Splunk 4.2 Overview
Description:
The essential overview of our latest release Splunk 4.2. New capabilities include: real-time alerting, new Universal Forwarder, better visualizations, a range of ease-of-use capabilities, centralized Splunk monitoring and license management, faster search experience, and more.
Date: Mar 09, 2011
Permalink: http://www.splunk.com/view/SP-CAAAF2G
Transcript
Jake : Hi, I'm Jake Flomenberg, product manager for the Splunk User Interface and Search Technology.
John : And I'm John Cervelli, director of product management for the Splunk server. We're here today to introduce you to Splunk 4.2. Splunk 4.2 features a variety of new search and enterprise management functionality, as well as the constant improvements to performance you've come to expect from us.
Jake : Traditionally, Splunk has provided alerting by polling and running searches on a scheduled basis. <start RT alerting demo> In Splunk 4.2 we've gone a step further to tie our alerting architecture together with our real-time search infrastructure. Real-time alerting allows you to take immediate action when an incident or attack occurs by triggering automatic emails, running scripts, or posting to an RSS feed. Real-time alerting takes advantage of all of the flexibility that the Splunk search language affords so that you can perform advanced correlation and statistical operations and get the insight that you need to run your business better. You can even throttle alerts to avoid redundant notifications and view your alerts in the Alerting Management interface, where you can search through your alerts and drill down into the original results that triggered them.
<start Gauge demo> We're also excited to introduce our new gauge visualizations that help summarize and visualize real-time business data and thresholds for management consumption. It's a great way to put the data that you need to run your business better at your fingertips.
We're also making it easier than ever before to get started with Splunk. <start Quickstart demo> Our new quickstart recipes take the uncertainty out of data ingestion by guiding you through best practice for how to get data into Splunk. <start App demo> It's also easier to find and install apps on Splunkbase, and we let you know whenever an update becomes available. <start workflow demo> And our new workflows make common tasks easy. In addition to saving searches, you can now easily create and share real-time dashboards without having to manually configure permissions and step through the process of crafting alerts to send email notifications or take programmatic action.
And, as always, we maintain our commitment to getting you search results faster than ever before. Splunk 4.2 is no exception - page render time is up to 2.5x faster, single server reporting is up to twice as fast, and reporting over distributed indexers up to 10x faster. If you know precisely what you are searching for, you can also turn off automatic field discovery for dramatic performance improvements.
John : Thanks, Jake. Installing and managing distributed Splunk instances also gets much easier in 4.2. The first new distributed enhancement is the Universal Forwarder. <start UF demo> It's always been possible to deploy Splunk effectively on remote hosts for data collection, but this starts to get more complex when you have a large number of remote hosts. The Universal Forwarder is a new, dedicated Splunk package specially designed for collecting and sending data to Splunk. It's super light on resources, easy to install, but still includes all the current Splunk inputs, without requiring Python.
Of course, once you have Splunk deployed everywhere, now you have to manage it. <start DM demo> To help with that, we've created a new app that monitors Splunk forwarders and indexers. Once you enable the Deployment Monitor app, which ships with the product, you can see information about the health of your forwarders, your indexers and the use of your license. You can even drill down into specific indexers and forwarders for troubleshooting.
Finally, we're also introducing a new distributed license manager. <start license demo> This new manager makes it easy to combine and distribute your Enterprise licenses across a multi-index deployment. You can stack multiple Enterprise licenses, including a Sales Trial if you need more capacity while you work with our sales team. You can stack your legacy Splunk licenses as well, so you don't have to re-key to upgrade to 4.2.
Once you have installed your licenses, 4.2 makes it easy to distribute that license to multiple indexers. A Splunk license master will automatically accept other instances into a single, shared license pool. However, if you want more control, you can create multiple license pools for one or more instances and assign exactly what you need to each indexer or group of indexers.
But that's just the overview. There's much more to Splunk 4.2 that makes it easier to get started, get data in and scale to extreme, big data proportions.
Jake : Be sure to check out the What's New section of the documentation and read about all that 4.2 has to offer as well as Splunkbase and SplunkAnswers where you can learn about Splunk apps and find answers to many of your questions. Thanks and happy Splunking.