Welcome to Splunk Enterprise 6.1
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Welcome to Splunk Enterprise 6.1
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Splunk Enterprise 6.1 was released on May 6, 2014.
Planning to upgrade from an earlier version?
If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.1, read About Upgrading to 6.1 - READ THIS FIRST in the Installation Manual for important information you need to know before you upgrade.
Dashboard Editor enhancements
Splunk Enterprise 6.1 introduces interactive creation and editing of forms in the Dashboard Editor. This lets you select which inputs to add to a form, and to optionally place the inputs within specific form panels. For more information, see:
- Create and edit forms with the Dashboard Editor in the Dashboards and Visualizations manual.
Splunk Enterprise 6.1 improves dynamic drilldown in dashboards and forms so that you can now drill down into your data without leaving the page. For more information, see:
- Dynamic drilldown in dashboards and forms in the Dashboards and Visualizations manual.
Use chart overlays to represent two different series on a single chart. You can highlight one series of search results as a line graph on top of a column chart, area chart, or another line chart. For more information, see:
- Chart overlay in the Dashboards and Visualizations manual.
Data model enhancements
Create and share data models more easily in Splunk Enterprise 6.1.
Data model upload and download allows you to use the Splunk Web interface to export data models out of Splunk Enterprise and upload exported data models into other Splunk Enterprise implementations. Use this feature to back up data models or to collaborate on data models with other Splunk Enterprise users. For more information, see Manage data models in the Knowledge Manager Manual.
Splunk Enterprise 6.1 includes several improvements to the way that the Data Model Builder handles creation and maintenance of attributes. These enhancements include:
- Bulk edit - You can now select multiple attributes and change their type and status (hidden/shown, optional/required) with a single click.
- Manual auto-extracted attribute addition - Know a field will be in your data but don't see it in the set of available auto-extracted attributes? You can now add it yourself.
- Improved lookup attribute definition - You'll now be able to select your lookup attributes from a list of every eligible output field in your chosen lookup table. You can also define a lookup that is based on multiple input fields.
- Improved regular expression attribute definition - When defining regular expression attributes, you can now get much more insight into how the fields extracted by a given regular expression are distributed in your object's dataset. You can also drill down to see events in the object dataset that have a specific extracted field value.
For more information, start with Define object attributes in the Knowledge Manager Manual.
Pan and zoom chart controls
Intuitively explore large amounts of data in your visualizations. For more information, see:
- Pan and zoom chart controls in the Dashboards and Visualizations manual.
In Splunk Enterprise 6.1, clusters have built-in site-awareness, meaning that you can explicitly configure a cluster on a site-by-site basis. This simplifies and extends the ability to implement a cluster that spans multiple physical sites, such as data centers, thus enhancing the disaster recovery capabilities of the cluster.
For more information, see:
- Multisite deployment overview in the Managing Indexers and Clusters manual.
One of the key benefits of multisite clustering is that it gives you the ability to set up a cluster so that search heads limit their searches to data stored on their local sites. This reduces network traffic while still providing access to the entire set of data, since each site contains all the data. This benefit is known as "search affinity."
For more information, see:
- Implement multisite search affinity in the Managing Indexers and Clusters manual.
Data preview with structured inputs
With Splunk Enterprise 6.1, you can view and interact with fields found in a file header or within the body of your structured data source. For more information, see:
- Overview of data preview in the Getting Data In manual.
Splunk Enterprise 6.1 includes support for the universal forwarder on the zLinux operating system. For the complete list of supported operating systems, see System requirements in the Installation Manual.
Low privilege Windows Universal Forwarder
Run the Splunk Universal forwarder on Windows platforms as a domain user without having to grant local administrator privileges. For more information, see:
- Deploy a Windows universal forwarder in the Forwarding Data manual.
Custom email alerts
This release provides you with the ability to customize both the content and format of the emails that Splunk Enterprise alerts deliver. For more information, see:
- Set up alert actions in the Alerting Manual.
- Use tokens in email notifications in the Alerting Manual.
- Alert examples in the Alerting Manual.
Publish Splunk charts in any HTML-based dashboard or external web page with simplified sharing controls. For more information, see
- Embed scheduled reports in the Reporting Manual.
Platform instrumentation framework
The Splunk Enterprise platform instrumentation framework generates data about your Splunk instance and environment and writes that data to log files to aid in troubleshooting problems with your Splunk Enterprise deployment. For more information, see:
- About the platform instrumentation framework in the Troubleshooting Manual.
Web Framework SplunkJS Stack
You can use the Web Framework SplunkJS Stack to integrate Splunk into your own applications, allowing you to develop SplunkJS Stack applications outside of Splunk Web. For more information, see:
- SplunkJS Stack on the Splunk developer web site.
New search commands
This release includes the following updates to existing search commands.
- The iplocation command has one new option,
- The sendemail command has many new options for configuring email notifications. These options include:
message, sendcsv, use_ssl, use_tls, pdfview, papersize, paperorientation, maxinputs,and
maxtime. Some existing options, including
width_sort_columns, have also changed.
- The tstats command has two new options,
chunk_size, and now works with the full set of stats functions.
New REST APIs
This release includes the following updates to the REST API. For more information, see the REST API Reference Manual.
Updated API parameter descriptions
- search/jobs (SPL-82458)