This is not current Splunk documentation.
Splunk 3.4.1 is the latest version. Only use this page with older Splunk 2.0.x.
Splunk Release Notes (Splunk v2.0)
Versions
Version 2.0
Splunk 2.0 keeps all the functionality of Splunk 1.2 and adds many new features.
More detail on 2.0 features will be posted throughout the week of May 15th.
New Features
- Splunk-2-Splunk distributed input and processing enables Splunk instances to send data to other Splunk Professional instances for distributed data access and higher indexing performance.
- Single installer for the free Splunk Server and Splunk Professional; can change an installation from one to another with just a license file replacement.
- The installer allows you to configure Splunk-2-Splunk and data inputs.
- The bin/splunk command line interface has been expanded to allow you to view and configure data inputs without editing XML.
- The configuration files and paths, pipeline names, command-line options, and XML tags implement new Splunk language standards. Many module names, paths, and tags have changed.
- A redesigned web interface makes Splunk much more intuitive and easy to use.
- The Splunk Server home page now allows you to view all hosts, sources and sourcetypes in your index sorted by either most recent or most events.
- There are new results display preferences allowing you to toggle between showing and hiding event metadata and various segment selection options.
- You can view status and set up many data inputs via the web interface.
- Report Splunk results are now shown in a clean tabular layout and can be exported to CSV.
- Results can be attached to Live Splunks as attachments.
- The report:: operator is accessible from the command-line search tool and SOAP as well as the browser interface.
- Search results can be exported to CSV.
- Splunk Base has been expanded significantly.
- Users can create their own Splunk Base wiki pages on any IT or Splunk topic in addition to the current wiki pages on event types and source types.
- Users can start discussions associated with any Splunk Base wiki page.
- Splunk's support forums have been migrated to the new Splunk Base wiki and forum capabilities.
- Splunk Base's wiki editing capabilities have been expanded with new features such as the ability to embed example Splunks that can be tried by other users with a single click.
- Integration with Nagios allows Splunk to be monitored by Nagios, send Live Splunk alerts to Nagios, and be launched from Nagios alert emails.
- Splunk for CA Unicenter NSM, an add-on module, allows Splunk to be launched from the NSM console and index NSM events.
- Binary file checking can be disabled for specific sources, allowing them to be indexed.
- The internal routing of data has been greatly simplified with a new universal pipeline that handles all kinds of data from all input modules.
- Splunk sets its processing parameters, such as multi-line merging (aggregation) settings, custom typers, etc., centrally based on the source type, host and source of incoming data, rather than requiring an admin to configure these settings for each input.
- The new savedsplunk:: modifier lets Saved Splunks be referenced in searches and combined with other terms.
- Search typeahead includes all search language elements, such as hoursago::.
- Customizable meta events can combine separate events linked by a common value into a single searchable entity. Events of source type sendmail are automatically summarized into meta events; other meta events can be configured.
- The new ODBC input module will read data directly from ODBC-compliant databases on a network.
- There is a separate module predefined for each unique sourcetype that would come in via built-in input processors, i.e. a separate input module for distributed Splunk input, log4j, and other raw TCP even though they all use the same TCP input processor.
- Hitting the stop button in the browser, pressing Ctrl+C on the command line, or initiating another search from the same browser cancels the execution of the previous search in splunkd.
- All metadata can be exported and imported between Splunk instances and versions, including users, saved splunks, live splunks, tags, sourcetype renames, and extracted report:: fields.
- TCP and UDP input are now available in both Splunk Professional and Splunk Server.
Resolved Issues
- minFreeSpace now works as advertised to control disk space usage.
- Internet Explorer 6.0 users can now log out cleanly.
- The syslog input module correctly sets 24-hour format timestamps.
- The syslog input module translates IP addresses to hostnames correctly.
- The TCP input module properly handles receiving data from multiple hosts.
- Resolved crashes with certain search terms.
- Searches will only run for a predetermined time rather than running indefinitely.
- Multiple stability issues fixed.
- waitForFileToCopy script now executes properly on Solaris.
Supported Platforms
- Linux all flavors 2.4+ kernel
- Solaris 8, 9 & 10 / Sparc
- Mac OS X 10.4 / PPC & x86
- FreeBSD 5.4 & 6.0 / x86
- Solaris 10 / x86
Incompatibilities
- Saved Splunks that use count:: must be edited to use maxresults::
- Saved Splunks that use domain:: must be edited to use index::
- Report:: is now available only in Splunk Professional.
- All input module configuration files have changed to take advantage of the universal processing pipeline. Old configurations will not work.
- Custom processors use a new syntax - all pData objects are now passed by reference. See the Developer Manual for an example.