Release Notes



What's new in Splunk 3.2


Transaction search

Many data sources generate multiple, related log entries for a single observable event. For example, an order transaction generates log entries on multiple servers: on the Web front end, the application server, and the back-end database. Splunk now provides a way to reference these events as one unit, a transaction. This enables various types of new and improved analysis. You can now see transactions as one unit on screen, with no need to stitch individual events together manually, and you can run statistical analysis and queries on entire transactions, such as: What is the average transaction execution time? Did all transactions complete? These queries are now simple to write.


For more information, refer to Use transaction search in the User Guide.


Filesystem change monitoring

Splunk's filesystem change monitoring opens up vast new possibilities to capture one of the most important vectors in IT Compliance and IT Operations: change. Identify configuration changes in real time, monitor live IT data feeds, and specify alerting to pinpoint availability problems in your infrastructure like never before. Report on change to your compliance auditors as well, all without additional agents or complex software.


For more information, refer to How the file system change monitor works in the Administration Guide.


REST API

The Splunk Platform is built on Splunk's new REST API. Developers can integrate with and build applications for Splunk more quickly and easily than ever before with an API that supports Splunk SDKs for .NET, Python and other languages. Simple, easy to use API calls inside a programmatic REST structure with Atom syndication encourage rapid development and place the power of IT data inside your applications.


For more information, refer to Splunk's REST API in the Developer Guide.


Windows platform support

Splunk now supports installation on the majority of currently deployed Windows operating systems, with all of the Splunk features offered on other platforms, including native support for the Windows event log. Windows administrators and those who have standardized on Microsoft technologies can now harness the power of Splunk!


To get started with Splunk on Windows, refer to the Windows installation in the Installation Guide.


Interactive event type learning

The power of event type learning is put into your hands. Based on a specific search result, you can tell Splunk to learn new event types and store them in the system with the appropriate tags.


For more information, refer to Event type discovery in the Administration Guide.


Interactive field extraction

You can now use Splunk Web to define new field extractions as soon as you see an event that needs them. Define your fields as you need them!


For more information, refer to Create extracted fields in the Administration Guide.


Increased storage efficiency

Splunk 3.2 delivers significant increases in storage efficiency over previous releases. With standard syslog, Splunk offers 15% greater efficiency in its indexed datastore, making syslog data consume just 25% of raw data size. Save space and money while unlocking the power of your IT data!


Flexible roles

Flexible roles provide streamlined management of user permissions, personalization and content in large environments with hundreds of users. Through integration with LDAP, they also meet corporate standards for central management of users and permissions.


Administrators can define new roles that control data access and user capabilities in one location and then map them onto role contexts in external authentication systems.


For more information, refer to Configure roles in the Administration Guide.


Auditing & signing

Auditing and signing make it easy to demonstrate the integrity of IT data for compliance purposes and to present IT data as legally admissible evidence. Splunk can automatically determine the integrity of any IT data and its own configuration through cryptographic signing and granular auditing of user and administrator activity.


For more information, refer to Audit event signing in the Administration Guide.


Transaction typing

Transaction typing lets you name specific patterns of events. You can express a pattern of events either by defining the sequence in which the individual events making up a transaction have to happen, or by using the transaction discoverer (the transaction command) to discover transactions automatically. An example of a transaction could be: an attack detected by an intrusion detection system, followed by a specific event recorded in the operating system log file on the targeted machine. Together, these events make up a "transaction". Once you define a transaction, you can search for it and operate on it as if it were a single event.
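To make the two transaction ideas on this page concrete (grouping an order's web/app/db events into one unit with an average execution time and a completeness check, and the IDS-alert-then-OS-log pattern above), here is an added Python illustration. It is not Splunk code and does not use Splunk's transaction command; the events, field names (order_id, target) and sequences are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the page): order A1 completes across
# web -> app -> db, order B2 never reaches the database, and an IDS alert is
# followed by an OS log entry on the targeted host. The IDS alert's destination
# is assumed to be normalized into a "target" field for grouping.
EVENTS = [
    {"time": "2008-01-10 12:00:00", "sourcetype": "web",   "order_id": "A1", "host": "web01"},
    {"time": "2008-01-10 12:00:02", "sourcetype": "app",   "order_id": "A1", "host": "app01"},
    {"time": "2008-01-10 12:00:05", "sourcetype": "db",    "order_id": "A1", "host": "db01"},
    {"time": "2008-01-10 12:01:00", "sourcetype": "web",   "order_id": "B2", "host": "web01"},
    {"time": "2008-01-10 12:01:03", "sourcetype": "app",   "order_id": "B2", "host": "app01"},
    {"time": "2008-01-10 12:02:00", "sourcetype": "ids",   "target": "srv07", "host": "ids01"},
    {"time": "2008-01-10 12:02:09", "sourcetype": "oslog", "target": "srv07", "host": "srv07"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def build_transactions(events, key, sequence):
    """Group events that share `key` and check that the sourcetypes in
    `sequence` occurred in that order. Returns {key_value: (complete, seconds)}."""
    groups = defaultdict(list)
    for ev in events:
        if key in ev and ev["sourcetype"] in sequence:
            groups[ev[key]].append(ev)
    result = {}
    for value, evs in groups.items():
        evs.sort(key=lambda e: parse(e["time"]))
        seen = iter(e["sourcetype"] for e in evs)
        # Complete only if every expected step appears, in order, as a subsequence.
        complete = all(step in seen for step in sequence)
        duration = (parse(evs[-1]["time"]) - parse(evs[0]["time"])).total_seconds()
        result[value] = (complete, duration)
    return result

def transaction_stats(txns):
    """Average execution time of complete transactions plus a completeness count."""
    done = [secs for ok, secs in txns.values() if ok]
    avg = sum(done) / len(done) if done else 0.0
    return {"avg_seconds": avg, "complete": len(done), "incomplete": len(txns) - len(done)}

if __name__ == "__main__":
    orders = build_transactions(EVENTS, "order_id", ["web", "app", "db"])
    print(transaction_stats(orders))   # one complete (5 s), one incomplete
    print(build_transactions(EVENTS, "target", ["ids", "oslog"]))
```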


For more information, refer to How transaction types work in the Administration Guide.


New search features

Splunk's new search features greatly improve the overall capabilities of Splunk:


Role-based search sharing

Extend the power of IT search within your team. Share your searches with different roles inside Splunk to deliver senior analyst troubleshooting knowledge into the hands of junior administrators. Reduce MTTR and empower your whole team to collaborate on new ways to pinpoint problems.


For more information, refer to Set up saved searches in the Administration Guide.


Live Tail

View live log data from multiple, distributed servers and applications from a central location. You don't need to log into multiple servers, know where the servers live, how to access them, or what log files to look at. Splunk's new Live Tail provides one interface to all the data.


For more information, refer to Use Live Tail in the User Guide.


Dynamic event rendering

Tell Splunk how to display events based on each event's properties. Event rendering lets you specify coloring and additional text labels for Splunk to show for specific events.


For more information, refer to Dynamic event rendering in the Administration Guide.


Universal field tagging

Define tags for any field in Splunk. In addition to letting you tag the core fields (source, sourcetype, eventtypes, and hosts), you can tag any other extracted or indexed fields.


For more information, refer to Tag fields in the User Guide.


Pluggable authentication API

Integrate Splunk with your existing authentication systems. By using the new pluggable authentication API, it's simple to integrate with a wide variety of external authentication solutions. This enables integration with virtually any existing authentication method, including PAM and Kerberos. Leverage existing role contexts inside Splunk for both data access and administrative control, and enhance the security of your Splunk deployment.


Event type templates

Event type templates provide the ability to specify fields within a given event pattern that Splunk will automatically use to generate new event types. For example, for Windows events, you can specify that Splunk use the event ID field to generate a unique event type for each event ID seen, without needing to specify a separate event type manually for each event ID.


For more information, refer to Event type templates in the Administration Guide.


Asynchronous search via the CLI dispatch command

The Splunk CLI now allows you to run multiple searches asynchronously using the dispatch CLI command. Dispatch lets you execute long-running searches: they can be dispatched into the background and their results retrieved at a later point in time. In addition, dispatch removes the limit on the maximum number of events passed between commands, enabling reporting over large amounts of data.


For more information, refer to the dispatch CLI command in the User Guide.

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6

