Preview of important features released in the latest Splunk version, 9.0.0

 

  1. Ingest Actions
  • A new feature is now available in the Splunk UI under Settings >> Ingest Actions.
  • Using this feature, operations can be performed on indexed data as well as on an uploaded sample. The options are: route to a destination, mask using regex, add S3 as a destination, drop events using regex, and drop events using eval expressions. Results can be confirmed via the UI.
  • The Splunk UI provides an option, via Ingest Actions, to add AWS S3 as a destination.
  • Once testing is done, the props and ruleset config can be previewed and deployed from the UI itself.

Splunk Blog- https://www.splunk.com/en_us/blog/conf-splunklive/ingest-actions-data-access-when-where-and-how-you-need-it.html

 

  1. Splunk Assist
  • A new visualization tab in the Monitoring Console that brings Splunk Cloud insights to Splunk on-prem deployments.

Splunk Doc- https://docs.splunk.com/Documentation/Splunk/9.0.0/DMC/AssistIntro

 

  1. Upgrade of default TSIDX compression level
  • For improved performance, the tsidxWritingLevel default is now set to 3.

  1. TSIDX compression for SmartStore indexes
  • This feature enables compression of TSIDX files for SmartStore indexes.
  • TSIDX files will be compressed and stored in AWS S3 using the zstd format.

 

  1. Indexer cluster manager redundancy
  • Deploy two or more cluster managers (CM) as active and standby.

Splunk Doc- https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/CMredundancy

  1. Role-based field filtering

Sample shown below from Splunk doc:

 

Splunk Doc- https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/rolebasedfieldfiltering

  1. Upgrade Readiness App version 4.0.0
  • The latest version of Splunk ships with the latest version of the Python readiness app.
  • Use the Upgrade Readiness App to prepare your Splunk platform deployment for upgrade to Python 3 and jQuery 3.5.

  1. Integrate jQuery into Upgrade Readiness App
  • The latest Python readiness app version also checks for the jQuery 3.5 upgrade.

  1. Configuration Change Tracker index
  • Provides a new index, “_configtracker”, to track config changes.

Splunk Blog- https://www.splunk.com/en_us/blog/platform/splunking-your-conf-files-how-to-audit-configuration-changes-like-a-boss.html

 

  1. Configure health report email alerts in Splunk Web
  • A UI is now provided for email alert setup. Some new features were also added to the health report panel.

  1. Health Report updates
  • New features were added to the list.

 

 

  1. Dashboards: Block access to inline style sheets
  • Users now receive a message to reference external style sheets instead of inline styles in SimpleXML dashboards for improved maintainability.

  1. Dashboard Studio new features
  • Added new visualizations (e.g., Sankey), time range selection from the UI for each panel, markers, etc.

Splunk Doc- https://docs.splunk.com/Documentation/Splunk/9.0.0/DashStudio/WhatNew

 

  1. Universal forwarder
  • Automatic password generation support for Windows installations when prompted for user and password.
  • Configuration changes are now logged by default in configuration_change.log.
  • Supports the new log sources standard for macOS using the logd input.

Splunk Doc- https://docs.splunk.com/Documentation/Forwarder/9.0.0/Forwarder/Forwardlogddatainputs

 

  1. Removed biased language
  • Biased language has been removed from the licensing components of Splunk Enterprise, in keeping with Splunk’s commitment to equality in our actions and products.
  • Master-apps updated to manager-apps; slave-apps updated to peer-apps.

Best practice is to use manager-apps as the config bundle repository, as master-apps has been deprecated and will be eliminated in some future release.

  • One can continue using master-apps, but when manager-apps and master-apps are used simultaneously, only apps from manager-apps are pushed.

For slave-apps: if your peer node was upgraded from a pre-9.0 version, the slave-apps directory was renamed to peer-apps during the upgrade process.

Splunk Doc-

https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/Updatepeerconfigurations#Which_directory_to_use:_manager-apps_or_master-apps.3F
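
A quick post-upgrade check for the manager-apps / master-apps rule above, added here as an example (it is not Splunk's own tooling). It reports whether a cluster manager has content in both directories, in which case the master-apps content would not be pushed. The function names are hypothetical, and it assumes a directory counts as "in use" when it has any app subdirectory other than `_cluster` or any file under `_cluster/local`.

```shell
#!/bin/sh
# Added example: report which config bundle directory holds content on a
# cluster manager, and flag the case where master-apps would be ignored.

# Assumption: "in use" = any app subdirectory other than _cluster,
# or any file under _cluster/local.
has_content() {
    dir=$1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*/; do
        [ -d "$entry" ] || continue
        name=$(basename "$entry")
        if [ "$name" != "_cluster" ]; then
            return 0
        fi
    done
    if [ -d "$dir/_cluster/local" ] && [ -n "$(ls -A "$dir/_cluster/local" 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# Usage: bundle_dir_status /path/to/splunk_home
# Prints one of: conflict, manager-apps, master-apps, empty
bundle_dir_status() {
    etc=$1/etc
    if has_content "$etc/manager-apps"; then
        if has_content "$etc/master-apps"; then
            echo "conflict"      # both populated: master-apps content is not pushed
        else
            echo "manager-apps"
        fi
    elif has_content "$etc/master-apps"; then
        echo "master-apps"       # deprecated location, plan a move to manager-apps
    else
        echo "empty"
    fi
}

# Run against a real installation only when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then
    bundle_dir_status "$SPLUNK_HOME"
fi
```

A result of `conflict` means apps or settings left in master-apps are silently missing from the pushed bundle, so move them into manager-apps before the next bundle push.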