
This document last updated: 04/13/07 03:04pm
Overview
What's New in Splunk 2.1
Home Page
- Saved Splunks are now listed on the home page, just like Live Splunks.
- Host tags, a new feature, are displayed next to their corresponding host names.
- If the server has no events indexed, the home page will explain how to set up data inputs through the new Guided Setup feature.
Search Results
- The search results page has been redesigned to be more legible.
- The results page tabs are different:
- The Tags tab is gone.
- A Servers tab will appear if the search results include events from multiple servers in a Splunk-2-Splunk configuration.
Tags
- Hosts can be tagged, just like event types. Host tags also appear on the home page.
- The Tags tab on the search results page is gone. Instead, the Host and Event Type tabs on search results pages each have an option to view by tag. This option appears if and only if there are tags present in the current search results.
Admin Panels
- Many more configuration options have been added to the Admin web interface.
- Data input configurations are now displayed in detail, and can be edited directly in the web interface.
- A Guided Setup option provides step-by-step first-time configuration, as shown below.

Splunk-2-Splunk
- Distributed Search lets users search across multiple servers.
- A Servers tab appears on search results pages if there are events from multiple servers in the current search results.
- Users can log in to multiple Splunk Servers at once. They must have the same username and password on each Splunk Server.
Saved Splunks & Live Splunks
- Saved Splunks now appear on the home page, just like Live Splunks.
- New schedule options for Live Splunks allow precise scheduling in latency-prone environments.

Time Range Selection
- A new relative time range selector widget allows more precise control of time boundaries.
This time range selector is set to show events from 3 days ago for a duration of 12 hours

Changelogs by Version
Release Notes 2.2.1
Date of Release: April 11, 2007
Splunk 2.2.1 resolves several issues identified in the 2.2 release.
To install Splunk 2.2.1, see the Installation Manual for full instructions.
New Features
- The Splunk Server now supports the XFS filesystem on Linux. For a complete list of supported filesystems, please check here.
Resolved Issues
- Upgrading from 2.1.x to 2.2.1 no longer requires a user migration.
- Resolved various crashes attributed to our UTF8 processor.
- Resolved a deadlock issue attributed to Splunk's use of SQLite.
- Resolved crashes attributed to searching for meta events.
- Corrected the "Last refreshed" time displayed in the upper left-hand corner to work properly with the recent Daylight Saving Time change.
- Corrected a problem with Splunk's LDAP connection management in which authentication stopped working after the LDAP server timed out the connection.
Known Issues
- If the Splunk Server is configured to use LDAP authentication, the time Splunk needs to start successfully is proportional to the number of users stored in LDAP. Startup can take anywhere from 45 to 60 seconds.
- LDAP authentication should not use SSL
- When participating in distributed search, the report::[ ] operator must be enclosed in quotes.
- The GroupDN cannot contain an ampersand (&) character if you are configuring LDAP from the GUI. The workaround is to edit the auth.conf file directly.
- Restarting Splunk before a Live Splunk runs for the first time will result in 12/31/1969 being displayed as the Next Run date. This is purely cosmetic; the Live Splunk will run at the scheduled interval.
- An ampersand (&) in the user's Splunk password (e.g., "ch&ngeme") causes an authorization failure for Live Splunks. If you intend to use Live Splunks, choose a password without &.
- We have seen issues migrating 2.1.x users on FreeBSD to 2.2.1. If you are running Splunk on FreeBSD and lose your users on upgrade please contact Splunk Support for assistance in recovering your users.
Release Notes 2.2
Date of Release: February 9, 2007
Splunk 2.2 resolves several issues identified in the 2.1.x branch. In addition to various fixes, 2.2 introduces support for LDAP authentication.
To install Splunk 2.2, see the Installation Manual for full instructions.
New Features
- LDAP Authentication support
The Splunk Server now supports authentication via your existing LDAP server. The Splunk Server works with any LDAP v3 server. We've tested with OpenLDAP, Novell eDirectory, and Active Directory. Detailed documentation on configuring Splunk to work with your LDAP server can be found in the $SPLUNK_HOME/etc/bundles/auth.conf.spec file.
- The Splunk Server now supports the ZFS and VXFS filesystems on Solaris (SPARC and x86). For a complete list of supported filesystems, please check here.
Resolved Issues
- Multiple fixes for crashes related to memory management, input processors, distributed search, restart, and missing configuration files
- Splunk now prevents users from configuring Splunk-2-Splunk to use the management port. Splunk-2-Splunk must use its own port for communication.
- Report:: now supports querying for raw or * using full SQL
- Saved Splunks cannot contain spaces, quotation marks or ampersands in the name
- Splunk server names with spaces will no longer cause the web-server to crash
- Saved Splunks that include the report:: operator will return the appropriate report when called via savedsplunk::
- Saved Splunks search terms are limited to 32,767 characters
- Editing a Saved Splunk via the GUI will no longer result in a duplicate entry being created in your $SPLUNK_HOME/etc/bundles/local/savedsplunks.conf file
- The Live Splunk URL passed in an email is identical to the URL passed in a script
- All Live Splunks run at their appropriate intervals
- Live Splunk next run time and alert history both update accordingly
- All Live Splunk scripts must reside in $SPLUNK_HOME/bin/scripts
Known Issues
- 2.1.x installs with multiple users configured will lose the ability for those users to authenticate on upgrade to 2.2. A workaround is documented in the Updating 2.1.x to 2.2 instructions.
- The "Last refreshed" time displayed in the upper left-hand corner of the browser did not update properly with the recent Daylight Saving Time change. The time will always be 1 hour behind the current time. To correct this issue, simply replace your $SPLUNK_HOME/lib/python2.4/site-packages/splunk/search/Query.py with this corrected Query.py and restart Splunk's webserver (./splunk restart splunkweb).
- If the Splunk Server is configured to use LDAP authentication, the time Splunk needs to start successfully is proportional to the number of users stored in LDAP. Startup can take anywhere from 45 to 60 seconds.
- LDAP authentication should not use SSL
- When participating in distributed search, the report::[ ] operator must be enclosed in quotes.
- The GroupDN cannot contain an ampersand (&) character if you are configuring LDAP from the GUI. The workaround is to edit the auth.conf file directly.
- Restarting Splunk before a Live Splunk runs for the first time will result in 12/31/1969 being displayed as the Next Run date. This is purely cosmetic; the Live Splunk will run at the scheduled interval.
- An ampersand (&) in the user's Splunk password (e.g., "ch&ngeme") causes an authorization failure for Live Splunks. If you intend to use Live Splunks, choose a password without &.
Release Notes 2.1.3
Splunk 2.1.3 fixes a problem in the installer for 2.1.2 that did not place the correct version of splunkd.xml and multiIndexer.xml into place. There are no other changes from 2.1.2 -- the release notes below are 2.1.2 notes reprinted here for your convenience.
To install Splunk 2.1.3, see the Installation Manual for full instructions.
New Features
- Limited internationalization support
The Splunk Server now converts all incoming log data to UTF-8 prior to indexing. All characters are stored and displayed correctly in results, but search terms with non-ASCII characters are ignored. The specification for the incoming data's character set may vary by source, source type, or host (see the CHARSET property in props.conf.spec). We consider this release suitable for use with log data in any character set so long as the majority of characters convert to the ASCII subset of UTF-8. If you are interested in full internationalization support, please see our roadmap to help you decide which upcoming version of Splunk might be most appropriate for your needs. If you're using the international features of Splunk and run into unexpected behavior, please contact us at support@splunk.com. We're expanding our suite of tests for internationalization and would love your input.
- Positional timestamp extraction
If your event contains more than one timestamp, you can tell the Splunk Server which one to extract as the event's timestamp. The directive in props.conf to configure this is:
The regular expression should match on whatever data immediately precedes the desired timestamp.
- If the Splunk Server pauses indexing due to a lack of minimum free disk space, it will now post a persistent message at the top of the Web interface.
- Multiple improvements to Splunk's search engine increase the efficiency of search and return more accurate results when using complex NOT searches.
Resolved Issues
- Some users were not able to submit sample events to Splunk Base.
- Splunk did not always respect the removal of events from the index based on the size of the index or the age of events.
- If you configure your Live Splunks to call a script, Splunk will now pass 5 variables to your script:
- $1 - A results summary in XML.
- $2 - The search terms for the Live Splunk.
- $3 - The fully qualified query string for the Live Splunk.
- $4 - The name of the Live Splunk.
- $5 - The reason the Live Splunk triggered an alert.
Known Issues
- Pagination is not supported in a distributed search across more than one server. The Web GUI has been updated to alert the user of this if the user tries to navigate to a specific results page.
- Some upgrades from 2.1.x to 2.1.3 are not moving the splunk.secret file to $SPLUNK_HOME/etc/auth/, resulting in Splunk not being able to start. Prior to upgrade, make a copy of the splunk.secret file.
- Live Splunk next run is not being updated correctly
- Live Splunks triggering off a Saved Splunk that contains spaces send a malformed URL in the email results
- Live Splunks will not execute a script that is not contained in the $SPLUNK_HOME/bin/scripts directory.
- Editing a Live Splunk via the web interface results in a duplicate entry in your $SPLUNK_HOME/etc/bundles/local/livesplunks.conf file
- In distributed mode searching for eventtype::?servername_3 will cause the host splunkd process to terminate abruptly
- Sending any traffic outside of distributed search requests to Splunk's management port (by default 8089) will cause the host splunkd process to terminate abruptly
- You cannot use an ampersand "&" in the naming of Saved Splunks
- Using the savedsplunk:: search operator will not work correctly if the Saved Splunk has the report:: operator as one of its search terms
- You cannot query for raw or * in full SQL
- Uploading files to your Splunk index via the Web interface will cause your /tmp directory to fill up
- VXFS, ZFS, JFFS, XFS, SSHFS, and GFS filesystems are not supported. For a complete list of supported filesystems, please check here.
Release Notes 2.1.2
To install Splunk 2.1.2, see the Installation Manual for full instructions.
Warning - Updating from 2.1.x
- The installer misplaces two configuration files that must be manually copied into place. See the update instructions in the Installation Manual for the workaround.
New Features
- Limited internationalization support
In 2.1.2, Splunk converts all incoming log data to UTF-8 prior to indexing. All characters are stored and displayed correctly in results, but search terms with non-ASCII characters are ignored. The specification for the incoming data's character set may vary by source, source type, or host (see the CHARSET property in props.conf.spec). We consider this release suitable for use with log data in any character set so long as the majority of characters convert to the ASCII subset of UTF-8. If you are interested in full internationalization support, please see our roadmap to help you decide which upcoming version of Splunk might be most appropriate for your needs. If you're using the international features of Splunk and run into unexpected behavior, please contact us at support@splunk.com. We're expanding our suite of tests for internationalization and would love your input.
- Positional timestamp extraction
If your event contains more than one timestamp, you can tell the Splunk Server which one to extract as the event's timestamp. The directive in props.conf to configure this is:
The regular expression should match on whatever data immediately precedes the desired timestamp.
- If the Splunk Server pauses indexing due to a lack of minimum free disk space, it will now post a persistent message at the top of the Web interface.
- Multiple improvements to Splunk's search engine increase the efficiency of search and return more accurate results when using complex NOT searches.
Resolved Issues
- Some users were not able to submit sample events to Splunk Base.
- Splunk did not always respect the removal of events from the index based on the size of the index or the age of events.
- If you configure your Live Splunks to call a script, Splunk will now pass 5 variables to your script:
- $1 - A results summary in XML.
- $2 - The search terms for the Live Splunk.
- $3 - The fully qualified query string for the Live Splunk.
- $4 - The name of the Live Splunk.
- $5 - The reason the Live Splunk triggered an alert.
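As an added illustration of the five positional arguments listed above (the same list appears in the 2.1.3 notes), here is a Live Splunk alert action script in Python; it is not Splunk's own code. Only the argument order comes from these notes: the audit log path, the field names and the sanitizing rules are assumptions. Because $1 carries content from the matched events, the script flattens each value to a single line before logging it, so a log source cannot forge extra audit records.

```python
#!/usr/bin/env python
"""Live Splunk alert action script (added example; assumptions noted inline).

Splunk passes five positional arguments to a script in $SPLUNK_HOME/bin/scripts:
  $1 results summary (XML)   $2 search terms   $3 fully qualified query
  $4 Live Splunk name        $5 reason the alert triggered
The alert is recorded as one sanitized key="value" line so that the alert
log can itself be indexed without event content forging additional records.
"""
import re
import sys
import time

ARG_NAMES = ("summary_xml", "search_terms", "query", "name", "reason")
AUDIT_LOG = "/var/log/splunk-alerts.log"   # placeholder path (assumption)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_alert_args(argv):
    """Map the five positional arguments to names; reject any other count."""
    if len(argv) != len(ARG_NAMES):
        raise ValueError("expected %d arguments, got %d"
                         % (len(ARG_NAMES), len(argv)))
    return dict(zip(ARG_NAMES, argv))


def sanitize(value, max_len=512):
    """Flatten a value to one line: newlines and other control characters
    become spaces, backslashes and quotes are escaped, long values are cut."""
    value = CONTROL_CHARS.sub(" ", value)
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    if len(value) > max_len:
        value = value[:max_len] + "...[truncated]"
    return value


def format_record(fields, when=None):
    """Render one audit line; the XML summary goes last because it is longest.
    'when' is seconds since the epoch (UTC); None means the current time."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when))
    parts = ['ts="%s"' % stamp]
    for key in ARG_NAMES[1:] + ARG_NAMES[:1]:
        parts.append('%s="%s"' % (key, sanitize(fields[key])))
    return " ".join(parts)


def main(argv, log_path=AUDIT_LOG):
    """Entry point used when Splunk runs the script; returns the record."""
    record = format_record(parse_alert_args(argv))
    with open(log_path, "a") as handle:
        handle.write(record + "\n")
    return record


if __name__ == "__main__":
    main(sys.argv[1:])
```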
Known Issues
- Pagination is not supported in a distributed search across more than one server. The Web GUI has been updated to alert the user of this if the user tries to navigate to a specific results page.
2.1.1 Release Notes
To install Splunk 2.1.1, see the Installation Manual for full instructions.
New Features
- The automatic update notice can be disabled.
- Splunk's command line can display License & Usage info.
- Splunk-2-Splunk discovered servers can be listed from the command line.
Resolved issues
- The multiple index pulldown menu has been restored.
- Hostname extraction for UDP syslog events will not truncate hostnames.
- Power users are able to create tags and rename sourcetypes without error.
- Adding an extra '/' in the index directory path will no longer cause problems.
- ODBC input now reads beyond the first 999 events on Oracle databases.
- Chained hosts in syslog events will now have the original hostname extracted correctly.
- Some Windows logs had been incorrectly classified as binary format. This is fixed.
- Saved Splunks with long search terms are now displayed properly in the Web interface.
- Under heavy server loads, search results will remain correctly sorted without affecting performance.
- Saved Splunks with spaces next to parentheses in their search terms, such as ( syslogd AND shutdown ), will work correctly.
- Setting the HTTP listening port to 0 disables the service, as intended by most admins.
- The Admin interface error "Unable to create initial Live Splunk" has been fixed.
- Live Splunks running a script as an alert action will now call the script when it resides in $SPLUNK_HOME/bin/scripts/.
Known Issues
- Solaris users should not attempt to migrate a 2.0 index to 2.1.1 using the native package installation. Use the tarball installation instead. Native package installation on Solaris works fine, as does updating from 2.1 to 2.1.1. Only 2.0 -> 2.1.1 migration of the index on Solaris requires the tarball installation. Follow the migration instructions.
- Migration of 2.0 indexes over 100 million events will not work. Follow the instructions for a parallel installation instead.
- Internet Explorer 7 users may see "can't connect to splunk.com" notices in the Splunk Web interface. This is because the automatic update notice does not work properly with IE7.
- Internet Explorer 7 users will have problems with Splunk-2-Splunk distributed search mode. Specifically, the host list does not appear properly on the main page of the Splunk interface. Toggling the host list dropdown a few times will not help. We are working on a fix.
- Some customers may find that their splunkweb process terminates abruptly. Use the shell command "splunk restart splunkweb" to restart the Web interface. If the problem recurs, set up a monitor process to watch and restart the splunkweb process (the built-in splunkmon command only monitors the splunkd process).
- Customers with thousands of .tar.gz files may experience slow performance. We are working on a fix or a workaround.
2.1 GA Release
For installation instructions see the Installation Manual.
If you have an existing Splunk 2.0 installation you wish to upgrade to 2.1, please see the migration instructions.
New Features since 2.0
Splunk-2-Splunk Distributed Search
Users can now search across multiple Splunk servers from a single web or command line interface.
Bundles
A simplified configuration format. Name-value pairs in stanzas replace the old XML structures to configure:
- Data inputs
- Processing properties
- Saved & Live Splunks
Bundles create portable, modular configuration. Bundles can be added to or removed from installations, just like Splunk modules. Modules add functionality through new processors or pipelines. If you create custom processor modules for Splunk, you can export their properties into bundles.
Configuration
All input modules, server settings, Splunk-2-Splunk setup, Saved & Live Splunks, and user accounts can be configured either via the GUI or from the command line. You can paste new licenses directly into the GUI. Configuration has been streamlined to be simpler and expanded to be more consistent across configuration areas.
Command Line
Splunk's command-line interface has been enhanced to match the UI nearly feature for feature, complete with built-in help. Command syntax has been made consistent across nearly all commands.
Other features
Search and Navigation
- The search language and GUI support relative as well as absolute time ranges.
- Hosts can be tagged, just like event types. For example, hosts web01, web02 and mail01 could all be tagged "production," while hosts mail01 and eng-smtp could be tagged "mail."
- Meta events can be based on transitive associations. For example, if Event A includes value X, Event B has values X and Y, and event C has value Y, all three events can be clustered in a meta event. This is useful for sendmail logs and other formats where two connected events may not share a common value, but are connected through a third.
- Report Splunk result sets have interactive segments.
- Live Splunk schedules can use relative start and end times, to create reliable reports despite latency in environments.
Processing
- Syslog headers can be stripped from events prior to source typing, multi-line merging and event typing.
- Events can be forked and indexed by different Splunk Servers based on specific content or patterns.
- Admins can tune down or turn off any stage of processing for any or all sources, sourcetypes and/or hosts to trade index richness for speed.
- Timestamps can be extracted from filenames.
- Data can be deleted from the index. An admin can use a search-like command - e.g. delete::sourcetype::syslog - to delete all data from any source, sourcetype, and/or host, optionally within a timerange. The data will no longer appear in search results, typeahead, or statistical summaries. The purpose of this feature is not to recover disk space, but to remove incorrectly indexed or duplicate data from appearing to users. It's an easy way to undo configuration mistakes.
Licenses
- In-product registration lets you buy or upgrade licenses.
- You can paste a new license into the GUI rather than editing the filesystem.
Help
- Built-in product help has been separated into its own pop-up page. Click the (i) buttons on the interface to pop open help.
- A Guided Setup feature helps admins with first-time configuration.
- Many error messages have been edited for clarity.
Resolved Issues since 2.1b2
- Browsing events by time now includes the day of the week.
- Many Live Splunk issues resolved.
- Setting seconds in time range no longer shifts the cursor focus.
- License strings with line break characters now work.
- The "splunk learn fields" command no longer returns errors.
- Internet Explorer users on Windows XP can set host tags.
- Configuration file entries for regular expression and linemerge attributes are no longer dependent on order.
- Splunk can now be bound to a specific interface by setting the Splunk environment variable SPLUNK_BINDIP to the IP address on which Splunk should listen.
- Browser back buttons now work with distributed searches.
- Sending syslog data over UDP to Splunk no longer truncates the host:: value to four characters.
2.1 Beta 2 Release Notes
WARNING: Don't Upgrade 2.0 Servers Yet
If you install 2.1b2 over a 2.0.x server, it may become unusable. Install it as a separate Splunk Server instance for now. These are the supported upgrade paths:
- 2.1b2 can be installed alongside 2.0.x, or over 2.1b1. See the Installation Manual for instructions.
- 2.1b1 can be upgraded to 2.1b2.
- 2.0.x will be able to be upgraded to the final 2.1 GA release later in October.
New Features
- Built-in product help has been separated into its own pop-up page. Click the (i) buttons on the interface to pop open help.
- Guided Setup still appears as a window-in-a-window. It has been revised to be simpler and faster than in Beta 1.
- A set of built-in Saved Splunks appears on the home page if the server has indexed data.
- The License section of the Admin controls has been simplified.
- Many error messages have been edited for clarity.
Known Issues
- Command line options do not specify which are only available with a Splunk Professional license.
- Splunk does not handle non-root permissions well, especially if installed as a package. Instructions on non-root installation and use will be posted before the 2.1 final release.
Resolved issues
Startup
- The server no longer mistakenly prompts to change port assignments when restarted.
Search Results
- Invalid SQL in a report::[] modifier returns an error message about the bad syntax rather than "No Events found."
- Setting a search's start time later than its end time returns a message about the time range rather than "No Events found."
Live Splunks
- Live Splunks now observe schedules correctly. Some ran too often in the Beta 1 release.
- Incorrect Next Run times displayed in the UI have been fixed.
- Bad links in alert times in the UI have been fixed.
Internet Explorer
- The Splunk-2-Splunk server pulldown list now displays correctly.
- The server list stays open during selection.
Splunk-2-Splunk
- Servers without a Splunk Professional license can now forward data to other servers. A Splunk Professional license is only required to receive data from other servers.
Other resolved issues
- The Data Inputs panel for Files & Directories now says "All" instead of "Overview."
- Export now writes data to file correctly.
- Creating a permalink does not affect further use of Saved Splunks in the same session.
- Non-admin users are no longer shown a message when the server needs to be restarted.
2.1 Beta 1 Release Notes
WARNING: Don't Upgrade 2.0 Servers Yet
Do not upgrade a 2.0 server with the 2.1b1 release. Use this beta release only to create fresh installations. The 2.1 GA final release will safely upgrade 2.0 servers.
To run both versions on the same server, see the Installation Manual for instructions to install the beta release in a different directory.
New Features
Splunk-2-Splunk Distributed Search
Users can now search across multiple Splunk servers from a single web or command line interface.
Bundles
A simplified configuration format. Name-value pairs in stanzas replace the old XML structures to configure:
- Data inputs
- Processing properties
- Saved & Live Splunks
Bundles can be added or removed from installations, just like Splunk modules. Bundles create portable, modular configuration. Modules add functionality through new processors or pipelines. If you create custom processors for Splunk, you can expose properties for their behavior that can be configured in bundles.
Configuration
All input modules, server settings, Splunk-2-Splunk setup, Saved & Live Splunks, and user accounts can be configured either via the GUI or from the command line. You can paste new licenses directly into the GUI. Configuration has been both expanded and streamlined to be simpler and more consistent across configuration areas.
Command Line
Splunk's command-line interface has been greatly expanded to nearly match the UI feature for feature, complete with built-in help. Command syntax has been made consistent across nearly all commands.
Other features
Search and Navigation
- The search language and GUI support relative as well as absolute time ranges.
- Hosts can be tagged, just like event types. For example, hosts web01, web02 and mail01 could all be tagged "production," while hosts mail01 and eng-smtp could be tagged "mail."
- Meta events can be based on transitive associations. For example, if Event A includes value X, Event B has values X and Y, and Event C has value Y, all three events can be clustered in a meta event. This is useful for sendmail logs and other formats where two connected events may not share a common value, but are connected through a third.
- Report Splunk result sets have clickable segments.
- Live Splunk schedules can use relative start and end times, to create reliable reports despite latency in environments.
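The transitive association described in the meta events bullet above (and in the 2.1 GA notes) amounts to union-find over the values each event carries. The following is an added example, not Splunk's code: it extracts sendmail queue IDs and message IDs from constructed log lines and clusters events that share a value directly or through a chain of other events. The queue-id pattern, the msgid pattern and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sendmail-style lines (not from the original page). Events 0 and 1
# share queue ID k3D3041a000201; events 1 and 2 share k3D3042b000777; events 0
# and 2 share nothing directly. Event 3 is an unrelated message.
SAMPLE_LOG = [
    "Apr 13 03:04:01 mail01 sendmail[201]: k3D3041a000201: from=<alice@example.com>, size=1234, msgid=<m1@example.com>",
    "Apr 13 03:04:02 mail01 sendmail[202]: k3D3041a000201: to=<bob@example.org>, relay=mx.example.org, stat=Sent (k3D3042b000777 Message accepted)",
    "Apr 13 03:04:03 mail01 sendmail[203]: k3D3042b000777: to=<bob@localhost>, delay=00:00:01, stat=Sent",
    "Apr 13 03:05:00 mail01 sendmail[204]: k3D3050c000999: from=<carol@example.net>, size=99, msgid=<m9@example.net>",
]

# Assumed value patterns: a 14-character sendmail queue ID and a msgid header.
QUEUE_ID = re.compile(r"\bk[0-9A-Za-z]{13}\b")
MSG_ID = re.compile(r"msgid=<([^>]+)>")


def extract_values(line):
    """Return the set of association values found in one log line, prefixed
    by kind so a queue ID can never collide with a message ID."""
    values = set("qid:" + q for q in QUEUE_ID.findall(line))
    values.update("msgid:" + m for m in MSG_ID.findall(line))
    return values


def cluster_events(event_values):
    """event_values: list of value sets, one per event (index = event id).
    Returns sorted lists of event ids; events that share a value, directly or
    through a chain of intermediate events, end up in the same cluster."""
    parent = list(range(len(event_values)))

    def find(i):
        # Path-halving union-find lookup.
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)

    first_seen = {}  # value -> first event id that carried it
    for eid, values in enumerate(event_values):
        for value in values:
            if value in first_seen:
                union(eid, first_seen[value])   # transitive link
            else:
                first_seen[value] = eid

    clusters = defaultdict(list)
    for eid in range(len(event_values)):
        clusters[find(eid)].append(eid)
    return sorted(clusters.values())


def meta_events(lines):
    """Cluster raw log lines into meta events by transitive association."""
    return cluster_events([extract_values(line) for line in lines])
```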
Processing
- Syslog headers can be stripped from events prior to source typing, multi-line merging and event typing.
- Events can be forked to be indexed by different Splunk Servers based on specific content or a pattern.
- Admins can turn off or tune down any stage of processing for any or all sources, sourcetypes and hosts to trade index richness/metadata for speed.
- Timestamps can be extracted from filenames.
- Data can be deleted from the index. An admin can use a search-like command to delete all data from any source, sourcetype, and/or host, optionally within a timerange. The data will no longer appear in search results, typeahead, or statistical summaries. The purpose of this feature is not to recover disk space, but to remove incorrectly indexed or duplicate data from appearing to users. It's an easy way to undo configuration mistakes.
Licenses
- In-product registration lets you buy or upgrade licenses.
- You can paste a new license into the GUI rather than editing the filesystem.
Help
- GUI-guided initial setup.
- Overhauled in-product help with floating Quick Reference page.
Known Issues
These are sorted roughly in descending order of severity. Please don't hesitate to report further issues to support@splunk.com.
Index issues
- Stopping or restarting the server may cause some data to be dropped. This will definitely be fixed before the 2.1 GA release!
Server-side issues
- If the Splunk Server is on a host that returns a null Unix hostname, the Splunk Server may not run.
- Saved Splunks sometimes cannot be saved in the free Splunk Server.
- Shared Saved Splunks do not always get shared or un-shared properly.
- The shell command "splunk stop" or "splunk restart" doesn't always completely shut down the splunkd daemon. Use kill -9 if it is still running after a minute or two.
- Setting the free disk space margin below 1GB can cause index damage.
- You cannot specify "NOT server::web01" or Alt-click to remove a server from results. The search runs but results are not as expected.
Cross-browser UI issues
- There may be some uncaught SOAP exceptions remaining in the admin area. If the Splunk web interface throws an exception to its twistd app server, you'll get what looks like a core dump in your browser window. Please report any error screens to Splunk Support.
- The web interface has many new administrative capabilities. Some of them require a restart. In most cases the interface displays a restart message, but there are some instances where it may not.
- You can edit some Splunk Professional settings with the default free license. They won't work.
- Saved and Live Splunks with spaces in their names don't show up in typeahead. They do work.
Firefox UI issues
- Switching to the Admin section while the interface is loading can occasionally crash Firefox.
Internet Explorer UI issues
- Wrapped results don't display properly.
- Clicking on values in tabs doesn't work.
- The server drop-down menu for distributed search displays oddly and can be hard to select.
- Some redraw issues.
Command line issues
- The command line command "splunk start" displays the URL of the web interface. It uses the hostname local to the Splunk Server. This may not work if DNS is not configured on the Splunk Server host.
- Live Splunks cannot yet be created from the command line, but this is close to being fixed.
Splunk-2-Splunk issues
- You need to restart for Splunk-2-Splunk data forwarding to take effect, but the UI does not tell you.
- Splunk-2-Splunk forwarding is configured outside of the bundle system. Configurations made in the beta 1 release will not survive upgrades to later releases.
- Network port inputs set source::tcp:10.4.99.11:514 instead of source::tcp:514, which prevents search across port 514 on all servers.
Help issues
- The in-product Quick Reference does not yet show all new 2.1 search commands.
- Guided Help does not always display the help page for your current state.
- Guided Help shows you the registration form instead of the current license on the current license step. Click Admin -> Licenses & Usage -> Current License to see the current information.
Release Notes Archive
Version 2.0.15
Resolved Issues
- Relative search times now work with Live Splunks. For example, if you use daysago:: in a Live Splunk, it will always search relative to its run time.
- Searches with mismatched parentheses now fail gracefully.
- Fixed various memory use issues.
Version 2.0.14
Resolved Issues
- Power users can now modify their Saved and Live Splunks.
- Fixed memory leak issues present in 2.0.12.
- Improved stability of TCP connections.
- Added support for displaying extracted metadata segments.
- Live Splunk mailer script now works on every platform.
- Added support for running Splunk on a separate partition from the Splunk DB.
Version 2.0.12
Resolved Issues
- Extracted meta data values in results are now clickable.
- Slow TCP connections no longer hold up the processing of other TCP inputs.
- Adding a separate batchfile directory during installation now works correctly.
- Selecting a non-default index location during installation now works correctly.
- The syslog input module had a typo in its default configuration; this is fixed.
- Permalink behavior has been improved to stay in sync with the current state of the UI.
- Running the splunk command without arguments no longer returns errors on Solaris.
- It is now possible to specify both first and last line markers for multi-line events.
- The Live Splunk alert script passes more variables.
- FreeBSD memory management issues have been eliminated.
Version 2.0.11
2.0.11 was an early build of 2.0.12 for a few customers. It contained some of the fixes in 2.0.12.
Version 2.0.10
Resolved issues
- splunkd now closes its own data files properly on shutdown, so they require no repairs when it restarts.
- The command-line search now works beyond the first 100 events. Below are some example commands.
# splunk search smtpd
# splunk search smtpd events::1-2000
# splunk search smtpd events::9000-10000
- Linux and Solaris versions now create backtraces if splunkd crashes.
- Splunk raises its file descriptor limit to 1024 when possible.
- Show Source now displays all event types properly.
Version 2.0.9
Resolved issue
- splunkd no longer logs INFO level events to its own splunkd.log file. It now only logs WARN and higher level severity events. This prevents Splunk from consuming excessive disk space at problem-free installations.
Version 2.0.8
New Features
- Splunk now supports the Solaris x86 platform.
Resolved Issues
- Tabbed UI rendering is faster.
- Splunk Professional will shut down gracefully if its license expires.
- Events by Time sections with more than 10,000 events and zoomed-out Events by Time views now render correctly.
- A backtrace utility automatically generates stack traces if Splunk crashes.
- Splunk now rejects fields that look like timestamps but can't be correct, such as 1-12-2013.
- The common log message "Unable to break sourceString into file and directory" is now severity level INFO instead of WARN.
Version 2.0.7
New Feature
- Splunk automatically recognizes Nagios log files and categorizes them as sourcetype::Nagios_log.
Resolved issue
- Splunk had mistakenly presumed all files matching certain pathnames such as /var/log/ftp.log.0* were text logfiles. It now checks explicitly for .gz, .tar and other extensions in all paths.
Version 2.0.6
Resolved Issues
- Results of searches with the report:: operator are now displayed correctly.
- The Data Inputs displays for Batch Files and Tail Files have been restored to the Web interface.
Version 2.0.5
New Features
- A single regular expression statement in overlay-regex-props.xml can now create multiple extractions.
- Users can change or remove portions of events (for example, remove all Social Security numbers from events) before they are indexed by configuring properties in overlay-props.xml and overlay-regex-props.xml. This previously required a custom processor.
Resolved Issues
- Solaris shutdowns caused by splunkd exceeding Solaris' file handle limit have been eliminated.
- Web sessions now time out after one hour instead of 10 minutes.
- Saved Splunks may now include the ampersand (&) character.
- Command-line errors on Solaris have been fixed.
- Empty files are no longer classified as binary.
- Files that begin with a newline are no longer automatically classified as binary.
- The search interface now remains stable if splunkd goes down or gets shut down.
- Toggling between Show and Hide Events by Time no longer resets the search.
- When searching in a non-default index, the index:: search term now persists after refresh.
- Resolved an error that caused Automatic Update Alerts not to be displayed.
- Resolved several issues with typeahead in the search interface, including multiple highlighting of entries.
- Mac OS X Splunk instances forwarding data will now continue to work after the receiving Splunk instance is stopped and restarted.
- The search interface now renders better on Firefox.
- The upload button now renders correctly on IE6.
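The 2.0.5 fixes above (empty files and files beginning with a newline are no longer treated as binary) and the 2.0.7 fix (compressed extensions such as .gz and .tar are checked explicitly rather than presumed text by pathname pattern) describe a source classifier. The following is an added illustration of such a classifier, not Splunk's code; the .gz/.tar extension list, the 8 KiB sample size and the 30% control-byte threshold are assumptions.

```python
"""Source classifier of the kind the 2.0.5 and 2.0.7 fixes describe (added example)."""
import codecs
import gzip
import os

COMPRESSED_EXTENSIONS = {".gz", ".tar"}     # assumption: only the extensions the notes name
GZIP_MAGIC = b"\x1f\x8b"                    # first two bytes of every gzip member
TAR_MAGIC_OFFSET, TAR_MAGIC = 257, b"ustar"  # POSIX tar header magic
TEXT_CONTROL = frozenset(b"\t\n\r\x0b\x0c")  # control bytes that are normal in text
SAMPLE_SIZE = 8192                           # assumption: bytes inspected per file
CONTROL_RATIO_LIMIT = 0.30                   # assumption: illustrative threshold


def has_compressed_extension(path: str) -> bool:
    """True if a compressed extension sits before any trailing rotation suffix.

    /var/log/ftp.log.0 -> False, /var/log/ftp.log.1.gz -> True, backup.tar -> True.
    """
    rest = path.lower()
    while True:
        rest, ext = os.path.splitext(rest)
        if ext in COMPRESSED_EXTENSIONS:
            return True
        if not ext or not ext[1:].isdigit():   # stop unless this was a .0/.1/... suffix
            return False


def has_compressed_magic(sample: bytes) -> bool:
    """Content check, so a compressed file with a plain log name is still caught."""
    if sample.startswith(GZIP_MAGIC):
        return True
    return sample[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC


def looks_binary(sample: bytes) -> bool:
    """Heuristic over the first SAMPLE_SIZE bytes of a file."""
    if not sample:
        return False                        # empty file: not binary (2.0.5 fix)
    body = sample.lstrip(b"\r\n")           # leading newlines: not binary (2.0.5 fix)
    if not body:
        return False
    if b"\x00" in body:
        return True                         # NUL bytes do not occur in text logs
    try:
        # final=False tolerates a multi-byte character cut off by the sample boundary
        codecs.getincrementaldecoder("utf-8")().decode(body, final=False)
        return False                        # valid UTF-8, so non-ASCII logs stay text
    except UnicodeDecodeError:
        pass
    control = sum(1 for b in body if b < 0x20 and b not in TEXT_CONTROL)
    return control / len(body) > CONTROL_RATIO_LIMIT


def classify(path: str, sample: bytes) -> str:
    """Return 'compressed', 'binary' or 'text' for a source, checking name and content."""
    if has_compressed_extension(path) or has_compressed_magic(sample):
        return "compressed"
    return "binary" if looks_binary(sample) else "text"


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the release notes mention.
    samples = {
        "/var/log/ftp.log.0": b"Jan  1 00:00:01 host ftpd[123]: connection from 10.0.0.5\n",
        "/var/log/ftp.log.1.gz": gzip.compress(b"rotated\n"),
        "/var/log/rotated.log.2": gzip.compress(b"misnamed but compressed\n"),
        "/var/log/empty.log": b"",
        "/var/log/leading-newline.log": b"\n\nJan  1 00:00:02 host app: started\n",
        "/var/log/utf8.log": "Jan  1 00:00:03 host app: größe=5 €\n".encode("utf-8"),
        "/var/log/core": b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)),
    }
    for path, data in samples.items():
        print(f"{path:32} -> {classify(path, data[:SAMPLE_SIZE])}")
```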
Version 2.0.4
Resolved issues
- Addressed a problem on very large indexes of homogeneous events. It caused some customers to see results with empty event text and incorrect dates.
- Regular expressions in overlay-props.xml now work as documented.
- New user accounts have their creation logged to file correctly.
- The Upload button renders correctly on Internet Explorer.
- Sendmail timestamp parsing problems have been fixed.
- Better event typer performance.
Version 2.0.3
Resolved Issues
- Resolved a problem indexing large amounts of homogeneous events.
- Minor UI fixes.
- All NOT queries are supported.
- Improved timestamp recognition.
- Improved browser rendering in IE.
- Scrolling issues in GUI have been fixed.
- All source types now show up in typeahead.
- Various Time Range GUI bugs have been fixed.
- Timestamps for Cisco syslog data are more accurate.
- Errors on the Admin page now have proper error icons.
- Mac rendering bugs for the anonymizer have been fixed.
- Live Splunk emails can now include Report Splunk output.
- Host name recognition in Cisco syslog events is improved.
- Passwords can now contain non-alphanumeric characters.
- Events loaded through FIFO no longer repeat the last line.
- Browser slowness with deeply nested event segments fixed.
- The command "splunk batch index" is now recognized properly.
- Rolling indexes in multiIndexer.xml now works as documented.
- Single-character search queries such as "a" are now supported.
- Indexing performance is faster, especially regular expression matching.
- Links from the GUI to Splunk Web pages now load in a separate window.
- Splunk recognizes files that it has already indexed if it encounters them again.
- Added the hot key Ctrl-M (Cmd-M on a Mac) for showing and hiding event metadata.
- De-anonymized events are posted correctly (that is, not anonymized) to Splunk Base.
- Splunk Server templates are now in their own subdirectory, etc/myinstall/splunkdtemplates.
- The banner on the Splunk Server home page no longer displays 404 errors if it cannot reach splunk.com.
- Hosts, sources and sourcetypes on Splunk's home page now have the same tooltips that they each have in search results.
- Creating a Saved Splunk with the same name as an existing one no longer creates a duplicate. Instead, it will prompt whether or not to delete the existing version.
Version 2.0.2
Resolved Issues
- After cleaning an index, you can now re-index the same original files without Splunk mistaking them for duplicates.
- Timestamps in TCP and Splunk-2-Splunk input statistics now have formatted dates instead of seconds since the epoch.
- splunkd.xml templates have been moved into their own etc/splunkdtemplates directory to prevent confusion.
- The installer will not stop a running Splunk Server without prompting first.
- Frozen db files are now handled properly for rotation and expiration.
- Eliminated "control reaches end of non-void function" log entries.
- Many minor, non-destructive UI bugs fixed.
Version 2.0.1
Resolved Issues
- Malformed events in some results have been fixed.
- Syslog regular expression extraction is more precise.
- Tailfile module now defaults to configured host:: values instead of "localhost".
- Home page displays full counts for Hosts, Sources and Source Types immediately.
- Mac OS X installer now prevents users from installing two conflicting versions in /opt/splunk.
- An upgrade to a previous installation correctly backs up the etc subdirectory to etc.bak on all platforms.
- Typeahead will now wait up to 10 seconds for results from the server if the user chooses to wait for it. It will not hang.
Version 2.0
New Features
- Splunk-2-Splunk distributed input and processing enables Splunk instances to send data to other Splunk Professional instances for distributed data access and higher indexing performance.
- Single installer for the free Splunk Server and Splunk Professional; can change an installation from one to another with just a license file replacement.
- The installer allows you to configure Splunk-2-Splunk and data inputs.
- The bin/splunk command line interface has been expanded to allow you to view and configure data inputs without editing XML.
- Configuration file paths, pipeline names, command-line options, and XML tags now follow new Splunk naming standards. Many module names, paths, and tags have changed.
- A redesigned web interface makes Splunk much more intuitive and easy to use.
- The Splunk Server home page now allows you to view all hosts, sources and sourcetypes in your index sorted by either most recent or most events.
- There are new results display preferences allowing you to toggle between showing and hiding event metadata and various segment selection options.
- You can view status and set up many data inputs via the web interface.
- Report Splunk results are now shown in a clean tabular layout and can be exported to csv.
- Results can be attached to Live Splunks as attachments.
- The report:: operator is accessible from the command-line search tool and SOAP as well as the browser interface.
- Search results can be exported to csv.
- Splunk Base has been expanded significantly.
- Users can create their own Splunk Base wiki pages on any IT or Splunk topic in addition to the current wiki pages on event types and source types.
- Users can start discussions associated with any Splunk Base wiki page.
- Splunk's support forums have been migrated to the new Splunk Base wiki and forum capabilities.
- Splunk Base's wiki editing capabilities have been expanded with new features such as the ability to embed example Splunks that can be tried by other users with a single click.
- Integration with Nagios allows Splunk to be monitored by Nagios, send Live Splunk alerts to Nagios, and be launched from Nagios alert emails.
- Splunk for CA Unicenter NSM, an add-on module, allows Splunk to be launched from the NSM console and index NSM events.
- Binary file checking can be disabled for specific sources, allowing them to be indexed.
- The internal routing of data has been greatly simplified with a new universal pipeline that handles all kinds of data from all input modules.
- Splunk sets its processing parameters, such as multi-line merging (aggregation) settings, custom typers, etc., centrally based on the source type, host and source of incoming data, rather than requiring an admin to configure these settings for each input.
- The new savedsplunk:: modifier lets Saved Splunks be referenced in searches and combined with other terms.
- Search typeahead includes all search language elements, such as hoursago::.
- Customizable meta events can combine separate events linked by a common value into a single searchable entity. Events of source type sendmail are automatically summarized into meta events; other meta events can be configured.
- The new ODBC input module will read data directly from ODBC-compliant databases on a network.
- There is a separate module predefined for each unique sourcetype that would come in via built-in input processors, i.e. a separate input module for distributed Splunk input, log4j, and other raw TCP even though they all use the same TCP input processor.
- Pressing the stop button in the browser, pressing Ctrl-C on the command line, or starting another search from the same browser cancels the execution of the previous search in splunkd.
- All metadata can be exported and imported between Splunk instances and versions including users, saved splunks, live splunks, tags, sourcetype renames, extracted report:: fields.
- TCP and UDP input are now available in both Splunk Professional and Splunk Server.
Resolved Issues
- minFreeSpace now works as advertised to control disk space usage.
- Internet Explorer 6.0 users can now logout cleanly.
- The syslog input module correctly sets 24-hour format timestamps.
- The syslog input module translates IP address to hostname correctly.
- TCP input module properly handles receiving data from multiple hosts.
- Resolved crashes with certain search terms.
- Searches will only run for a predetermined time rather than running indefinitely.
- Multiple stability issues fixed.
- waitForFileToCopy script now executes properly on Solaris.
Supported Platforms
- Linux all flavors 2.4+ kernel
- Mac OS X 10.4 / PPC & x86
Incompatibilities
- Saved Splunks that use count:: must be edited to use maxresults::.
- Saved Splunks that use domain:: must be edited to use index::.
- Report:: is now available only in Splunk Professional.
- All input module configuration files have changed to take advantage of the universal processing pipeline. Old configurations will not work.
- Custom processors use a new syntax - all pData objects are now passed by reference. See the Developer Manual for an example.
More detail on 2.0 features will be posted throughout the week of May 15th.
Version 1.2.5
- Splunk now allows you to index files that contain more non-ASCII characters.
- The bash shell has been replaced with sh in scripts for better cross-platform support.
- The directory monitor provides more detailed reporting of untar and ungzip errors.
- Timestamps of the form YYYYMMDDHHMMSSSS are now supported.
- Directory monitor picks up all files after restart.
- Improved stability of show source.
- A minor bug that caused typeahead to occasionally miss some events has been fixed.
- The Directory Monitor will now skip over open files in a directory and continue loading others.
- All truncated lines in very long (> 10,000 bytes) events now get a meta::truncated descriptor.
- Splunk Professional's TCP input pipeline (distributed) can now read lines longer than 10,000 bytes.
- Splunk's FreeBSD version now correctly handles open files in the directory monitor's sinkhole.
Version 1.2.4
- Improved stability on the Solaris platform.
- Improved stability on indexes larger than 50 GB.
- Windows event types are now classified much more reliably.
- The splunk anonymize command now runs without a path error.
- Timestamps of the form X:20060321012055.753 are now recognized.
- Files indexed through the log4j modules now appear on Splunk's home page.
- Only the first 1,000 segments of each event are displayed, to prevent long delays rendering the results page in the browser window.
- A URLDecoderProcessor is available to break encoded URLs - those that use %26 instead of & to meet XML standards - into individual segments.
- Events longer than 10,000 bytes are now indexed correctly and completely. Only the first 100,000 bytes will appear onscreen in Splunk results, separated every 10,000 bytes by a line break and the descriptor meta::truncated. You can, however, Splunk for segments anywhere within the entire event. You can also Splunk for meta::truncated as you do for meta::all.
Version 1.2.3
- Splunk Professional ships with a log4j module and a corresponding splunkAppender.jar appender for use on J2EE servers.
- New Splunk users on Internet Explorer will no longer see an accidental error message.
Version 1.2.2
- Event type assignments are more exact. Events of the same type are much less likely to be misclassified into separate types.
- splunkd recovers index data better when restarted after an abrupt termination or incomplete shutdown.
- Splunk can now index events that have more than 10,000 characters in a single line.
- Splunk's verifyconfig command now handles zero-length XML files without error.
- Splunk Professional ships with a log4j appender for use on J2EE servers.
- The installer now shuts down splunkd before updating a prior installation.
Version 1.2.1
- Splunk keeps its index optimized automatically. This eliminates the need to manually optimize the index for any reason.
- A generic syslog source type has been added to Splunk's set of built-in known source types.
- Splunk Professional usernames can no longer be changed, either accidentally or intentionally.
- The fifoInput and sysloginputprocessor modules now extract host:: values from events correctly.
- The directory monitor's regular expression parsing of parentheses is much better.
- The fifoInput module now extracts sourcetype:: values from sources correctly.
- User interface rendering issues with Internet Explorer have been fixed.
- The Splunk Assistant now floats correctly over all other interface elements.
- Shift-clicking an item no longer highlights other text on the page.
- The splunk train command once again works as documented.
- Live Splunks can no longer be created without a name.
- A Mac OS X beta version is available.
Version 1.2
Incompatibility
- Solaris versions 1.2 and later cannot read indexes created with versions prior to 1.2. You will need to run the splunk clean command on your 1.1.x index before updating to 1.2 or higher. This will permanently erase all of your indexed data, user info, saved and live splunks, event type tags and global ids, and custom source type names.
Documentation Changes
- The new Splunk Installation Guide replaces the old Splunk Quick Start Guide.
- The Splunk Tutorial is now in the Splunk User's Guide.
Installation Improvements
- Splunk 1.2 can be installed over prior versions. It will retain all indexed data, user accounts, Saved and Live Splunks, event type tags, custom source type names, and your Splunk Professional license key. It backs up the previous version's XML configuration files so your customizations aren't lost.
- Multiple instances of Splunk can run on the same host.
- Non-root users can install and run Splunk in non-privileged directories, such as their home directories.
New Features for Users
- The new Splunk Assistant guides new users through basic Splunking.
- The main index of user-loaded data is now called main instead of default.
- Splunk Base has expanded user profiles and easier tagging.
- The new report:: operator adds structured reporting. It supports SQLite syntax, but there's no relational database to bog things down at the back end. You can use functions like count, min and max on your Splunk results and save report files to your desktop.
New Features for Administrators
- Splunk automatically tags event types as it loads them, using a set of predefined tags. You can then add, edit or delete tags to fit your needs.
- The new syslog module for Splunk Professional emulates a syslog daemon. It listens on port 514 (or whichever port you configure), receives syslog events via UDP, and indexes them into Splunk Professional.
- The new distributed module for Splunk Professional listens on a TCP port. It lets Splunk index log4j and other TCP socket sources directly, rather than requiring them to be written to a file first.
- Improved time zone (or timezone, if you prefer) handling for US time zones is more automatic and easier to configure. International improvements are coming soon in an update.
- The command-line interface (CLI) includes several new or improved commands.
- The old splunk clean command has been replaced with more specific options to remove indexed data, index metadata (tags, event types, source types) or user info (accounts, Saved Splunks) separately.
- The new verifyconfig command checks Splunk's configuration files for proper XML syntax without starting the server.
- The new learn-dates command lets you specify timestamp formats by example.
- The new learn-fields command lets you specify fields to be created in Splunk results on the fly, for use with the new report:: operator.
- New commands let you create additional indexes in Splunk Professional, and manage indexes individually.
- You can change the default index in Splunk Professional from the main index (formerly called default) to any user-created index.
- The new findlogs command will search for indexable logfiles on your Splunk host.
New Features for Developers
- The all-new Splunk Developer's Guide explains how to extend Splunk through CLI, SOAP, REST, CSS and XSLT, custom Python or C++ processors, and custom configuration modules.
- Splunk modules can define meta-events that summarize data gleaned from multiple events. For example, a meta-event could list every recipient for a mail message transaction that sendmail logs as separate delivery attempts for each recipient.
- Splunk modules can insert custom processors ahead of or behind those in Splunk's universal dynamicautogeneric pipeline. This lets developers add custom processing that won't be disabled by upgrade releases to the universal pipeline.
Version 1.1
Version 1.1 updates many features - Live Splunks, search history, syslog event processing, multiple index support, file export - with improvements suggested by customers. Our online Splunk Base service has been significantly expanded, too.
In the process we've also reduced the index size for both Splunk Server and Splunk Professional from 3x to 1.2x that of the raw data, and boosted index performance.
User Interface & Search
- Splunk command line tool lets you perform searches from a Unix shell or from within a script.
- Personal user histories on Splunk Professional can be searched by user. Searches in the history can be re-run by clicking on them.
- Export filenames for search results include identifying info about their contents in the filename.
- Many subtle UI improvements make the splunkSearch browser interface more intuitive.
Indexing
- Index size reduced from 3x to 1.2x the size of the data indexed.
- Index performance increased.
- Syslog events identify the originating host for remote events.
Splunk Base
- Source Types are associated with event types.
- Check splunk.com no longer requires users to upload their data to Splunk Base to look up tags and descriptions for specific event types.
- The Anonymizer has an improved UI and greater flexibility.
- SplunkBin handles multi-line events in data samples.
- Tags can be edited at Splunk Base as well as locally.
- Users can subscribe to notifications about updated event type info.
- Export function lets users export Splunk Base entries by tag, user, or source type.
- User profile pages include links to contributions and optional personal info.
Splunk Sync
- Support for Solaris, SuSE and other Linux distros improved.
Administration
- Server-side commands include splunk test and splunk restore for troubleshooting.
- Indexing statistics are displayed in more detail.
- Live Splunk notifications pass search results and other parameters to the notification script.
- New anonymizer command-line tool replaces usernames, IP addresses and other identifying info in event samples to protect privacy and security in shared data.
- Export / Import tool migrates event type and source type information between Splunk installations.
Installation & Configuration
- Improved installer program has fewer steps and automates more of configuration.
Version 1.0.2
- FreeBSD support for the Splunk Server.
- Tabbed results list event types, tags, source types, hosts and sources in descending order with graphic plot when opened.
- Check splunk.com link replaces Look up @ splunk.com .
- New User button and Create Splunk button added to Admin interface.
- History search added to built-in Saved Splunks menu.
- Server can be configured to ignore files with specific filename patterns.
- Clicking the Splunk logo resets all search parameters.
- Opera 9 preview works fairly well. Click Cancel on the "unsupported" dialog to use it.
Version 1.0
Splunk Professional
A premium edition for production IT environments. It includes several features beyond the free Splunk Server.
- Splunk Sync: centralized, secure configuration and collection of remote logs from production Unix and Windows servers.
- Live Splunks: scheduled, configurable execution of saved splunks. Notification via shell command, email and RSS.
- My Splunk: unlimited individual user accounts with user, power user, and admin roles. Individual history and settings.
- Multiple indexes: keep data from different environments, applications or customers in separately searchable indexes on the same Splunk Server host and interface.
User Interface & Search
- Improved usability of home page and search box layouts.
- Tabbed interface with summaries by event type, tag, source, source type, and source host replaces single pane of search tools.
- Significantly faster UI performance.
- Vastly expanded search language.
- Searchable history of splunks, saved as events by the server.
- Splunk Professional adds a separate history for each user.
- Search results can be exported to a file and optionally opened in an application.
- Search language supports standard Boolean AND, OR and NOT operators, plus nested logic. ( foo NOT ( bar OR baz ) )
- Number of results can be limited with count:: for faster searches.
- Unique, searchable ID displayed for each event in the index.
- Searchable source host displayed for each event.
- Source types can be renamed in the UI. (rename unknown-2109263245 to ssl_request_log )
- GUI can be skinned via CSS.
- XSLT plug-ins for custom display of specific results.
- New admin page for server statistics.
- Splunk Professional admin pages to manage users, Saved Splunks, Live Splunks, and license key.
Indexing
- Vastly improved event aggregation, typing, and timestamp discovery for key J2EE, database, web server, VoIP and network data formats.
- Ability to configure processing parameters for specific source types to improve both accuracy and performance.
- Pre-trained recognition of nearly 40 popular data formats as source types.
- Unrecognized source types, like unrecognized event types, are given unique numeric IDs that can be customized with local names.
- Timezone and drift normalization for each source host. Host is now a searchable descriptor.
- Regular expression support for event typing.
- GUI can upload local files from desktop through the browser.
- Event typing can be configured differently for different sources.
Installation and Configuration
- Installer can be re-run later as a configuration tool to change settings.
- Memory and disk usage parameters have been normalized to use megabytes, replacing a mix of bytes and kilobytes.
Supported Platforms
- Linux support is extended to all 2.6+ kernel distros and all 2.4.2+ distros with NPTL.
- Solaris 8, 9, and 10 for SPARC.
- FreeBSD and Mac OS X builds in late November.
Beta 4b
- Internet Explorer 6 for Windows is now supported.
- Columns on the front door of the search interface have been reordered.
- You can select one or more individual parts of an email address, hostname, pathname, and other terms in search results by mousing over them.
- Events by Type tool has been split into Events by Type and Events by Tag.
- Events by Sourcetype tool has been merged into Events by Source.
- New generic-regagg pipeline improves aggregation of multi-line events.
Beta 4
This release includes many major changes from Splunk Server 1.0 beta 2. Private beta testers should read carefully.
Installation, Platforms & Packaging
- New installer that supports graphical and commandline installation, guides you through initial configuration, and sets up both Splunk and all packaged 3rd party dependencies in a single step (RPMs are still available for RedHat and Fedora platforms only)
- New platform support (Solaris 8 currently available, other additions to be posted shortly)
- The default installation path has been changed from /opt/local/ to /opt/splunk/
User Interface & Search
- Vastly improved UI design and interaction
- UI scales better to both smaller and larger screens
- New Splunk Server home page with shortcuts to common searches, processing statistics, and documentation
- Saved Splunks accessible on home page
- Events summarized by sourcetype as well as source
- Inverted mode turns interface black instead of white
- Tags replace eventtype names
- Type descriptor replaced by more specific eventtype descriptor
- Improved timerange controls are more intuitive
- Timerange values not shown in search box to reduce confusion
- Global tools provide 1-click search for specific sources & sourcetypes
- Soft wrap option fits search results into screen space
- Many search language refinements
- New meta::daysago and meta::hoursago descriptors
Configuration & Administration
- Extensive configuration file cleanup with improved inline examples and guidance
- Directory monitor now requires one (and only one) sinkhole directory
- Bugs in splunkcopy and splunksym are fixed, instructions clarified as well
- Syslog and other modules are now able to work more easily with directory monitor & tailing processor; configuration instructions have changed
- Sourcetype can be set explicitly for files that are directed to the tailingprocessor, or explicitly sent to a pipeline via a substitutions.xml file
Performance
- Significant indexing performance improvements
Splunk Service
- Splunk Service integration to look up specific event types against tags and descriptions posted by the community
- Log anonymization technology that Splunk is about to release via GPL
Indexing & Data Processing
- Eventtype granularity is better aligned with semantics for many sources including Apache, Asterisk VoIP call detail logs, syslog, and sendmail
- Improved segmentation behavior
- Many resolved issues recognizing and normalizing timestamps
- Unexpected descriptor improved; now considers term frequencies
Other Resolved Issues
- Resolved issues with searching by source and sourcetype
- Improved count accuracy for terms in typeahead
- Typeahead will not reveal terms in database before successful login
- Directory monitor looping problems fixed
Documentation
- Administrative tasks documented from customer experience