Meet Splunk 4.3
Welcome to Splunk 4.3!
Read on for information and links into the documentation for all the great new features in this version.
For system requirements information, see the Installation Manual.
Splunk 4.3 was released on January 10, 2012.
Planning to upgrade from an earlier version?
If you plan to upgrade from an earlier version of Splunk to version 4.3, be sure to read "About Upgrading to 4.3 - READ THIS FIRST" in the Installation Manual for important things you'll need to know before you upgrade.
User interface improvements
Splunk 4.3 includes substantial improvements to the user interface and workflow. Enhancements include:
- Charting controls integrated with timeline view
- Drag-and-drop dashboard editing
- Simplified workflow for saving searches
- Unified "Create" button for alerts, reports, and dashboard panels
- New "digest" field for grouping alert notifications
- Integrated time range picker and search button
- More accessible job control and job inspector buttons
- Improvements to message banners
To improve support of iOS hand-held devices, Splunk Web now provides non-Flash chart and timeline display. This also improves printing quality. For more information about the non-Flash charts, as well as the circumstances that might cause Splunk to render charts in Flash, see:
- "Advanced charting options" in Developing Dashboards, Views, and Apps for Splunk Web.
Dashboard panel editor
Splunk 4.3 exposes charting controls in a consistent UI that is accessible both from the dashboard and from the report builder UI, allowing you to discover and use this important feature more effectively. For information on how to use the dashboard panel editor, refer to:
- "Edit dashboard panel visualizations" in the User Manual.
Sparklines are a technique to increase information density in tables by adding inline charts to specific cells. They are most commonly used to show time-based trends associated with the primary key of a given row.
- "Add sparklines to your search results" in the User Manual.
Per-result alerting allows you to define alerts that trigger based on single events rather than a group of events.
- "Create an alert" in the User Manual.
Real time backfill
When you run a real-time windowed search, you can specify that Splunk backfill the initial window with historical data. This ensures real-time dashboards seeded with data on actual visualizations and statistical metrics over time periods are accurate from the start. For more information, refer to:
- "Search and report in real time" in the User Manual.
Bloom filters speed up keyword searches by ruling out buckets where a searched-for keyword doesn't exist before incurring the overhead of searching the buckets. For more information, check out:
- "Bloom filters" in the Admin Manual.
Data preview (single file)
See what data sources are about to be indexed, to where, and preview how their event extractions will be handled by Splunk. Data preview makes it easy to test new sourcetypes and troubleshoot how Splunk will handle them. Data preview lets you see what you're getting, before you commit to an indexing strategy. For more information on data preview, check out:
- "Overview of data preview" in the Getting Data In Manual.
Structured data field extraction (JSON, XML)
Increasingly, machine data is being generated in structured data formats such as XML and JSON. We've extended the Splunk search language to allow users to extract data from these structures in a straightforward way. For more information, check out:
- The "spath" search command in the Search Reference Manual.
Per-user time zones
Large deployments often include users in different timezones. These users want to see the data in the timezone they're in. Splunk now supports setting a time zone for each user. For more information, check out:
- "Add and edit users" in the topic "Set up user authentication with Splunk's built-in system" in the Admin Manual.
Multiple domain authorization helps large IT departments overcome the challenges of expanding Splunk across departments where different AAA systems are in use. This also resolves issues where, due to the risk of circular references, Splunk isn't able to follow referrals from one LDAP system to another safely. For more information, check out:
- "Use multiple LDAP strategies" in the topic "Set up user authentication with LDAP" in the Admin Manual.
Splunk supports using IPv6 addresses for all network activity, including data forwarding and splunkweb. Users can use Splunk transparently as they migrate their network to IPv6 and can leverage their existing IT Search deployment and experience for problem solving, alerting and reporting even during changes to the core networking technologies that run their environments. Check out
- "Configure Splunk for IPv6" in the Admin Manual for more information.
We've done some work to make Splunk Web more accessible for the visually-impaired. For more details, refer to:
- "Accessibility options" in the Installation Manual.
Splunk Developer Portal and REST API Reference
Splunk for Developers is live. Learn how to extend Splunk with the App Framework and how to build your own applications using the Splunk REST API and SDKs. The Splunk REST API Reference is also available as part of the Splunk doc set.