TIPS & TRICKS

What's New in Splunk Enterprise 6.6 and Splunk Cloud

Today we are excited to announce the release of Splunk Enterprise 6.6 and Splunk Cloud! This new release makes it easier than ever for a wide range of users to leverage datasets, build dashboards, get answers and share insights. Also, indexer and search head clustering enhancements make the platform easier to manage at scale. In this blog post we’ll discuss these features in more detail.

More specifically, we'll go over the following:

  • Datasets Explorer which allows you to use a pre-prepared dataset to create/schedule a report and export it in CSV format.
  • Dashboard Drilldown makes it easier to build a guided dashboard navigation experience, without writing any Simple XML.
  • Search Productivity enhancements such as dynamic formatting, improved search optimization and a new SPL command "union."
  • Trellis Layout builds multiple visualizations powered by a single search to compare different segments of a dataset.
  • Indexer and Search Head Clustering improvements make clusters easier to manage and more resilient to network and hardware failures.
  • Admin Productivity enhancements like the new data quality dashboard and knowledge object management.
  • App Management improvements for Splunk Cloud customers.

We’ve also made improvements in the app development space which will be posted in another blog in the next couple of days.  

Be sure to download the Splunk Enterprise 6.6 Overview App for examples of how to use these new features, and to learn about other features not mentioned in this post.

Let's get started with the new Datasets Explorer. In Splunk Enterprise 6.5 we introduced "Datasets", and, more specifically, several types of datasets: Tables (new in 6.5 as well), Lookup files and Data Models. Now the Datasets Explorer makes dataset management much easier with a new interface. Users can explore these prepared datasets with a time-range picker, schedule a report, investigate in search, visualize in pivot and export to CSV, all from one central place! Check out the docs or the Splunk Enterprise 6.6 Overview App for more information.

On to one of my favorite new additions, the Dashboard Drilldown UI Editor, which can be extremely useful when building your dashboards. You can use the drilldown editor to set up linking to a search, dashboard or URL, or even update token values in your dashboard. Previously, these drilldown behaviors required editing the source XML. With the new drilldown editor, you can set up these actions right in the GUI. Additionally, Simple XML can still be used to expand on these actions with conditional or other advanced configurations.

Let's look at a few examples!

Exciting, right? XML is no longer required for most drilldown actions! I, for one, can't wait to try it out. Learn more and see examples with the Splunk Enterprise 6.6 Overview App.

We’re always looking to improve your Search Productivity. With Splunk Enterprise 6.6, we’ve optimized Splunk’s Search Processing Language (SPL) to make both understanding and constructing queries easier. We’ve also added even more syntax highlighting options, line numbers, dynamic line formatting (instead of having to use a hotkey) and expanding macros from the search bar (use CMD+Shift+E)! You can enable these options from the Account Settings dropdown underneath the user.

Additionally, we’ve made the Search Optimizer even smarter to speed up your search queries. First introduced in Splunk Enterprise 6.5, the optimizer now supports predicate splitting and projection elimination. In plain English, that means faster query run times by automatically shifting commands around as well as removing unnecessary ones. Learn more about the latest optimizer.

And the last updated search capability is a new SPL command called union. The union command lets you merge two or more discrete datasets together. It is similar to the append command but more performant, in that it can be parallelized and run on your indexers, whereas append only runs on the search head. Learn more about the union command and how to use it.

Next up is the new Trellis Layout, which provides a more efficient way to run the dashboard and saves time building multiple panels! Have you ever needed to create multiple single value indicators across the top of your dashboard? What about multiple timecharts, with each showing a slightly different measure on the same search? To do this you probably had to edit the Simple XML, copy & paste the original chart over and over again and change the search parameters ever so slightly. Now with Trellis, this can be done directly from the GUI. Multiple charts will be created on the fly—all using a single base search. Here’s an example.
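To tie the three search and dashboard features above together, here is an added Simple XML dashboard (example code written for this post, not code from the original article or from Splunk's Overview App). It uses union to merge Linux and Windows failed-login events in one base search, a trellis single-value panel that splits that search per host, and a drilldown that sets a token to reveal a detail panel, which is the XML the new drilldown editor writes for you. The index `main`, the sourcetypes `linux_secure` and `WinEventLog:Security`, the `EventCode=4625` filter, the `host` field and the token names are assumptions chosen for the example; adjust them to your environment.

```xml
<!-- Added example dashboard: index, sourcetype, field and token names are assumptions -->
<form>
  <label>Failed logins by host (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- One base search feeds every panel. union merges the two authentication
       sources; because both subsearches are streaming, the work is distributed
       to the indexers, where append would run on the search head. -->
  <search id="failed_logins">
    <query>
      | union
          [ search index=main sourcetype=linux_secure "Failed password" ]
          [ search index=main sourcetype="WinEventLog:Security" EventCode=4625 ]
      | stats count AS failures BY host
    </query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Failed logins per host</title>
      <single>
        <search base="failed_logins"/>
        <!-- Trellis: one single-value tile per host, all from the single base search -->
        <option name="trellis.enabled">1</option>
        <option name="trellis.splitBy">host</option>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>

  <row>
    <panel>
      <title>Hosts ranked by failures</title>
      <table>
        <!-- Post-process the base search instead of running a second one -->
        <search base="failed_logins">
          <query>| sort - failures</query>
        </search>
        <option name="drilldown">row</option>
        <!-- Drilldown "Set token": clicking a row stores the host in $selected_host$ -->
        <drilldown>
          <set token="selected_host">$row.host$</set>
        </drilldown>
      </table>
    </panel>
  </row>

  <!-- This row only appears once the token is set by the drilldown above -->
  <row depends="$selected_host$">
    <panel>
      <title>Raw failed logins on $selected_host$</title>
      <event>
        <search>
          <query>index=main host="$selected_host$" ("Failed password" OR EventCode=4625)</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
```

Paste this into a new dashboard's source view to try it. The `depends` attribute on the last row is what turns a token-setting drilldown into guided navigation: nothing is shown until an analyst picks a host, and the detail search is scoped to that host and the same time range as the base search.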

We’re always looking to improve the performance and scalability of the Splunk platform. With this release we are excited to announce Indexer and Search Head Clustering improvements that make clusters easier to manage and more resilient to network and hardware failures.

A few of these scalability and performance enhancements for Indexer Clustering are:

  • Avoidance of search disruption by automatically ensuring replicated data is available prior to taking a node offline.
  • A new manual detention option to selectively stop incoming and replication data traffic to specific indexers, which allows better disk growth management and easier hardware migration tasks.
  • Faster indexer recovery through performance improvements.
  • The ability to push new apps (with reloadable configs) without having to restart the cluster.

Search Head Clustering (SHC) improvements include:

  • A new Search Head Clustering management UI.
  • Continuous replication of knowledge objects across the SHC members.
  • Intelligent captain selection which avoids out-of-sync SHC members from becoming captain.
  • New independent controls for user/role and system-wide quota management.
  • Performance improvements for bundle pushes and replication.

How about some productivity enhancements for the almighty admin?

Splunk is all about knowledge objects—these objects include field extractions, dashboards, reports, scheduled searches and much more. Each of these can exist in different apps, and have different permissions and different owners. This can make relocating or changing ownership of these objects in a large, complex environment tedious and unnecessarily time-consuming. No longer! We’re excited to have added a new capability for re-assigning knowledge objects in bulk right from the GUI!

In addition, we’ve added a new data quality dashboard to help admins uncover data onboarding and quality issues faster and easier. Specifically, users can find timestamp, linebreaking, and aggregation issues with incoming data, find event processing issues grouped by sourcetype and drill down into sourcetypes across hosts.

What about the Cloud!? Specifically for our Cloud customers we’ve created a better App Management interface and experience. These updates include:

  • A new app management page allows for easier management, app updates, self-service installation and resolution of dynamic app dependencies.
  • Support for a larger set of apps and topologies.
  • More robust app deployment with self-service action retries, better restart notifications and overall coordination between automated tasks and manual work performed by Cloud Ops.

We're excited about this new release and hope you are too. Download Splunk Enterprise 6.6 and the Splunk Enterprise 6.6 Overview App today!

Posted by Stephen Luedtke

Stephen Luedtke is a Technical Product Marketing Manager at Splunk. Prior to this role he served as a Professional Services consultant working with customers on Splunk architecture, design, implementation, dashboarding, and training. Before joining us, Stephen served as a Systems Engineer for Mission Critical Networks within Harris Corporation from 2006 to 2013 and specializes in telecommunications, network systems and business analytics. Stephen holds a B.S. in Computer Engineering and M.S. in Professional Engineering Management.
