Release Notes

What's new in Splunk 3.0


These are the highlights of what's new in Splunk 3.0. See the detailed changelogs for specifics by release as well as details on resolved issues.


Interactive reporting

Analyze any logs and IT data in real time with dynamic field extraction, eliminating the need for complex data mapping and set-up. Move seamlessly between unstructured search and structured reporting. Visualize results as bar, line, pie or other kinds of charts. View and sort the results table.


Dashboards and personalization

Any report, chart, search or alert can be placed onto a personalized dashboard. Initial dashboards can be defined for a user role then personalized by each user. Sample dashboards provide examples to get you started on creating your own.


Expanded search language

Powerful new statistical, arithmetic and reporting operators as well as support for correlation between the results of multiple searches. For example, you can now find all IP addresses with more than 100 firewall denies that also have some firewall accepts via a single search.
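The firewall example above is a correlation of two searches: one counting denies per source address, one counting accepts, joined on the address. As an added illustration (not Splunk code, and not Splunk's search syntax), the following Python performs the same correlation over constructed firewall log lines in a generic "ACTION src=... dst=..." style; the threshold and line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic "ACTION src=... dst=..." style; not a real vendor format.
def build_sample_log():
    lines = []
    # 10.0.0.5: 150 denies plus 3 accepts -> the case the search above is looking for
    lines += [f"fw1 DENY src=10.0.0.5 dst=192.0.2.10 dport={1000 + i}" for i in range(150)]
    lines += ["fw1 ACCEPT src=10.0.0.5 dst=192.0.2.10 dport=443"] * 3
    # 10.0.0.6: 120 denies and no accepts -> noisy, but nothing ever got through
    lines += [f"fw1 DENY src=10.0.0.6 dst=192.0.2.11 dport={1000 + i}" for i in range(120)]
    # 10.0.0.7: a handful of denies and accepts -> below the threshold
    lines += ["fw1 DENY src=10.0.0.7 dst=192.0.2.12 dport=22"] * 5
    lines += ["fw1 ACCEPT src=10.0.0.7 dst=192.0.2.12 dport=80"] * 2
    lines.append("fw1 heartbeat ok")  # line without an action/src: must be skipped, not crash
    return lines

# Pull the action and the source address out of one line.
LINE_RE = re.compile(r"\b(?P<action>DENY|ACCEPT)\b.*?\bsrc=(?P<src>\d{1,3}(?:\.\d{1,3}){3})")

def correlate_denies_and_accepts(lines, min_denies=100):
    """Return {src_ip: (denies, accepts)} for every source with more than
    `min_denies` denies that also has at least one accept. This is the join of a
    'denies per source' search with an 'accepts per source' search."""
    counts = defaultdict(lambda: [0, 0])  # src -> [denies, accepts]
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        idx = 0 if m.group("action") == "DENY" else 1
        counts[m.group("src")][idx] += 1
    return {ip: (d, a) for ip, (d, a) in counts.items() if d > min_denies and a > 0}

if __name__ == "__main__":
    for ip, (denies, accepts) in sorted(correlate_denies_and_accepts(build_sample_log()).items()):
        print(f"{ip}: denies={denies} accepts={accepts}")
```

The interesting output is the single address that was both heavily denied and then accepted; a source that is only denied (10.0.0.6) is ordinary scanning noise, which is why the correlation, not the deny count alone, is the useful report.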


Flexible event typing

Users can define their own event types in addition to tagging, renaming, editing or deleting Splunk's auto-discovered types. Splunk also indexes the punctuation pattern of each event in order to support event types defined by the event's structure. Event types are defined in terms of a search string, making them easy to understand and modify.
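To show what indexing the punctuation pattern of an event buys you, here is an added example (my own Python, not Splunk's implementation) that reduces events to their punctuation skeleton and groups them by it. The exact rules (letters and digits removed, spaces turned into underscores, pattern truncated to 30 characters) are an assumption about how such a pattern is built; the sample events are constructed.

```python
import re
from collections import defaultdict

ALNUM = re.compile(r"[A-Za-z0-9]")

def punct_pattern(event, max_len=30):
    """Reduce an event to its punctuation skeleton: strip letters and digits,
    turn spaces into '_', and keep only the first max_len characters (assumed rules)."""
    return ALNUM.sub("", event).replace(" ", "_")[:max_len]

def group_by_punct(events):
    """Group events that share a structure, regardless of the values inside them."""
    groups = defaultdict(list)
    for event in events:
        groups[punct_pattern(event)].append(event)
    return dict(groups)

# Constructed sample events: three sshd lines with the same shape, one kernel line.
SAMPLE_EVENTS = [
    "Sep 21 19:31:49 host1 sshd[1234]: Failed password for foo from 10.0.0.5 port 5555 ssh2",
    "Sep 21 19:31:50 host1 sshd[1234]: Failed password for bar from 10.0.0.6 port 5556 ssh2",
    "Sep 21 19:31:51 host1 sshd[1234]: Accepted password for bob from 10.0.0.9 port 5557 ssh2",
    "Sep 21 19:31:52 host2 kernel: eth0: link is up",
]

if __name__ == "__main__":
    for pattern, events in group_by_punct(SAMPLE_EVENTS).items():
        print(f"{pattern!r}: {len(events)} event(s)")
```

Note the caveat the grouping exposes: "Failed password" and "Accepted password" lines have identical punctuation, so a structure-based event type separates sshd authentication lines from kernel lines but not failures from successes; for that distinction the event type's search string still needs the keyword.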


Scripted inputs

Scripted inputs allow you to schedule and index the output of any shell script or command line actions, greatly expanding data inputs to any data source.


64-bit support

Native support for 64-bit platforms provides better search scalability and performance.


Multi-processor support

Indexing takes advantage of multiple processors and cores for increased performance on powerful hardware.


Deployment server

Centralized management and control of distributed Splunk deployments across large numbers of servers.


Advanced data management

Automate archiving and restore both raw and indexed data. Export large numbers of events in raw or CSV format by source, sourcetype, host and timeframe.


SplunkBase 3.0

Share and download add-ons such as reports, searches, event types and other Splunk knowledge. SplunkBase 3.0 features expanded content and predefined bundles for IT data sources across major applications, servers and devices, authored by 30 experts in various IT technologies.


Browser toolbar

The Splunk toolbar allows users to drill down into Splunk from web-based monitoring applications like IBM Tivoli, CA Unicenter, HP OpenView and SiteScope, BMC Patrol, and Nagios. Simply highlight an error message, hostname, IP address, or any other string, right-click, and Splunk will search its index for that string. From the toolbar you can enter new searches, view your search history, run saved searches, and view the status of your alerts.


Other features and improvements

Improved data routing and cloning

Data routing between Splunk servers is now faster, with greater scalability and resiliency. Splunk servers can be set up to use round-robin load balancing. Data can be cloned across multiple machines, resulting in higher availability. Data can optionally be encrypted.


REST API overhaul

The REST API that SplunkWeb uses to communicate with splunkd has been overhauled to be more developer-friendly.


Distributed search support for report operators

Splunk reports can use data pulled from remote Splunk servers.


Distributed search support for related events

Splunk can find related events across multiple remote Splunk servers.


Interstitial wildcards

Wildcards can now occur in the middle of a search string, for instance f*o, *f*o, and f*o*.


Quoted string search

Searches can include quoted strings. Quoted string search is case-insensitive. For instance, a search for "ibm udb" will match events containing "IBM UDB".


Microsecond search and display support

Splunk can search for events down to the level of one microsecond, or one-millionth of a second. This is helpful when investigating event storms, such as those that occur during distributed denial of service (DDoS) attacks.


Granular access controls

Splunk lets an admin specify which users can access which events, based on their sources, event types, search fields and/or hosts.


TAI64 date support

Splunk can index logfiles with timestamps in TAI64 format.
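TAI64 timestamps (the `@` labels written by daemontools' tai64n in front of each log line) are a hex count of seconds offset by 2^62, optionally followed by eight hex digits of nanoseconds (TAI64N) and eight more of attoseconds (TAI64NA). As an added example (my own Python, not Splunk's parser), here is a decoder that converts such labels to Unix time and splits a stamped log line into timestamp and message. It follows the daemontools convention of TAI = UTC + 10 s and ignores later leap seconds, so results can differ from true UTC by the leap seconds accumulated since 1972; the sample label is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# TAI64 labels count seconds from 1970-01-01 TAI with an offset of 2**62.
# daemontools' tai64n stamps use TAI = UTC + 10 s and ignore later leap seconds;
# this example follows that convention (an assumption about the log source).
TAI64_EPOCH_OFFSET = 2 ** 62 + 10
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_tai64(label):
    """Return (unix_seconds, nanoseconds, attoseconds) for an '@' TAI64 label.
    Accepts TAI64 (16 hex digits), TAI64N (24) and TAI64NA (32); raises
    ValueError for anything else so a bad stamp is noticed, not silently misdated."""
    if not label.startswith("@"):
        raise ValueError("TAI64 label must start with '@'")
    hexdigits = label[1:]
    if len(hexdigits) not in (16, 24, 32) or not re.fullmatch(r"[0-9a-fA-F]+", hexdigits):
        raise ValueError(f"malformed TAI64 label: {label!r}")
    seconds = int(hexdigits[:16], 16) - TAI64_EPOCH_OFFSET  # negative before 1970
    nanos = int(hexdigits[16:24], 16) if len(hexdigits) >= 24 else 0
    attos = int(hexdigits[24:32], 16) if len(hexdigits) == 32 else 0
    if nanos >= 10 ** 9 or attos >= 10 ** 9:
        raise ValueError(f"fractional part out of range in {label!r}")
    return seconds, nanos, attos

def tai64_to_datetime(label):
    """Convert a TAI64 label to an aware UTC datetime (microsecond precision)."""
    seconds, nanos, _ = parse_tai64(label)
    return UNIX_EPOCH + timedelta(seconds=seconds, microseconds=nanos // 1000)

def split_stamped_line(line):
    """Split a tai64n-stamped log line into (datetime, message)."""
    label, _, message = line.partition(" ")
    return tai64_to_datetime(label), message

# Constructed sample line in tai64n style.
SAMPLE_LINE = "@400000004512e8af0a4b1a2c sshd: accepted connection"

if __name__ == "__main__":
    when, message = split_stamped_line(SAMPLE_LINE)
    print(when.isoformat(), message)
```

Rejecting malformed labels matters more than it looks: a timestamp parser that guesses on bad input files events under the wrong time, which is exactly the kind of silent gap that frustrates an investigation later.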


Expanded use of bundles for configuration

Forwarding and event types are now stored in bundles. Splunk admins can override Splunk's default forwarding and event type settings by creating their own bundles. Additionally, since event types are now bundled, they can be downloaded from SplunkBase.


Other alerting improvements

Splunk alerts (formerly called "Live Splunks") can be scheduled with cron-like flexibility. Links within alerts can optionally be set up to use SSL (https) for greater security. Splunk allows email, RSS, and scripted alerts to be shown in SplunkWeb, which makes it easier for Splunk users to take advantage of new notification types.


LDAP/SSL

Splunk can connect to LDAP directory servers over SSL.


Other LDAP improvements

Splunk supports multiple LDAP distinguished names (DNs). Splunk can filter out entries based on their attributes, allowing only certain users to access a Splunk server. Splunk supports Microsoft Active Directory paging, enabling it to support organizations with more than 1000 users listed in the AD server.


Configurable event and field actions

Splunk lets you configure actions for a particular type of field or event. For instance, you can set up Splunk to do a reverse DNS lookup of an IP address field, enabling you to discover whether an IP address is probably from a customer or represents a potential security risk.


Native input from archive formats

Splunk natively reads archives in gzip format, allowing for immediate searching of results, rather than waiting for a long-running archive process to complete.


Limited administration via search

Splunk lets admin users view and edit configuration files from the web UI. Simply enter "admin <<name of configuration file>>" as a search, and you'll see all the configuration files matching your search. You can also edit and save configuration files.

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2
