Preview of important features released in Splunk version 9.0.0


  1. Ingest Actions
  • A new feature is now available in the Splunk UI under Settings > Ingest Actions.
  • Using this feature, operations can be performed on indexed data as well as on an uploaded sample. The options are: route to a destination, mask using regex, add S3 as a destination, drop events using regex, and drop events using eval expressions. Results can be confirmed in the UI.
  • An option to add AWS S3 as a destination is provided in the Splunk UI via Ingest Actions.
  • Once testing is done, the props and ruleset config can be previewed and deployed directly from the UI.

Splunk Blog-


  1. Splunk Assist
  • A new visualization tab in the Monitoring Console to get Splunk Cloud insights on Splunk on-prem.

Splunk Doc-


  1. Upgrade of default TSIDX compression level
  • For improved performance, the default tsidxWritingLevel is now set to 3.



  1. TSIDX compression for SmartStore indexes
  • This feature enables compression of TSIDX files for SmartStore indexes.
  • TSIDX files will be compressed and stored in AWS S3 using the zstd format.


  1. Indexer cluster manager redundancy
  • Deploy two or more cluster managers (CM) as active and standby.

Splunk Doc-





  1. Role-based field filtering

Sample shown below from Splunk doc:


 Splunk Doc-

  1. Upgrade Readiness App version 4.0.0
  • The latest version of Splunk ships with the latest version of the Python readiness app.
  • Use the Upgrade Readiness App to prepare your Splunk platform deployment for upgrade to Python 3 and jQuery 3.5.



  1. Integrate jQuery into Upgrade Readiness App
  • The latest Python readiness app version also checks for the jQuery 3.5 upgrade.




  1. Configuration Change Tracker index
  • Provides a new index, “_configtracker”, to track config changes.

Splunk Blog-


  1. Configure health report email alerts in Splunk Web
  • A UI is now provided for email alert setup. Some new features were also added to the health report panel.



  1. Health Report updates
  • New features were added to the list.



  1. Dashboards: Block access to inline style sheets
  • Users now receive a message to reference external style sheets instead of inline styles in SimpleXML dashboards for improved maintainability.

  1. Dashboard Studio new features
  • Added new visualizations (e.g. Sankey), time range selection from the UI for each panel, markers, etc.

Splunk Doc


  1. Universal forwarder
  • Automatic password generation support for Windows installations when prompted for user and password.
  • Configuration changes are now logged by default in configuration_change.log.
  • Supports the new log sources standard for macOS using the logd input.

Splunk Doc-


  1. Removed biased language
  • Biased language has been removed from the licensing components of Splunk Enterprise, in keeping with Splunk’s commitment to equality in our actions and products.
  • Master-apps updated to manager-apps; slave-apps updated to peer-apps.

Best practice is to use manager-apps as the config bundle repository, as master-apps has been deprecated and will be eliminated in some future release.

  • One can continue using master-apps, but when manager-apps and master-apps are used simultaneously, only apps from manager-apps are pushed.

For slave-apps: if your peer node was upgraded from a pre-9.0 version, the slave-apps directory was renamed to peer-apps during the upgrade process.
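
A pre-push check for the behaviour described above, added here as an example (it is not Splunk's or the original post's code): on a cluster manager it lists apps that exist only under master-apps while manager-apps is also populated, since those apps would no longer be pushed. It assumes both directories live under `$SPLUNK_HOME/etc` and that the default `_cluster` directory does not count as a deployed app; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find apps left behind in etc/master-apps once
# etc/manager-apps is in use on a cluster manager.

# list_apps DIR -> one app directory name per line.
# Assumption: the default _cluster directory is not a deployed app.
list_apps() {
    [ -d "$1" ] || return 0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue            # glob matched nothing
        name=$(basename "$d")
        [ "$name" = "_cluster" ] && continue
        printf '%s\n' "$name"
    done
    return 0
}

# stranded_apps ETC_DIR -> apps present only in master-apps while
# manager-apps holds at least one app (so only manager-apps is pushed).
stranded_apps() {
    etc=$1
    manager=$(list_apps "$etc/manager-apps")
    # manager-apps holds no apps: master-apps is the only repository in use.
    [ -n "$manager" ] || return 0
    list_apps "$etc/master-apps" | while read -r app; do
        # Exact, whole-line match against the manager-apps app names.
        printf '%s\n' "$manager" | grep -qxF -- "$app" || printf '%s\n' "$app"
    done
}

# Run against a real installation only when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then
    stranded_apps "$SPLUNK_HOME/etc"
fi
```

Any name it prints should be moved into manager-apps before the next bundle push.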

Splunk Doc-