Preview of important features released in the latest Splunk version, 9.0.0
- Ingest Actions
- A new feature is now available in the Splunk UI under Settings > Ingest Actions.
- With this feature, operations can be performed on indexed as well as uploaded sample data. The options are: route to a destination, mask using regex, add S3 as a destination, drop events using regex, and drop events using eval expressions. Results can be confirmed in the UI.
- Ingest Actions provides an option in the Splunk UI to add AWS S3 as a destination.
- Once testing is done, the props and ruleset configuration can be previewed and deployed from the UI itself.
Splunk Blog- https://www.splunk.com/en_us/blog/conf-splunklive/ingest-actions-data-access-when-where-and-how-you-need-it.html
- Splunk Assist
- A new visualization tab in the Monitoring Console that brings Splunk Cloud insights to on-premises Splunk deployments.
Splunk Doc- https://docs.splunk.com/Documentation/Splunk/9.0.0/DMC/AssistIntro
- Upgrade of default TSIDX compression level
- For improved performance, the default tsidxWritingLevel is now set to 3.
- TSIDX compression for SmartStore indexes
- This feature enables compression of TSIDX files for SmartStore indexes.
- TSIDX files will be compressed and stored in AWS S3 using the zstd format.
- Indexer cluster manager redundancy
- Deploy two or more cluster managers (CMs) as active and standby.
Splunk Doc- https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/CMredundancy
- Role-based field filtering
- Protecting PII and PHI data with role-based field filtering.
- Controls what a user with a specific role can see in Splunk: fields can be filtered by index, host, source and sourcetype.
- In limits.conf, set role_based_field_filtering=true.
- In authorize.conf, set the restrictions.
Sample shown below from Splunk doc:
Splunk Doc- https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/rolebasedfieldfiltering
- Upgrade Readiness App version 4.0.0
- The latest version of Splunk ships with the latest version of the Python readiness app.
- Use the Upgrade Readiness App to prepare your Splunk platform deployment for upgrade to Python 3 and jQuery 3.5.
- Integrate jQuery into Upgrade Readiness App
- The latest Python readiness app version also checks for the jQuery 3.5 upgrade.
- Configuration Change Tracker index
- Provides a new index, “_configtracker”, to track configuration changes.
- Configure health report email alerts in Splunk Web
- A new UI is provided for email alert setup. Some new features were also added to the health report panel.
- Health Report updates
- New features were added to the list.
- Dashboards: Block access to inline style sheets
- Users now receive a message to reference external style sheets instead of inline styles in SimpleXML dashboards for improved maintainability.
- Dashboard Studio new features
- Added new visualizations (e.g. Sankey), time range selection from the UI for each panel, markers, etc.
Splunk Doc– https://docs.splunk.com/Documentation/Splunk/9.0.0/DashStudio/WhatNew
- Universal forwarder
- Automatic password generation support for Windows installations when prompted for user and password.
- Configuration changes are logged by default now in configuration_change.log.
- Supports the new log source standard for macOS using the logd input.
Splunk Doc- https://docs.splunk.com/Documentation/Forwarder/9.0.0/Forwarder/Forwardlogddatainputs
- Removed biased language
- Biased language has been removed from the licensing components of Splunk Enterprise, in keeping with Splunk’s commitment to equality in our actions and products.
- Master-apps updated to manager-apps; slave-apps updated to peer-apps.
Best practice is to use manager-apps as the config bundle repository, as master-apps has been deprecated and will be eliminated in a future release.
- One can continue using master-apps, but when manager-apps and master-apps are used simultaneously, only apps from manager-apps are pushed.
For slave-apps: if your peer node was upgraded from a pre-9.0 version, the slave-apps directory was renamed to peer-apps during the upgrade process.
Splunk Doc-
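
The rule that only manager-apps is pushed when both directories are in use means apps left behind in master-apps silently stop reaching the peers. The check below is an added example, not code from Splunk or from this post; it assumes both directories sit under `$SPLUNK_HOME/etc`, and the function names and sample app names are constructed for illustration.

```python
import os
import tempfile

def list_apps(path, ignore=()):
    """Return the names of app directories under path (empty set if path is absent)."""
    if not os.path.isdir(path):
        return set()
    return {n for n in os.listdir(path)
            if os.path.isdir(os.path.join(path, n)) and n not in ignore}

def audit_manager_bundle(etc_dir, ignore=()):
    """On a cluster manager, report which repository is pushed and what is left out.

    Assumption: every subdirectory counts as an app; pass default directories
    you do not want counted via `ignore`.
    """
    legacy = list_apps(os.path.join(etc_dir, "master-apps"), ignore)
    current = list_apps(os.path.join(etc_dir, "manager-apps"), ignore)
    if current:
        # Both in use: only manager-apps is pushed, so anything that exists
        # only in master-apps never reaches the peers.
        return {"pushed_from": "manager-apps",
                "stranded": sorted(legacy - current),
                "shadowed": sorted(legacy & current)}
    return {"pushed_from": "master-apps" if legacy else None,
            "stranded": [], "shadowed": []}

def audit_peer_dirs(etc_dir):
    """On a peer node, report whether the pre-9.0 slave-apps directory remains."""
    return {"slave_apps_present": os.path.isdir(os.path.join(etc_dir, "slave-apps")),
            "peer_apps_present": os.path.isdir(os.path.join(etc_dir, "peer-apps"))}

def build_sample_etc(root):
    """Create a constructed sample layout (app names are made up)."""
    for rel in ("master-apps/TA_audit", "master-apps/indexes_app",
                "manager-apps/indexes_app", "peer-apps/indexes_app"):
        os.makedirs(os.path.join(root, rel))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        etc = build_sample_etc(tmp)
        print(audit_manager_bundle(etc))
        print(audit_peer_dirs(etc))
```

Apps listed under `stranded` exist only in master-apps and should be moved to manager-apps before the next bundle push; apps under `shadowed` exist in both, and the manager-apps copy is the one that is deployed.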