Splunk, the Data-to-Everything Platform, offers products and solutions that work together to make your data strategy stronger with Splunk Enterprise at the core of our portfolio. Since our last release of Splunk Enterprise 8.0 at .conf19, we have continued to strengthen our platform by listening to YOU, our dedicated Splunk users. In Splunk Enterprise 8.1, we have incorporated many customer-requested features to boost your day-to-day productivity, optimized search performance for even faster insights and expanded your cloud environment options to manage Splunk.
If you haven’t heard, we’ve changed the way we deliver new features to you as we shift to a cloud-first delivery model. To you, this means that if you’re a Splunk Cloud customer, new services and enhancements are delivered incrementally on about a six-week cadence, and once those are hardened from customer feedback and use, Splunk Enterprise customers receive them on a more traditional delivery cycle.
Now let’s move on to what’s new. There are five major categories of updates, but be sure to check out Splunk Docs for a complete and definitive guide on how and where you can access the new features.
First, Let’s Talk About Dashboards and SPL
We’re introducing search history and in-line commenting directly in the search bar for both Splunk Cloud and Splunk Enterprise. I can’t hear your applause but I know it’s there — these were the most upvoted features in Splunk Ideas. Search History is an easier way to navigate searches; you can use keyboard shortcuts to iterate through previous searches. SPL Commenting can make SPL easier to read for very long SPL. All you need to do is use three backticks before and after your comment. You can add as many as you’d like, and it has syntax highlighting for both light and dark mode.
Seamless SPL History Navigation
In-Line SPL Comments
Next, we have a no-SPL experience from raw data to dashboard. Native table datasets, Table Views, allow you to visually explore and prepare your data for analysis. Plus, integration with Analytics Workspace creates an intuitive slice and dice experience without using SPL.
Next Up is All About Access and Control for Splunk Cloud and Splunk Enterprise
(admins, lean in!) You’re now able to view inheritance for roles or users so that you can see which roles contribute to indexes, on a hierarchical and assignment level. Now you can spend less time trying to troubleshoot who has access to what and validating what users should not be able to see. You can now also search as a specific user to validate your RBAC configurations are behaving as expected.
We’ve also retired another popular request, which is the ability to persist a global banner at the top of every Splunk page so that you can announce something to all your users! We’ll let you decide what gets put in there, in addition to customizing banner color and hyperlink.
We’ve Also Improved Workload Management
This feature allows you to prioritize workloads based on business needs and manage them through user-defined rules. Shipping with the latest release of Splunk Cloud and Splunk Enterprise is a new admissions rules framework for filtering rogue searches like when users do the inevitable index=*. You can filter for any all time range searches, disallow searches in peak hours or do ad hoc wildcard searches. It’s a very powerful tool for you to reduce the impact of unexpected workloads when you need Splunk the most.
Now Let’s Move on to Performance
We’ve made performance improvements to support deployments scaling to 40 million buckets, enabling reductions in memory footprint and faster time to recovery. Compared to our previous release, our testing reveals rolling restarts are 60% faster, Cluster Manager consumes 75% less memory following a rolling restart, and replication and search factors are 73% faster following a rolling restart.
We’ve improved search processing performance with optimized lookups and refactored query execution so that your day-to-day use of Splunk will be more responsive and streamlined. You should experience your general dashboard usage to be snappier and more responsive.
For our on-premises Splunk Enterprise customers, we now have lookups which are possible at ingest time, not just at search time. You may want to consider using this at ingest time to save lookup performance time, or lookups you know that are consistently used, such as looking up the IP address and adding the DNS field.
More improvements have been made to the file format of tsdix index files. You can now set the file format to level 4, which can save related storage costs.
We’ve Also Made Major Improvements to Our Metrics Store
For those who are new to the metrics store, you can use it to gain orders of magnitude speed increase of search performance where you need to aggregate numerical metrics over time, in a more cost effective way. We’ve made improvements so that you aggregate across more than 2M metrics events per second, increasing throughput and speed. In the Analytics Workspace, there’s now an easier way to filter on hundreds of thousands of metrics and, for Splunk Cloud customers, there’s now support for counters and sub-second time ranges.
SmartStore support for GCP is also new for Splunk Enterprise 8.1 customers running Splunk on Google Cloud.
Also in this release, is the use of WiredTiger storage engine in the KV Store, to replace MMAP. Migrating to WiredTiger improves read/write performance and introduces a pathway for significant reduction in storage requirements.
Lastly, We’re Announcing the Public Beta Release of the Splunk Operator for Kubernetes
This allows you to easily deploy and manage Splunk Enterprise on your favorite public or private cloud environment. The Splunk Operator for Kubernetes is an open source product developed by Splunkers with contributions from the open source community. This is our next-gen platform architecture for managing and running Splunk in a cloud-native way. In addition to easily deploying Splunk Enterprise in a scalable manner, the Splunk Operator facilitates the other benefits of Kubernetes like multicloud portability and CI/CD integration. Designed with prescriptive architecture and deployment upgrades in mind, we’re working on encapsulating best practices for running Splunk in a distributed setting, so that it requires little time to install and enables push-button deployments for easy expansion and contraction of clusters.
Follow all the conversations coming out of #splunkconf20!