Splunk Enterprise 6.4 – Driving down the cost of big data analytics


Today, I’m excited to introduce Splunk Enterprise Release 6.4 and the latest version of Splunk Cloud. For Splunk Enterprise customers, the biggest news is that you can lower your cold data storage costs by 40-80%.

We know you’re under pressure to retain more data – and for longer – because of security and compliance. There’s also an increasing demand to optimize your business by analyzing historical data. This data is important but less frequently accessed, so now you can choose to reduce its footprint by 60% on average, and up to 80% for some data types.

How? We can now remove a part of the Splunk optimization data (TSIDX) from your original data, letting you trade optimal search performance for a big reduction in storage cost. You can access the data in all of the normal ways, and for many search and reporting activities there is little impact. But for “needle in the haystack” ad-hoc searches, the performance will no longer be optimal.

Most larger customers will find it compelling. For example, we estimate that a 10 TB/day customer with only a one year retention policy can save more than $4M USD over 5 years. Your account team can help you to assess what data is best for this new option, and how you can cut your storage costs.

There’s much more to 6.4, and the rest is for both Splunk Cloud and Splunk Enterprise customers:

  • Over a dozen new interactive visualizations help you analyze and communicate results more effectively. The first set is available now and the rest will be posted over the coming weeks. Check out a few here:


  • Need more? A new open framework makes it easy to create or customize your own, and Splunkbase lets you share new viz created by customers, our partners or Splunk. To get started, after installing 6.4, search and upload Splunkbase apps tagged “visualizations” or use the new visualization picker in the search bar visualizations tab.
  • There’s a new Event Sampling command and an integrated pull-down in the search bar that lets you choose your sampling rate for any search. This feature is useful to quickly characterize large data sets and then focus your investigation where it matters. It uses a statistically valid methodology and it’s lightning fast compared to searching all data.
  • The Predict command has been completely retooled to handle multiple time series, predict missing values within series and more. All with 80-100X the speed for larger data sets.
  • The HTTP Event Collector has been a big hit with customers. It now accepts non-JSON payloads and can provide data indexing acknowledgements if you want validation that your data has been indexed.
  • The Distributed Management Console now has new monitoring views for job scheduler, system I/O, and HTTP Event Collector.
  • For SAML, we now support Okta, Azure AD and ADFS Identity Providers along with PingFederate.

If you’re a Splunk customer you can learn more by downloading the Release 6.4 Overview App from Splunkbase.


Kevin Faulkner
Sr. Director, Product Marketing
Splunk Inc.
