Splunk 4.3 is now out and for a minor release it packs an elephant-sized punch! Our continuing emphasis on enhancing usability means that Splunk reaches more and more users on a daily basis. There are also subtle features we continue to add to make data exploration simpler and faster.
One exciting example is the new feature we added that makes structured data formats like XML/JSON easier to navigate within Splunk. While Splunk could always ingest XML/JSON data easily, navigating the nested hierarchical structure of these data formats was not intuitive.
With 4.3, we handle this data much better. Not only did we add color coding for fields within the hierarchy, we also added a search command “spath” that lets you utilize the natural hierarchy specified within XML/JSON to extract, manipulate and report on fields within your structured data easily!
More on spath here: http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Spath
And watch it in action in the 4.3 demo video.
With a command like spath at your disposal, asking questions of your JSON/XML data becomes trivial. Reporting on and analyzing this additional data, and linking it with other data in your environment, becomes really easy.
Derek Mock, one of our 4.3 beta customers, who is Director of Software Development at Ceryx, a leading messaging and collaboration hosting company, said: “We are currently indexing a file from a DB that includes a column with XML. Having spath will make field extraction from that particular data source much easier.”
Another feature he found useful was Data Input Preview, “Working with a particularly difficult source, I was able to reduce the time it would have taken before from days or a week to literally an hour.”
Data Input Preview is for all those uncommon and fussy data types that are difficult to parse and make usable. Data Input Preview lets you see exactly how Splunk will understand your timestamps and event boundaries BEFORE you index your data. You can adjust timestamps and event boundaries and save these settings so that future indexing by Splunk parses the data the way you want it.
What does this mean for our IT operations and application management professionals? Making it easier to get data into Splunk in the first place means more data in Splunk. And with more data, customers have a greater opportunity to make connections across different interconnected tiers of their application environment and gain deeper operational insights.
After speaking to a lot of our early 4.3 users, one user from a Top 5 Home Improvement Retailer summarized the general sentiment: “Some of my applications generate XML logs and I can’t wait to get them into Splunk 4.3 and get visibility across yet another application tier.”
So give it a try and happy Splunking – now with 4.3!