• What's New
  • What's new in Splunk 3.0
    • Interactive reporting
    • Dashboards and personalization
    • Expanded search language
    • Flexible event typing
    • Scripted inputs
    • 64-bit support
    • Multi-processor support
    • Deployment server
    • Advanced data management
    • SplunkBase 3.0
    • Browser toolbar
    • Other features and improvements
• Known Issues
  • Known Issues
    • General
    • Search & Navigation
    • Administration
    • Toolbar
• Changelogs by Version
  • 3.0
    • New features
    • Resolved issues from 3.0 beta 3
    • New issues in this release
  • 3.0 Beta 3
    • New features
    • Resolved issues from 3.0 beta 2
    • New issues in this release
  • 3.0 Beta 2
    • New features
    • Resolved issues from 3.0 beta 1
  • 3.0 Beta 1
    • New features
    • Resolved issues from 2.2.3
• Credits
  • Credits
  • APSW
  • boost
  • elementree
  • expat
  • fpconst
  • gadfly
  • libarchive
  • libiconv
  • libxml2
  • libxslt
  • log4py
  • numeric
  • openLDAP
  • OpenSSL
  • pcre
  • popt1.7
  • pyopenssl
  • pysqlite
  • python
  • pyxml
  • SOAPppy 0.11.6
  • sqlite
  • twisted
  • xmlwrapp 0.5.0
  • zope
  • zlib

3.0

New features

• Internet Explorer 6 and 7 support
• Firefox 1.5, 2.0 support
• New Firefox toolbar
• Ctrl-click, alt-click, and ctrl-alt-click behavior has been changed in 3.0. We've made simplifications in the interaction model that should work well for new users (details). However, some old users have told us they like the old way better. You can switch back to the old interaction model by clicking the Preferences link in the upper right of SplunkWeb, and setting click behavior to "Click replaces..."
• Robust LDAP connection support
• Lightweight forwarding capability
• Improved user roles distinction (user, power user, admin)
• Improved Splunk alerting to be able to alert via email or RSS (http or https) feeds
• Added ability to administer through the search bar in SplunkWeb using the admin command
• Added support for TAI64 formatted dates
• Added support for European formatted dates
• Granular access controls available through access_controls.conf
• Added capability to connect to OPSEC LEA to access Checkpoint firewall logs
• Added usage of REST API to perform searches
• Added ability to execute distributed report and search of related events across multiple Splunk servers
• SplunkBase 3.0
• Added 64-bit and multi-CPU support
• Improved data cloning and routing
• Advanced data management capabilities
• Expanded search language (over 20 search commands) that can be piped together
• Flexible event typing
• Homepage and dashboard customization
• Time-based scrolling and navigation
• Interactive reporting and interactive summaries and filters (any search results can be viewed in a tabular report mode)
• Some configuration file names have changed:
  • modules.conf is now deployment.conf
  • regexes.conf is now transforms.conf
  • savedsplunks.conf is now savedsearches.conf
  • cleaners.xml is now indexes.conf

Resolved issues from 3.0 beta 3

• Fixed issue requiring setting of LD_LIBRARY_PATH for Solaris installations
• Resolved issue of "report on results" link floating in SplunkWeb while a search is loading
• Added tool tips for timeline links in SplunkWeb
• Added tool tips on mouse over for fields menu link in SplunkWeb
• Dsnct renamed to distinct fields/frequency in report display
• Added functionality to report charts in SplunkWeb
• FIxed errors with starting on Red Hat 9, SunOS Sparc 5.9 and 5.10
• Fixed Ironport cored on FreeBSD
• Fixed disable/enable local indexing error "File path not readable" in Splunk CLI
• Fixed saving a tag to a hostname issue
• Fixed syslog UDP issue with host name characters
• timerange operators no longer included in search language – drop down is used to choose time range in SplunkWeb
• Fixed link to all in-product documentation
• Fixed issue related to scheduling using cron-style inputs
• select operator no longer fails when there are no spaces around a WHERE clause
• Fixed issue where clicking on the logo in SplunkWeb to properly redirect to login after a restart of splunkd
• Added scrolling with pgUp/pgDn to scroll through events and vi-style J/K/S/T key commands for scrolling
• Fixed scrolling issues while timeline still loading
• Improved graph by field list to shows all fields
• Fixed Permalink with report issue, not linking correctly to report
• Searching on parentheses now supported
• Added support for the creation of unlimited number of Splunk users
• Improved tailing processor can handle a more robust variety of files
• Added username and password configuration before start-up control in user-seed.conf
• Added VXFS support for Linux
• Added configurable time stamps for different date stamp formats
• Added hash character support for time stamps
• Added ability to change the default maxevents:: setting
• New relative search time modifiers: startminutesago:: ; starthoursago:: ; startdaysago:: ; startmonthsago:: ; endminutesago:: ; endhoursago:: ; enddaysago:: ; endmonthsago:: ; timeformat:: added to search language
• Improved searching an index with distributed search by forcing it to ignore servers that do not have the specified index

New issues in this release

• The related operator is very slow when processing large events
• The last refresh time on the home page will always be in PST