Splunk® Enterprise

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Welcome to Splunk Enterprise 9.3

Splunk Enterprise 9.3 was released on July 24, 2024.

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 9.3

New feature, enhancement, or change Description
Official support for Ingest Actions file system destinations Route data to an NFS or local file system. This is great for use cases related to cost-savings, auditing, compliance, and more. See Create an NFS file system destination.
Indexer cluster rolling upgrade automation Splunk Enterprise now supports automated rolling upgrades for indexer clusters. This feature builds on existing rolling upgrade functionality to minimize the number of steps an admin must take to upgrade the Splunk Enterprise version on indexer cluster nodes.


For more information, see Perform an automated rolling upgrade of an indexer cluster in Managing Indexers and Clusters of Indexers.

Predefined splunk_system_upgrader role The splunk_system_upgrader role is available in Splunk Enterprise. Users who hold this role can perform automated rolling upgrades of search head clusters (SHCs) and indexer clusters (IDXCs) to a higher version of Splunk Enterprise. To learn about the key capabilities of this role, see Table of Splunk platform capabilities.
Indexer cluster data rebalancing using usage statistics Indexer clusters use data rebalancing to balance the number of buckets among peer nodes, but this capability up until now has not considered the actual search usage of the buckets. As a result, some peer nodes might carry a greater search load than others. To improve system performance, this new feature allows data rebalancing based on search usage. See Rebalance the indexer cluster.
conf memory reduction Enhancements to reduce memory usage on Search Heads when a large number of users and applications use them.


To turn this on, add the following setting in $SPLUNK_HOME/etc/system/local/server.conf and restart the Search Head.

[general] conf_cache_memory_optimization = true

TSIDX compression in SmartStore with Azure Blob storage Splunk SmartStore with Azure Blob storage now supports efficient TSIDX compression during uploads. This helps to reduce storage usage and improve network performance. SmartStore can compress tsidx files before uploading them to the remote store. When the files are later downloaded to indexers, SmartStore decompresses the files before placing them in the cache. See remote.azure.tsidx_compression in indexes.conf in the Admin Manual.
Home Page -- Custom bookmarks, search history, knowledge object view updates Admins and Users can personalize their home page with in-product bookmarks for quick access to guides, manuals, apps, knowledge objects, and so on.

Admin users can

  • Share bookmarks with all other users in one operation
  • Control domains in which bookmarks can be created.

Users can

  • Seamlessly access their search history from various apps in a single view, eliminating the need for navigating through multiple apps.
  • Filter the Knowledge Object list by App and Owner for quicker access rather than scrolling through a long list.

See Navigating Splunk Web in the Search Manual.

Dashboard Studio - Scheduled PDF and PNG export Schedule PDF and PNG exports of your dashboards for email delivery. For more details, see Download and schedule email exports of dashboard content for sharing.
Splunk Enterprise Python 3.9 upgrade In this release, the default Python interpreter is set to Python version 3.9. The Python.Version settings has been updated so that the parameter is set to value of force_python3, this forces all Python extension points to use Python 3.9 including overriding any application specified settings. Python 3.9 is the default interpreter. Please ensure that all apps and add-ons are on the latest version and compatible with Python 3.9, otherwise there may be breakage.

This is designed to be secure-by-default for new customers. If the value is set to python3.9, the default interpreter is set to Python 3.9 but applications can choose to use a different value. Python 3.7 continues to be available in the build for customers' private apps.

Federated Search for Splunk: Risky commands blocked for transparent mode federated searches Several risky commands have been blocked for transparent mode federated searches. In addition, the tstats and makeresults commands have been blocked or restricted in certain situations for transparent mode federated searches. See Run federated searches in Federated Search.
Federated Search for Splunk: Standard mode search improvements In standard mode federated searches of remote Splunk deployments, commands such as join, union, and append can now use remote saved searches as subsearches.
Federated Search for Splunk: Improvements for kvstore replication when using transparent mode federated search Enable kvstore for federated search head without indexer When you are using transparent mode federated search and your federated search head does not have indexers, Splunk software can now use kvstore replication to transfer data to the remote Splunk deployment for use in federated searches.
Preview feature: Addition of field filters in Splunk Web to protect sensitive information Now you can use field filters in Splunk Web to obfuscate or redact data such as personal identifiable information (PII) and protected health information (PHI), and control which users can see that sensitive information. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters.


READ THIS FIRST: Should you deploy field filters in your organization? Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on any indexes if field filters are in use in the Securing Splunk platform manual.

If you used the preview feature, role-based field filters, in a previous release of Splunk Enterprise, you must create new field filters to protect your sensitive data. Role-based field filters do not work in this or subsequent releases, and are not compatible with field filters.

Role-based field filters do not work upon upgrade to this or later releases Role-based field filters that released as a preview feature in previous versions of Splunk Cloud Platform do not work in this or subsequent releases. Role-based field filters have been replaced by field filters.
The view_field_filter capability is renamed to the list_field_filter capability The capability for listing field filters is now called list_field_filter.
Log severity level for searches with wildcards in the middle of a string increased from INFO to WARN Certain searches that produce inconsistent search results now display the following message as a warning instead of an info message: The term <term> contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation. Learn More.


If you don't want this message logged as a warning, you can revert the log severity level back to info. To change the message to an info message, follow these steps:

  1. Open or create a local messages.conf file at $SPLUNK_HOME/etc/system/local if you are using *nix, or %SPLUNK_HOME%\etc\system\local if you are using Windows.

    For information about how to edit .conf files, see How to edit a configuration file in the Splunk Enterprise Admin Manual.
  2. Edit the severity level for [UNIFIEDSEARCH:SEARCH_CONTAINS_INFIX_WILDCARD__S].

See Wildcards in the Splunk Enterprise Search Manual.

Upgrade Readiness App v 4.4.0 Make compatible with Python 3.9
Forwarder certificate rotation This functionality detects upcoming forwarder certificate expiration, issues a new certificate, and rotates the certificate with the new one, without requiring downtime. The feature requires version 9.3 or higher of Universal Forwarder or heavy forwarder, and Splunk Cloud Platform version 9.2.2406 or higher. This forwarder functionality is enabled by Splunk Cloud Platform and is not available with Splunk Enterprise. For more information, see Renew certificates in the Splunk Cloud Universal Forwarder credentials package in the Splunk Universal Forwarder Forwarder Manual.
Workload management enhancements Enhanced search_time_range predicate functionality now lets you match workload rules and admission rules to specific search time ranges to improve search efficiency over large amounts of data.


For more information, see Configure workload rules in the Workload Management manual. Also see Splunk Ideas.

Support for cgroups v2 (Early Access) Workload management now supports Linux cgroups version 2 for Early Access customers. In the Early Access release stage, Splunk products may have limitations on customer access, features, maturity and regional availability. For additional information on Early Access please contact your Splunk representative.
Last modified on 11 October, 2024
  Known issues

This documentation applies to the following versions of Splunk® Enterprise: 9.3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters