Welcome to Splunk Enterprise 8.1
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Splunk Enterprise 8.1 was first released on October 20, 2020.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 8.1
This information is subject to change prior to general availability of the release.
New Feature or Enhancement | Description |
---|---|
SmartStore native support for GCP | SmartStore support for Splunk Enterprise on Google Cloud Platform. See Configure the GCS remote store for SmartStore. |
Minimize SmartStore cache churn | Reduces SmartStore cache churn to improve search performance. With the SmartStore "lruk" cache eviction policy, datasets related to infrequent all-time searches and wildcard searches are evicted prior to evicting more frequently accessed datasets. See Set the cache eviction policy. |
KV store storage engine migration | Splunk Enterprise 8.1 includes enhancements to KV store, resulting in significant storage reduction and minor improvements to performance. Migrate KV store to the new WiredTiger storage layer to receive these benefits.
|
Authentication tokens | Customers can use authentication tokens as credentials to perform Splunk Enterprise operations using REST endpoints for some identity providers. For more information, see Set up authentication with tokens. |
Add domain list in email alert action | Allowed Email Domains feature enables admins to create list of email domains to which users can send emails. This helps to ensure that reports and alerts are not sent to external parties by users, accidentally or otherwise.
|
SPL History Keyboard Navigation | Navigate your search history from within the search bar, using simple keyboard shortcuts.
|
SAML assertion encryption | SAML assertion encryption now provides admins the option to enable encryption of SAML assertions to provide a higher level of security for authentication services. |
Source-type-scoped indexed fields for structured data | If you index fields from structured data formats with fixed semantic schemas such as JSON, you now can scope them by source type, using wildcard expressions to capture sets of like-named fields. Searches on fields that are indexed with this method complete quicker than searches on fields that are indexed without source-type-scoping. |
Ingest-time lookups | You can now configure ingest-time lookups, which enable you to enrich your data with lookup fields as it is ingested, and before it is indexed. If you have lookups that are performed on almost all of your events, you may want to set them up as ingest-time lookups. |
Search failure consistency | More consistent handling of failure conditions for sub-searches, including the rest , inputlookup , and inputcsv commands. Optional require command introduced to automatically fail sub-searches that return 0 results.
|
Workload Management - admission rules | Admins can now define rules that automatically filter out potentially harmful searches, such as wildcard searches or all-time searches, so that they don't negatively impact the rest of the search workload.
|
Workload Management - user messaging improvements | Workload management now displays a default message to the user when a workload rule aborts a search. If the admin has defined a customized message for a specific workload rule, then workload management displays the customized message to the user when the workload rule aborts a search.
|
Table Views enhancements | Table Views now make it easier to create a new table dataset directly from the search home screen.
|
Global banner notifications | Administrators can now display a persistent banner message to all users.
For more information, see Display global banner. |
Metrics summary indexes | Administrators now have the option of summarizing statistical search data in metrics summary indexes. Metrics summary indexes can provide better search performance and reduced storage space on disk in comparison to their events summary index counterparts. |
Support for sub-second data storage and retrieval on metrics data | Metrics administrators can now enable metrics indexes to perform metrics searches with millisecond timestamp precision.
|
Export Analytics Workspace chart to Splunk Dashboards App (beta) | Analytics Workspace users can now save a chart to a new dashboard in the Splunk Dashboards App (beta) in order to leverage their analytics output in the new dashboard framework.
|
Enhancements to address rolling restarts | Custom configuration files are now reloadable, further decreasing service disruptions caused by rolling restarts when pushing configuration bundle updates to indexer cluster peers.
|
HTTP Out sender for universal forwarder | The universal forwarder now supports the ability to send data over HTTP. This allows customers more flexibility in configuring their data infrastructure and opens up the use of load balancers to greatly simplify configuration of their ingestion tier.
For more information, see Configure the Splunk Universal Forwarder to send data over HTTP. |
HTTP Out server side receiver endpoint for universal forwarder HTTP traffic | A new HTTP Event Collector endpoint specifically for handling HTTP data from the universal forwarder.
For more information see the API Reference Manual. |
Universal forwarder handles journald data sources | No more messy workaround for reading events from systemd journals. This new input for the universal forwarder provides native support for journald, reading entries directly from the journald database.
For more information, see Get data with the Journald input. |
Improved internal logging performance for high-volume, low-criticality components | Performance improvement optimizes the physical log writes which can sometimes become a bottleneck on high throughput deployments. |
Remove, suppress any field from Windows Eventlog via universal forwarder | Reduce noisy and unnecessary data from Windows Logs by filtering on any fields available at the source. |
ARMv8 and Gravitron Support for universal forwarder | The Splunk universal forwarder is now supported on ARMv8 and ARMv8 Graviton servers. |
Enhanced TSIDX compression | Enhanced TSIDX compression for improved performance and up to 40% reduced storage. |
Duty cycle based IO thread selection for HTTP server | Improve Splunk platform scalability. Network communication in the Splunk platform is routed mainly through a number of specialized threads, in more extreme scenarios those threads can become chokepoints. We now automate the choice of the number of these threads and improve load-balancing to reduce latency and increase throughput. |
Health Report UI changes And SHC health report | Admins can see real time cluster-wide health on Monitoring Console and Health Report UI with a single click without the need to run searches. |
Conditional license enforcement | For license stack volumes of less than 100GB, search is disabled when license limits are violated after 45 warnings within a 60-day rolling window. For more information on the violation conditions, see What happens during a license violation?. |
Python 3 is the default | Python 3 is the default for all python calls; including CLI commands, custom search commands, and scripts in Splunk Enterprise and its apps. A customer upgrading from 8.0.x that manually configured an app to use Python2 should not see an immediate break in functionality for that app, as Python 2 has not been removed from Splunk Enterprise 8.1. For the latest issues related to python support in Splunk Enterprise, see Known Issues. |
Splunk Secure Gateway | Splunk Secure Gateway is a part of Splunk Enterprise version 8.1.0 and higher. Register devices and configure your mobile app deployment. Splunk Secure Gateway offers the same registration and configuration functionalities as Splunk Cloud Gateway.
|
What's New in 8.1.0.1
Splunk Enterprise 8.1.0.1 was released on November 20, 2020. It resolves the issue described in Fixed issues.
REST API updates
This release includes these new and updated REST API endpoints.
New endpoints:
- data/ui/global-banner
- shcluster/captain/kvmigrate/start
- shcluster/captain/kvmigrate/status
- shcluster/captain/kvmigrate/stop
- workloads/policy/search_admission_control
Updated endpoints:
The REST API Reference Manual describes the endpoints.
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0
Feedback submitted, thanks!