3.1

New features

"=" is now interchangeable with "::" when using search fields in a search.
Users can now type values in a form search.
New commands resurrect , unresurrect, and export are available in the CLI:
- resurrect: makes data available that has previously been archived.
- unresurrect: used to delete directories that have been resurrected.
- export: exports user data, global data, or event data for archiving.
- For help with these commands, access the CLI help pages through the command line: ./splunk help resurrect or ./splunk help unresurrect or ./splunk help export.

Resolved issues from 3.0.x

SplunkWeb now performs searches faster with smaller result sets.
SplunkWeb no longer elevates user privileges without warning.
Whitelisting and blacklisting now work correctly.
Distributed searches now access events in parallel across all servers.
SplunkWeb show source now displays correctly.
Dashboard Saved searches in SplunkWeb now display correctly.
When selecting fields in a search in SplunkWeb, the selected fields show correctly.
Splunk no longer suffers a performance loss when extracted and search fields are enabled.
Unprintable characters no longer cause errors in the CLI.
- Unprintable characters return as "?".
- Original data is not lost. Use the extract command to retrieve the raw data.
Entries are no longer dropped for LDAP servers running Active Directory.
Splunk's log volume is now significantly smaller.
Setting sourcetypes of archived files works properly.
Fixed small bugs with saved searches and alerts in distributed search deployments.
Splunkd is more efficient.
Event type tagging works correctly in SplunkWeb.
Deleting events while a source is being indexed no longer causes an incorrect event count to be reported.
Splunk runs correctly on AIX 5.2 and 5.3.
Splunk has Improved handling of TCP inputs.
Shutting down Splunk does not cause TCP event loss.
Splunk functions correctly with the gzip environment variable set.
CSV files with common headers no longer cause Splunk's tail to miss events.
Splunk has increased functionality with Internet Explorer 6.
Fixed cosmetic bugs in SplunkWeb.
eventtypetag:: typeahead is corrected.
hosttag:: tyepahead is corrected.
Runtime field extraction works with host::.
Improved user role capabilities.
Enhanced search performance on 64-bit systems.
Dashboard creation now works correctly in SplunkWeb.
Selecting "table" from drop-down in the SplunkWeb dashboard does not produce both a chart and a table.
Alerts created by power users now can perform all actions as expected
Compressed files now correctly handle sourcetypes manually set in inputs.conf
Dashboard no longer displays duplicate sets of example searches for every distributed data source.
Full TCP input queues no longer drops events.
The search command outputcsv outputs fields in the proper order.

New issues in this release

In a distributed search cluster, it is recommended that you have every node upgraded to an identical version of Splunk.
- You can never mix 3.1.x and 3.0.x nodes in a distributed search cluster. You must upgrade all 3.0.x nodes to 3.1.x.
When shutting down Splunk, there is a risk that network inputs can experience event loss.
Having too many LDAP roles set might cause searching to suffer a performance loss.
Using time-based search modifiers in the format: modifier::value in a saved search will break links that are sent in alerts via RSS or email.
- Fix this by changing all custom time-based modifiers used in savedsearches.conf to: timebasedmodifier=value or timebasedmodifier="value" format.
Searches using a literal equal sign (=) will no longer work due to changes in the search syntax. This may cause saved searches to fail.
- Fix this by enclosing the search expression in double quotes. For example, "user=foo" .

Previous: Known Issues | Next: Credits

Comments

No comments have been submitted.