Splunk® Enterprise

Release Notes

Welcome to Splunk Enterprise 6.4

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview. If you are familiar with Splunk Enterprise and want to explore the new features interactively, download the Splunk Enterprise 6.4 Overview app from Splunkbase.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 6.4 was released on April 5, 2016.

Planning to upgrade from an earlier version?

If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.4, read How to upgrade Splunk Enterprise in the Installation Manual for important information you need to know before you upgrade.

See About upgrading to 6.4: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 6.4

| New Feature or Enhancement | Description |
| --- | --- |
| New Distributed Management Console Views | New Distributed Management Console Views for Search Scheduler, HTTP Event Collector, Splunk TCP Performance, Distributed Search Performance, System Wide Search Performance, and System Resources I/O. Most of the information shown in the System Activity view in earlier versions of Splunk Enterprise is now included in Distributed Management Console views. The System Activity view is removed from this version of Splunk Enterprise. For more information, see the Distributed Management Console Manual. |
| Custom Visualizations | Install visualization apps from a new visualization library on Splunkbase. Available visualizations include the following. These visualizations can be used instead of or in addition to the standard Splunk platform visualizations. They work with Search, Dashboards, and Reports. See Custom visualizations for user documentation. A new extensibility API is also available for partners, customers, and third party developers to create and package custom visualizations. |
| Data Sampling Mode for Dashboard Searches | Efficiently evaluate trends and patterns using sample ratio within search. |
| Tsidx Retention Policy | Allows customers to reduce the storage requirements for older data by approximately 50% by removing the tsidx indexing information. The data remains searchable but at a reduced performance level. The retention policy is configurable by data age per index. See Reduce tsidx disk usage in the Managing Indexers and Clusters of Indexers manual. |
| SAML Providers | New support for Okta, Azure AD, and ADFS. |
| Indexer Cluster Enhancements | Option to force roll specific hot buckets. Ability to quarantine a search peer. See Quarantine a search peer in the Distributed Search manual. |
| Search Head Clustering Enhancements | Search peer replication. See Connect the search heads in clusters to search peers in the Distributed Search manual. |
| Universal Forwarder on Docker | Universal Forwarder is available on Docker Hub. |
| Universal Forwarder support for Linux on Power Little Endian (LE) | Universal Forwarder platform support includes Linux on Power on the Little Endian architecture. |

Additional features

Splunk Enterprise on-premises customers also get access for the first time to features that were introduced in the cloud-only version 6.3.1511.

| New Feature or Enhancement | Description |
| --- | --- |
| Summary Replication | Ability to replicate data model acceleration and report acceleration summaries on an indexer cluster. See How indexer clusters handle report and data model acceleration summaries in the Managing Indexers and Clusters of Indexers manual. |
| SAML | Ability to connect with Okta SAML provider. See Configure single sign-on with SAML in the Securing Splunk Enterprise manual. |
| Log Event Alert Action | Ability to create a custom log event that is sent back to the Splunk platform for indexing, searching, and reporting. See Log events in the Alerting Manual. |
| User / Role Replication | Ability to replicate Splunk software users and roles on a search head cluster. See Add users to the search head cluster in the Distributed Search manual. |
| Event Sampling | A probabilistic sampling function for ad-hoc searches and saved reports. Use event sampling to perform quick searches to ensure the correct events are returned and to determine the characteristics of a large data set without processing every event. See Event sampling in the Search Manual. |
| UI Control for Global Default Time Range | Administrators can now define a default time range value for all search pages by using a UI control in Splunk Web. See the Set the default time range section in "Change default values" in the Admin Manual. |
| HTTP Event Collector: Indexer Acknowledgement (Splunk Cloud self-service only) | Allows token administrators to enable indexer acknowledgements. When enabled, clients can poll a new REST endpoint to check whether or not events have been indexed, in a secure and scalable manner. See Set up and use HTTP Event Collector in the Getting Data In manual. |
| HTTP Event Collector: Raw Endpoint | A new token-based endpoint that allows customers to send raw events directly to Splunk software. Removes the need to format customer data into Splunk JSON event format. Also supports batching of events. See the endpoint reference in the REST API Reference for more information. |
| HTTP Event Collector: Dedicated SSL and CORS settings | HTTP Event Collector now uses dedicated settings for SSL and CORS which are independent of the Splunk REST API configuration. These settings can be found in inputs.conf under the http stanza and are required for enabling SSL and CORS in Splunk Enterprise 6.4. See the http stanza in inputs.conf in the Admin Manual for more information. |

Documentation Updates

Splunk universal forwarder documentation has moved from the Splunk Enterprise Forwarding Data manual to a new Universal Forwarder Manual in the Splunk universal forwarder documentation set. This change makes installation, upgrade, and usage information about the universal forwarder easier to find and navigate for Splunk Enterprise, Splunk Cloud, and Splunk Light customers.

The Search Tutorial has been updated to be clearer and more concise. Additionally, steps that differ between Splunk Cloud and Splunk Enterprise are highlighted.

The spec and example files in the Admin Guide are now formatted with subheadings that enable inline navigation.

REST API updates

This release includes the following new and updated REST API endpoints.

  • authentication/providers/SAML
  • authentication/providers/SAML/{stanza_name}
  • cluster/master/control/control/roll-hot-buckets
  • data/inputs/tcp/splunktcptoken
  • saved/searches
  • server/status/resource-usage/iostats


Splunk Enterprise on-premises customers also get access for the first time to the following endpoints that were introduced or updated in the cloud-only version 6.3.1511.

  • authorization/grantable_capabilities
  • cluster/master/buckets
  • cluster/config
  • data/inputs/http/{name}/rotate
  • data/ui/views
  • data/ui/views/{name}
  • services/admin/SAML-user-role-map
  • services/admin/SAML-user-role-map/{name}
  • services/collector
  • services/collector/ack
  • services/collector/event
  • services/collector/mint
  • services/collector/raw
  • services/data/inputs/tcp/splunktcptoken
  • services/data/inputs/tcp/splunktcptoken/{name}
  • services/data/summaries
  • services/data/summaries/{summary_name}
  • services/server/status/resource-usage/iostats
  • services/server/status/resource-usage/splunk-processes


The REST API Reference Manual describes the endpoints.

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1


Comments

For CORS and 6.4 also see this post: http://blogs.splunk.com/2016/04/14/http-event-collector-and-sending-from-the-browser/

Gblock splunk, Splunker
April 22, 2016
