Welcome to Splunk Enterprise 6.6
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview. If you are familiar with Splunk Enterprise and want to explore the new features interactively, download the Splunk Enterprise 6.6 Overview app from Splunkbase.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Splunk Enterprise 6.6 was released in May 2017.
Planning to upgrade from an earlier version?
If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.6, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading to 6.6: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 6.6
|New Feature or Enhancement||Description|
|Dashboard drilldown editor||Use an editor to configure drilldown interactivity. Configure settings to share additional data insights when a user clicks on a visualization. Link to a search, a related dashboard, or to an external URL. You can also use the editor to manage token values that trigger interactive behavior in the same dashboard. See Use drilldown for dashboard interactivity in Dashboards and Visualizations.|
|Dashboard search controls||While viewing a dashboard, users can "finalize" any in-progress searches that are not necessary for their information gathering needs.|
|Enhanced search editing||Option to dynamically "reformat" query with breaks and indents while writing SPL. Option to see line numbers in search bar. Option to expand macros and saved searches. Option to change the themes for the search editor. See Help reading searches in the Search Manual.|
|Search optimizer improvements||Automatically apply Predicate Splitting technique to eligible SPL searches to optimize execution speed. Automatically apply Projection Elimination to remove calculations and evals that are not needed in final results. Typer and Tagger optimization. See Built-in optimization in the Search Manual.|
||New SPL command that allows two discrete datasets to be merged together. Automatically use new |
||New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.|
|Table Dataset direct table manipulation||Ability to replace values, rename fields, and change field type inline.|
|Table Dataset exploration||Explorer page for streamlined report creation and data visualization from Table Dataset. See Explore a dataset in the Knowledge Manager Manual.|
|"Write to CSV" action for scheduled reports||New scheduled report action. It uses the outputlookup command to output the results of a report run to a specified CSV lookup file each time the report runs. The results can replace the existing file contents, or they can be appended to the existing file contents. See Schedule reports in the Reporting Manual.|
|Trellis layout||Split search results by fields or aggregations and visualize each field value separately. Each visualization segment can use the same scale and axes to make value differences and trends more visible. See Use trellis layout to split visualizations in Dashboards and Visualizations.|
|Choropleth map improvements|
|Search Head Clustering enhancements||Resilient configuration replication, intelligent captain selection, and simplified SHC quota management. See Prevent out-of-sync members from becoming captain and How the cluster handles concurrent search quotas in Distributed Search.|
|Search Head Cluster bundle push optimizations||Bundle Push and Replication optimizations.|
|Search Head Clustering user interface||Provide a UI to perform search head clustering rolling restart and transfer captaincy. See Use the search head clustering dashboard in Distributed Search.|
|Indexer clustering enhancements||Performance and stability enhancements: Indexer node offline without search disruption, stop incoming data traffic to an indexer with manual detention, and faster indexer recovery. See Put a peer into detention in Managing Indexers and Clusters of Indexers.|
|Indexer clustering management||Rollback to previous cluster configuration bundle state to enable quick recovery from operational errors. Maintenance mode persists across master restarts. No cluster restart required when new app(s) are deployed. Phased bundle download. See Update common peer configurations and apps in Managing Indexers and Clusters of Indexers.|
|Forwarder site high availability in multisite indexer cluster||Ability to route data from forwarders to indexers in a secondary site when the primary site is down. See Configure the forwarder site failover capability in Managing Indexers and Clusters of Indexers.|
|Volume-based data forwarding||Ability to forward data to indexers based on volume. See Choose a load balancing method in Forwarding Data.|
|Packaging toolkit||Toolkit and developer guidance to help assure clean and reliable app deployment.|
Splunk Enterprise on-premises customers get access for the first time to features that were introduced in the cloud-only version 6.5.1612.
|New Feature or Enhancement||Description|
|Dashboard search edit experience enhancements||Improved SPL readability and editing capabilities in dashboard search editors (for example, search assistance, syntax highlighting, and auto-formatting). These updates make the search editing experience consistent with that in the search bar. See Edit a panel search in Dashboards and Visualizations.|
|Enhanced search editing||Option to dynamically reformat query with breaks and indents while writing SPL. Option to see line numbers in search bar. See Auto-format search syntax in the Search Manual.|
|Change in default time range for Search||The default time range for Search is now "Last 24 hours". The previous default was "All time".|
|Table Datasets columns drag and drop||Ability to select and move multiple contiguous columns in a Table Dataset using drag and drop.|
|Reassign knowledge objects||Change ownership of knowledge objects such as saved searches in bulk. See Manage orphaned knowledge objects in the Knowledge Manager Manual.|
|Data quality dashboard||The data quality dashboard identifies events that have line breaking, event breaking, and time stamping issues. See Resolve data quality issues in the Getting Data In manual.|
The Inherit a Splunk Enterprise Deployment manual is added to the documentation set. Read this manual if you are the new admin owner of an established Splunk software deployment.
The statistical and evaluation functions in the Search Reference are reorganized so that additional and more detailed examples can be provided.
The limits.conf.spec and limits.conf files are reorganized to make settings easier to locate. The most significant change is the addition of subsections in the [search] stanza to categorize the settings in that stanza.
New drilldown topics in Dashboards and Visualizations introduce key concepts, present detailed configuration guidance, and include more use case examples. These topics support users who are new to drilldown concepts as well as users seeking advanced configuration information. They include instructions for using the drilldown editor and for working with Simple XML to create drilldown interactivity.
The Simple XML Reference in Dashboards and Visualizations is revised to present information more efficiently and improve navigation. Element hierarchy, option, and attribute information are clarified. Examples and screenshots are revised. Predefined token reference information is updated.
The examples in the REST API Reference Manual are no longer separate topics. The information about each endpoint is followed by an expandable section that includes corresponding request and response examples.
New lookup topics in the Knowledge Manager Manual provide detailed setup instructions and examples for creating lookups in Splunk Web. These topics support users who want to define lookups in Splunk Web without directly editing configuration files.
REST API updates
This release includes the following new and updated REST API endpoints.
The REST API Reference Manual describes the endpoints.
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7