Welcome to Splunk Enterprise 9.3
Splunk Enterprise 9.3 was released on July 24, 2024.
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 9.3
New feature, enhancement, or change | Description |
---|---|
Official support for Ingest Actions file system destinations | Route data to an NFS or local file system. This is great for use cases related to cost-savings, auditing, compliance, and more. See Create an NFS file system destination. |
Indexer cluster rolling upgrade automation | Splunk Enterprise now supports automated rolling upgrades for indexer clusters. This feature builds on existing rolling upgrade functionality to minimize the number of steps an admin must take to upgrade the Splunk Enterprise version on indexer cluster nodes. |
Predefined splunk_system_upgrader role | The splunk_system_upgrader role is available in Splunk Enterprise. Users who hold this role can perform automated rolling upgrades of search head clusters (SHCs) and indexer clusters (IDXCs) to a higher version of Splunk Enterprise. To learn about the key capabilities of this role, see Table of Splunk platform capabilities. |
Indexer cluster data rebalancing using usage statistics | Indexer clusters use data rebalancing to balance the number of buckets among peer nodes, but this capability up until now has not considered the actual search usage of the buckets. As a result, some peer nodes might carry a greater search load than others. To improve system performance, this new feature allows data rebalancing based on search usage. See Rebalance the indexer cluster. |
conf memory reduction | Enhancements to reduce memory usage on Search Heads when a large number of users and applications use them. |
TSIDX compression in SmartStore with Azure Blob storage | Splunk SmartStore with Azure Blob storage now supports efficient TSIDX compression during uploads. This helps to reduce storage usage and improve network performance. SmartStore can compress tsidx files before uploading them to the remote store. When the files are later downloaded to indexers, SmartStore decompresses the files before placing them in the cache. See remote.azure.tsidx_compression in indexes.conf in the Admin Manual. |
Home Page -- Custom bookmarks, search history, knowledge object view updates | Admins and Users can personalize their home page with in-product bookmarks for quick access to guides, manuals, apps, knowledge objects, and so on. Admin users can
Users can
See Navigating Splunk Web in the Search Manual. |
Dashboard Studio - Scheduled PDF and PNG export | Schedule PDF and PNG exports of your dashboards for email delivery. For more details, see Download and schedule email exports of dashboard content for sharing. |
Splunk Enterprise Python 3.9 upgrade | In this release, the default Python interpreter is set to Python version 3.9. The Python.Version setting has been updated so that the parameter is set to the value force_python3, which forces all Python extension points to use Python 3.9, including overriding any application-specified settings. Python 3.9 is the default interpreter. Ensure that all apps and add-ons are on the latest version and compatible with Python 3.9; otherwise there may be breakage. This is designed to be secure-by-default for new customers. If the value is set to |
Federated Search for Splunk: Risky commands blocked for transparent mode federated searches | Several risky commands have been blocked for transparent mode federated searches. In addition, the tstats and makeresults commands have been blocked or restricted in certain situations for transparent mode federated searches. See Run federated searches in Federated Search. |
Federated Search for Splunk: Standard mode search improvements | In standard mode federated searches of remote Splunk deployments, commands such as join, union, and append can now use remote saved searches as subsearches. |
Federated Search for Splunk: Improvements for kvstore replication when using transparent mode federated search Enable kvstore for federated search head without indexer | When you are using transparent mode federated search and your federated search head does not have indexers, Splunk software can now use kvstore replication to transfer data to the remote Splunk deployment for use in federated searches. |
Preview feature: Addition of field filters in Splunk Web to protect sensitive information | You can now use field filters in Splunk Web to obfuscate or redact data such as personally identifiable information (PII) and protected health information (PHI), and control which users can see that sensitive information. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters. |
Role-based field filters do not work upon upgrade to this or later releases | Role-based field filters that were released as a preview feature in previous versions of Splunk Cloud Platform do not work in this or subsequent releases. Role-based field filters have been replaced by field filters. |
The view_field_filter capability is renamed to the list_field_filter capability | The capability for listing field filters is now called list_field_filter. |
Log severity level for searches with wildcards in the middle of a string increased from INFO to WARN | Certain searches that produce inconsistent search results now display the following message as a warning instead of an info message: The term <term> contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation. Learn More. See Wildcards in the Splunk Enterprise Search Manual. |
Upgrade Readiness App v 4.4.0 | Made compatible with Python 3.9. |
Forwarder certificate rotation | This functionality detects upcoming forwarder certificate expiration, issues a new certificate, and rotates the certificate with the new one, without requiring downtime. The feature requires version 9.3 or higher of Universal Forwarder or heavy forwarder, and Splunk Cloud Platform version 9.2.2406 or higher. This forwarder functionality is enabled by Splunk Cloud Platform and is not available with Splunk Enterprise. For more information, see Renew certificates in the Splunk Cloud Universal Forwarder credentials package in the Splunk Universal Forwarder Forwarder Manual. |
Workload management enhancements | Enhanced search_time_range predicate functionality now lets you match workload rules and admission rules to specific search time ranges to improve search efficiency over large amounts of data. |
Support for cgroups v2 (Early Access) | Workload management now supports Linux cgroups version 2 for Early Access customers. In the Early Access release stage, Splunk products may have limitations on customer access, features, maturity and regional availability. For additional information on Early Access please contact your Splunk representative. |
This documentation applies to the following versions of Splunk® Enterprise: 9.3.0