Welcome to Splunk Enterprise 8.2
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Splunk Enterprise 8.2 was first released on May 12, 2021.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 8.2
New Feature or Enhancement | Description |
---|---|
Federated Search | Enables search across multiple Splunk Enterprise and Splunk Cloud Platform deployments. For more information, see About federated search. |
Dashboard Studio | Dashboard Studio is a dashboard-building experience that offers advanced visualization tools and fully customizable layouts to easily create visually-compelling, interactive dashboards with an intuitive UI. Create new dashboards from the Dashboards listing page or save visualizations from Search. For more information, see the Splunk Dashboard Studio manual. |
Health report UI changes and SHC health status | The Splunk health report now captures feature health status across nodes in distributed environments, including search head cluster members. For more information, see Splunk Health Report in the Monitoring Splunk Enterprise manual. |
Monitor ingestion latency in health report | The ingestion latency feature in the health report lets admins monitor whether forwarders in their Splunk deployment have fallen behind due to ingestion latency. The health status of ingestion latency is displayed in the Splunk health report. For more information, see Supported features in the Monitoring Splunk Enterprise manual. |
Identify excessive I/O wait times in health report | The IOWait feature in the health report lets admins identify instances waiting for disk I/O tasks to complete. The health status of IOWait is displayed in the Splunk health report and written in health.log. For more information, see Supported features in the Monitoring Splunk Enterprise manual. |
Workload Management: Enable single workload and admission rules | Workload management now lets you enable or disable individual workload rules and admission rules. This gives you the flexibility to create and save multiple different rules for specific scenarios and apply them to searches as needed. For more information, see Enable individual workload rules in the Workload Management manual. |
Workload Management: Default OOM message | Workload management now displays a default message to the user when it terminates a search due to an out of memory (OOM) condition. |
Back up and restore KV store | Admins can use an improved process to back up and restore KV store with point-in-time consistency and with more efficiency. See Back up and restore KV store in the Admin Manual. |
Durable search | This feature ensures "at-least-once" delivery of events for scheduled reports, which ensures that scheduled reports with incomplete results are rerun. Typical use cases for durable search are scheduled reports that build and maintain summary indexes. For more information, see Make scheduled reports durable to prevent event loss in the Reporting Manual. |
Improved handling of JSON data in Splunkd | This release introduces four new eval functions for JSON-structured data. This release additionally introduces a new search command, |
Use HTTP compression by default | The SSL compression is replaced with HTTP compression by default to improve scalability and reduce the security vulnerability surface. See The use of SSL compression is replaced with HTTP compression except when forwarding in the Installation Manual. |
Add notes to your Enterprise License files | A Splunk admin can add a note or other customized text to Splunk Enterprise licenses using the License Manager page. |
Scheduler observability and performance improvements | Scheduling of searches is up to 10X faster, which can improve scheduled search performance in cases where a large number of searches are scheduled every minute and saved searches configuration files are updated frequently. |
RapidDiag and Health Report / Monitoring Console Integration | When a Health Report feature becomes unhealthy, users are shown a suggested link in the Health Report modal to generate a diag using RapidDiag to further troubleshoot the issue. For more information, see View the splunkd health report in the Monitoring Splunk Enterprise manual and Using RapidDiag in the Troubleshooting Manual. |
Faster searchable rolling restart | Improvements speed up searchable rolling restart by allowing a full site to shut down at a time. See How the manager determines the number of multisite peers to restart in each round in the Managing Indexers and Clusters of Indexers manual. |
Restrict search by data age | Splunk software now provides a way to restrict end user search results by age of the event. A new option to restrict search results based on the age of the event is available in user role settings. See Create and manage roles with Splunk Web in Securing the Splunk Platform. |
Accounting of configuration changes | Enables admins to track changes to configuration files regardless of the change origin, logging changes as they are detected at the filesystem level, to improve root cause analysis and troubleshooting. See configuration_change.log in What Splunk software logs about itself in the Troubleshooting Manual. |
Bucket Merge functionality for standalone instances | Indexer performance and stability increasingly suffer as the number of buckets increases. Additionally, several activities, such as service restarts, can have the side effect of multiplying small buckets. The new merge-buckets command provides a self-service capability for administrators to manage the merging of buckets. See merge-buckets in Command line tools for use with Support in the Troubleshooting Manual. |
Integrate RapidDiag to support portal | Enables RapidDiag app users to upload diag files directly from host server to Splunk's customer support portal on an existing case using the CLI. |
Python Upgrade Readiness | The new Splunk Python Upgrade Readiness App scans your apps to determine Python 3 compatibility and lists remediation actions you must take to ensure your apps remain compatible with future versions of Splunk Enterprise that will not support older Python libraries. For more information, see About the Splunk Python Upgrade Readiness App in the Splunk Python Upgrade Readiness manual. |
What's New in 8.2.1
Splunk Enterprise 8.2.1 was released on June 21, 2021. It resolves the issues described in Fixed issues.
What's New in 8.2.2
Splunk Enterprise 8.2.2 was released on August 18, 2021. It introduces the following enhancement and resolves the issues described in Fixed issues.
Enhancement | Description |
---|---|
SmartStore enhancement | IMDSv2 support for SmartStore. |
What's New in 8.2.2.1
Splunk Enterprise 8.2.2.1 was released on September 20, 2021. It resolves the issue described in Splunk Enterprise 8.2.2.1 Fixed issues.
What's New in 8.2.3
Splunk Enterprise 8.2.3 was released on October 25, 2021. It resolves the issues described in Fixed issues.
What's New in 8.2.3.2
Splunk Enterprise 8.2.3.2 was released on December 13, 2021. This release includes version 2.15.0 of Apache Log4j to address the issues described in Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046).
What's New in 8.2.3.3
Splunk Enterprise 8.2.3.3 was released on December 17, 2021. This release includes version 2.16.0 of Apache Log4j to address the issues described in Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046).
What's New in 8.2.4
Splunk Enterprise 8.2.4 was released on December 21, 2021. This release includes version 2.16.0 of Apache Log4j to address the issues described in Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046).
This version also resolves the issues described in Fixed issues.
What's New in 8.2.5
Splunk Enterprise 8.2.5 was released on February 16, 2022. This release includes version 2.17.1 of Apache Log4j. It also resolves the issues described in Fixed issues.
This release adds support for Universal Forwarder 8.2.5 and higher on Windows Server 2022 and Windows 11.
What's New in 8.2.6
Splunk Enterprise 8.2.6 was released on April 5, 2022. It resolves the issues described in Fixed issues.
What's New in 8.2.6.1
Splunk Enterprise 8.2.6.1 was released on June 30, 2022. This release addresses the issue described in Splunk Security Advisory SVD-2022-0608.
What's new in 8.2.7
Splunk Enterprise 8.2.7 was released on June 30, 2022. This release includes the fix in version 8.2.6.1 and resolves the issues described in Fixed issues.
What's new in 8.2.7.1
Splunk Enterprise 8.2.7.1 was released on August 16, 2022. It delivers relevant fixes described in the August 16, 2022 quarterly security update on the Splunk Product Security page.
What's New in 8.2.8
Splunk Enterprise 8.2.8 was released on September 7, 2022. It resolves the issues described in Fixed issues.
What's new in 8.2.9
Splunk Enterprise 8.2.9 was released on November 1, 2022. It delivers relevant fixes described in the November 1, 2022 quarterly security update on the Splunk Product Security page. It also resolves the issues described in Fixed issues.
New Feature or Enhancement | Description |
---|---|
The rex function | The rex function in default mode now treats the caret ( ^ ) properly. For example, the following search extracts 192. . Previously, the following search with the regular expression Now that the behavior of the caret ( ^ ) has been fixed, the same search returns one row of results. In order to generate three rows of results like before, the regular expression in the search must be changed to The results of the search look something like this: |
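The release note above describes a search that returned three rows before the caret fix and one row after it. The following Python example is added here to illustrate that difference and is not code from the Splunk documentation: Python's re module stands in for the rex command, the three sample events are constructed, and the reading that the earlier behaviour was effectively an unanchored match is an assumption made for the illustration. It also shows the related re.MULTILINE caveat, where the caret matches after every newline inside a multi-line value.

```python
import re

# Constructed sample events (not taken from the Splunk page). Only the first
# event begins with "192."; the other two merely contain a 192.x address later.
EVENTS = [
    "192.168.10.5 - - GET /index.html",
    "src=10.0.0.7 dst=192.168.10.5 action=allowed",
    "user admin logged in from 192.168.10.9",
]

# Anchored pattern: the caret ties the match to the start of the value.
ANCHORED = re.compile(r"^(?P<ip>192\.\d+\.\d+\.\d+)")
# Same pattern with the caret dropped (assumed stand-in for the old behaviour):
# matches the address anywhere in the value.
UNANCHORED = re.compile(r"(?P<ip>192\.\d+\.\d+\.\d+)")


def extract(events, pattern):
    """Return one extracted ip value per event that matches.

    This mirrors a rex-style field extraction: an event that does not match
    contributes no row, so the length of the result is the row count.
    """
    rows = []
    for event in events:
        match = pattern.search(event)
        if match:
            rows.append(match.group("ip"))
    return rows


def anchored_hits(text, multiline=False):
    """Count matches of an anchored pattern inside a multi-line value.

    Without re.MULTILINE the caret matches only at the very start of the
    string; with it, the caret also matches after every newline, so a rule
    written as "starts with 192." can fire on inner lines of one event.
    """
    flags = re.MULTILINE if multiline else 0
    return len(re.findall(r"^192\.\d+\.\d+\.\d+", text, flags))


# Constructed multi-line event for the flag comparison.
MULTILINE_EVENT = (
    "192.168.10.5 first line\n"
    "192.168.10.6 second line\n"
    "10.0.0.1 third line"
)

if __name__ == "__main__":
    print("anchored rows:  ", extract(EVENTS, ANCHORED))    # one row
    print("unanchored rows:", extract(EVENTS, UNANCHORED))  # three rows
    print("multi-line, default flags:", anchored_hits(MULTILINE_EVENT))
    print("multi-line, re.MULTILINE: ", anchored_hits(MULTILINE_EVENT, multiline=True))
```

The practical point for anyone maintaining detection searches: after upgrading, an extraction that relied on the caret being ignored silently returns fewer rows, so searches using `^` in rex should be re-checked against known-good data rather than assumed unchanged.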
REST API updates
This release includes these new and updated REST API endpoints.
New endpoints:
- data/federated/provider
- data/federated/provider/{federated_provider_name}
- data/federated/index
- data/federated/index/federated:{federated_index_name}
- kvstore/control/maintenance
Updated endpoints:
- saved/searches/{name}
- saved/searches/{name}/history
- kvstore/backup/create
- kvstore/backup/restore
- workload/rules
The REST API Reference Manual describes the endpoints.
Known issues
This documentation applies to the following versions of Splunk® Enterprise: 8.2.9