "splunk stop" or "splunk restart" doesn't always completely shut down the splunkd daemon. Use kill -9 if it is still running after a minute or two.
• Setting the free disk space margin below 1GB can cause index damage.
• You cannot specify "NOT server::web01" or Alt-click to remove a server from results. The search runs but results are not as expected.

Cross-browser UI issues

• There may be some uncaught SOAP exceptions remaining in the admin area. If the Splunk web interface throws an exception to its twistd app server, you'll get what looks like a core dump in your browser window. Please report any error screens to Splunk Support.
• The web interface has many new administrative capabilities. Some them require a restart. In most cases the interface displays a restart message, but there are some instances where it may not.
• You can edit some Splunk Professional settings with the default free license. They won't work.
• Saved and Live Splunks with spaces in their names don't show up in typeahead. They do work.

Firefox UI issues

• Switching to the Admin section while the interface is loading can occasionally crash Firefox.

Internet Explorer UI issues

• Wrapped results don't display properly.
• Clicking on values in tabs doesn't work.
• The server drop-down menu for distributed search displays oddly and can be hard to select.
• Some redraw issues.

Command line issues

• The command line command "splunk start" displays the URL of the web interface. it uses the hostname local to the splunk server. This may not work if DNS is not configured on the Splunk Server host.
• Live Splunks cannot yet be created from the command line, but this is close to being fixed.

Splunk-2-Splunk issues

• You need to restart for Splunk-2-Splunk data forwarding to take effect, but the UI does not tell you.
• Splunk-2-Splunk forwarding is configured outside of the bundle system. Configurations made in the beta 1 release will not survive upgrades to later releases.
• Network port inputs set source::tcp:10.4.99.11:514 instead of source::tcp:514, which prevents search across port 514 on all servers.

Help issues

• The in-product Quick Reference does not yet show all new 2.1 search commands.
• Guided Help does not always display the help page for your current state.
• Guided Help shows you the registration form instead of the current license on the current license step. Click Admin -> Licenses & Usage -> Current License to see the current information.