Documentation: 3.3.3
This page last updated: 07/03/08 02:07am

What's new in Splunk 3.3

Summary Indexing

Splunk's new summary indexing feature solves many common problems associated with running aggregate reports over long periods of time. Before summary indexing, Splunk had to access your entire data set for each report. For example, to generate a daily report of access statistics over the last 30 days, Splunk had to access the data for all 30 days every day. In this particular example, summary indexing eliminates this redundancy and overhead by automatically running a search every day that stores the result for that day in a summary index. Then, you run your report for the last 30 days using the much smaller and more focused dataset to generate overall statistics. Summary indexing decreases the impact of running the report on your system and increases the speed significantly. If you must keep your data for long periods of time for the purposes of running summary reports, use summary indexing to aggregate results and discard the original events, saving you space.
For more information, refer to the documentation for summary indexing.

Application browser and manager

The Splunk Application Manager allows authorized users to install and upgrade Splunk Applications directly from Splunk Web. Authorized users are able to view and manage their installed Splunk Applications at a glance, significantly improving usability of an extended Splunk deployment. Users can also browse and install applications available on SplunkBase from within Splunk Web.
For more information, refer to the documentation for the application manager.

Continuous crawling

Splunk continuously crawls your IT infrastructure and either notifies you about new data sources or adds them, based on configurable settings. You can also preview what new data sources would look like inside Splunk before adding them to your index. Preview is fully integrated into Crawl to ensure you only index the new data sources you're interested in.
Beyond black/whitelisting: Crawl and its ability to automatically identify and configure new data sources combined with the expressiveness of the Splunk search language offer great new capability to ensure that all IT data gets indexed regardless of when your Splunk deployment is configured, without the tedium and constant review required by blacklisting and whitelisting specific files and directories.
For more information, refer to the documentation for crawl.

Windows Registry input

Baseline, track and audit Windows Registry changes using Splunk's new Registry tracking feature. You can choose to collect the entire Registry, filter by hive, or just track changes. By adding Registry data to your Splunk index, you can now track installations and configuration changes, and address complex application failures on Windows directly from a single console.
For more information, refer to the Windows Registry input documentation.

WMI input

Splunk can now tap directly into one of the most important Windows management data sources: Windows Management Instrumentation, or WMI. WMI provides Splunk with performance and system health information, as well as a method for polling servers remotely for data (such as Event Logs). WMI inputs expand your options for scaling your data collection.
For more information, refer to the WMI input documentation.

New directory structure and nomenclature for custom bundles/applications

Starting with version 3.3, Splunk's custom bundle directory structure and terminology have both changed. Bundles are now referred to as applications. The existing directory structure and nomenclature are supported in version 3.3, but will be deprecated in a future release. Splunk provides a script for migrating your existing bundle directories to the new structure. Refer to these instructions for more information on how to migrate your applications.
For detailed information about the new applications directory structure, refer to the documentation about configuration files.

New developer tools

Splunk 3.3 ships with a complete REST API. SDKs providing wrappers for Splunk's REST endpoints are available in several different languages. For information on the new REST API (with links to the SDKs), refer to the Developer Manual.

Python SDK

Splunk's Python SDK allows for simpler application creation with one of the world's easiest-to-use object-oriented programming languages.

.NET SDK

Splunk's .NET SDK allows for simpler application creation with the widely-used Microsoft .NET development framework.
