This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk Release Notes (Splunk v2.0)

Versions

Version 1.2

Version 1.2 includes many major additions.

Incompatibility

  • Solaris versions 1.2 and later cannot read indexes created with versions prior to 1.2. You will need to run the splunk clean command on your 1.1.x index before updating to 1.2 or higher. This will permanently erase all of your indexed data, user info, saved and live splunks, event type tags and global ids, and custom source type names.

Documentation Changes

  • The new Splunk Installation Guide replaces the old Splunk Quick Start Guide.
  • The Splunk Tutorial is now in the Splunk User's Guide.

Installation Improvements

  • Splunk 1.2 can be installed over prior versions. It will retain all indexed data, user accounts, Saved and Live Splunks, event type tags, custom source type names, and your Splunk Professional license key. It backs up the previous version's XML configuration files so your customizations aren't lost.
  • Multiple instances of Splunk can run on the same host.
  • Non-root users can install and run Splunk in non-privileged directories, such as their home directories.

New Features for Users

  • The new Splunk Assistant guides new users through basic Splunking.
  • The main index of user-loaded data is now called main instead of default.
  • Splunk Base has expanded user profiles and easier tagging.
  • The new report:: operator adds structured reporting. It supports SQLite syntax, but there's no relational database to bog things down at the back end. You can use functions like count, min and max on your Splunk results and save report files to your desktop.

New Features for Administrators

  • Splunk automatically tags event types as it loads them, using a set of predefined tags. You can then add, edit or delete tags to fit your needs.
  • The new syslog module for Splunk Professional emulates a syslog daemon. It listens on port 514 (or whichever port you configure), receives syslog events via UDP, and indexes them into Splunk Professional.
  • The new distributed module for Splunk Professional listens on a TCP port. It lets Splunk index log4j and other TCP socket sources directly, rather than requiring them to be written to a file first.
  • Time zone (or timezone, if you prefer) handling for US time zones is now more automatic and easier to configure. International improvements are coming soon in an update.
  • The command-line interface (CLI) includes several new or improved commands.
    • The old splunk clean command has been replaced with more specific options to remove indexed data, index metadata (tags, event types, source types) or user info (accounts, Saved Splunks) separately.
    • The new verifyconfig command checks Splunk's configuration files for proper XML syntax without starting the server.
    • The new learn-dates command lets you specify timestamp formats by example.
    • The new learn-fields command lets you specify fields to be created in Splunk results on the fly, for use with the new report:: operator.
    • New commands let you create additional indexes in Splunk Professional, and manage indexes individually.
    • You can change the default index in Splunk Professional from the main index (formerly called default) to any user-created index.
    • The new findlogs command will search for indexable logfiles on your Splunk host.

New Features for Developers

  • The all-new Splunk Developer's Guide explains how to extend Splunk through CLI, SOAP, REST, CSS and XSLT, custom Python or C++ processors, and custom configuration modules.
  • Splunk modules can define meta-events that summarize data gleaned from multiple events. For example, a meta-event could list every recipient for a mail message transaction that sendmail logs as separate delivery attempts for each recipient.
  • Splunk modules can insert custom processors ahead of or behind those in Splunk's universal dynamicautogeneric pipeline. This lets developers add custom processing that won't be disabled by upgrade releases to the universal pipeline.
