Release Notes

 


Welcome to Splunk Enterprise 6.1

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Welcome to Splunk Enterprise 6.1

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 6.1 was released on May 6, 2014.

Planning to upgrade from an earlier version?

If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.1, read About Upgrading to 6.1 - READ THIS FIRST in the Installation Manual for important information you need to know before you upgrade.

Dashboard Editor enhancements

Splunk Enterprise 6.1 introduces interactive creation and editing of forms in the Dashboard Editor. This lets you select which inputs to add to a form, and to optionally place the inputs within specific form panels. For more information, see:

Contextual drilldown

Splunk Enterprise 6.1 improves dynamic drilldown in dashboards and forms so that you can now drill down into your data without leaving the page. For more information, see:

Chart overlay

Use chart overlays to represent two different series on a single chart. You can highlight one series of search results as a line graph on top of a column chart, area chart, or another line chart. For more information, see:

Data model enhancements

Create and share data models more easily in Splunk Enterprise 6.1.

Data model upload and download allows you to use the Splunk Web interface to export data models out of Splunk Enterprise and upload exported data models into other Splunk Enterprise implementations. Use this feature to back up data models or to collaborate on data models with other Splunk Enterprise users. For more information, see Manage data models in the Knowledge Manager Manual.

Splunk Enterprise 6.1 includes several improvements to the way that the Data Model Builder handles creation and maintenance of attributes. These enhancements include:

  • Bulk edit - You can now select multiple attributes and change their type and status (hidden/shown, optional/required) with a single click.
  • Manual auto-extracted attribute addition - Know a field will be in your data but don't see it in the set of available auto-extracted attributes? You can now add it yourself.
  • Improved lookup attribute definition - You'll now be able to select your lookup attributes from a list of every eligible output field in your chosen lookup table. You can also define a lookup that is based on multiple input fields.
  • Improved regular expression attribute definition - When defining regular expression attributes, you can now get much more insight into how the fields extracted by a given regular expression are distributed in your object's dataset. You can also drill down to see events in the object dataset that have a specific extracted field value.

For more information, start with Define object attributes in the Knowledge Manager Manual.

Pan and zoom chart controls

Intuitively explore large amounts of data in your visualizations. For more information, see:

Multisite clustering

In Splunk Enterprise 6.1, clusters have built-in site-awareness, meaning that you can explicitly configure a cluster on a site-by-site basis. This simplifies and extends the ability to implement a cluster that spans multiple physical sites, such as data centers, thus enhancing the disaster recovery capabilities of the cluster.

For more information, see:

Search affinity

One of the key benefits of multisite clustering is that it gives you the ability to set up a cluster so that search heads limit their searches to data stored on their local sites. This reduces network traffic while still providing access to the entire set of data, since each site contains all the data. This benefit is known as "search affinity."

For more information, see:

Data preview with structured inputs

With Splunk Enterprise 6.1, you can view and interact with fields found in a file header or within the body of your structured data source. For more information, see:

zLinux forwarder

Splunk Enterprise 6.1 includes support for the universal forwarder on the zLinux operating system. For the complete list of supported operating systems, see System requirements in the Installation Manual.

Low privilege Windows Universal Forwarder

Run the Splunk Universal forwarder on Windows platforms as a domain user without having to grant local administrator privileges. For more information, see:

Custom email alerts

This release provides you with the ability to customize both the content and format of the emails that Splunk Enterprise alerts deliver. For more information, see:

Embedded reports

Publish Splunk charts in any HTML-based dashboard or external web page with simplified sharing controls. For more information, see

Platform instrumentation framework

The Splunk Enterprise platform instrumentation framework generates data about your Splunk instance and environment and writes that data to log files to aid in troubleshooting problems with your Splunk Enterprise deployment. For more information, see:

Web Framework SplunkJS Stack

You can use the Web Framework SplunkJS Stack to integrate Splunk into your own applications, allowing you to develop SplunkJS Stack applications outside of Splunk Web. For more information, see:

New search commands

This release includes the following updates to existing search commands.

  • The iplocation command has one new option, lang.
  • The sendemail command has many new options for configuring email notifications. These options include: message, sendcsv, use_ssl, use_tls, pdfview, papersize, paperorientation, maxinputs, and maxtime. Some existing options, including format and width_sort_columns, have also changed.
  • The tstats command has two new options, allows_old_summaries and chunk_size, and now works with the full set of stats functions.

New REST APIs

This release includes the following updates to the REST API. For more information, see the REST API Reference Manual.

New APIs

  • cluster/master/indexes
  • cluster/master/indexes/{name}
  • cluster/master/sites
  • cluster/master/sites/{name}
  • data/index-volumes
  • data/index-volumes/{name}
  • data/indexes-extended
  • data/indexes-extended/{name}
  • server/roles
  • server/status
  • server/status/dispatch-artifacts
  • server/status/fishbucket
  • server/status/limits/search-concurrency
  • server/status/partitions-space
  • server/status/resource-usage
  • server/status/resource-usage/hostwide
  • server/status/resource-usage/splunk-processes

Updated API parameter descriptions

  • cluster/master/buckets
  • cluster/master/buckets/{name}
  • cluster/master/peers
  • cluster/master/peers/{name}
  • search/jobs (SPL-82458)

This documentation applies to the following versions of Splunk: 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 View the Article History for its revisions.


Comments

Thanks, alacer, we've fixed the typo in the link.

Cgales splunk
May 8, 2014

Alert Examples has wrong url. http://docs.splunk.com/Documentation/Splunk/latest/Alert/Alertexamples should be the correct one.

Alacercogitatus
May 8, 2014

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!