Splunk® Enterprise

Release Notes

Welcome to Splunk Enterprise 6.5

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview. If you are familiar with Splunk Enterprise and want to explore the new features interactively, download the Splunk Enterprise 6.5 Overview app from Splunkbase.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 6.5 was released in September 2016.

Planning to upgrade from an earlier version?

If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.5, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading to 6.5: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 6.5

| New Feature or Enhancement | Description |
| --- | --- |
| Datasets | This release introduces datasets, collections of data that you can define and maintain for a specific business purpose. With the Datasets listing page you can view and manage CSV lookup datasets and data model datasets (formerly referred to as data model objects). The Datasets listing page replaces the Pivot listing page. See Dataset types and usage in the Knowledge Manager Manual. |
| Splunk Datasets Add-on | Install this add-on to design and curate table datasets, a new dataset type. Use the Table Editor to build sophisticated new table datasets without writing SPL queries. Investigate detailed analytical information about the fields in your table dataset with the Summarize Fields view. Open table datasets in Pivot to use them as the basis for visualization-rich reports. Share table datasets with other users and let them contribute to future iterations. Splunk Cloud users will have this add-on installed by default. See About the Splunk Datasets Add-on in Install and Use the Splunk Datasets Add-on. |
| Enhanced search assistance | Improved SPL readability, debugging, and assistance capabilities in the search editor, making it easier to write better searches. See Help reading searches and Help building searches in the Search Manual. |
| Conditional table formatting | Apply conditional color formatting to table columns. Highlight field values, add context, or show value distributions. To learn more, see Format table visualizations in Dashboards and Visualizations. |
| Number formatting | Add units and number formatting at the field level to improve readability of table cells. Formatted numbers can still be sorted by value. To learn more, see Format table visualizations in Dashboards and Visualizations. |
| Table reporting | Add summary statistics rows to show field totals or percentages. To learn more, see Format table visualizations in Dashboards and Visualizations. |
| Dashboard preview | You can now preview changes to dashboards and cancel to discard changes. An improved Simple XML source code editor helps you catch syntax errors before saving. For more information, see Edit dashboards in Dashboards and Visualizations. |
| Dashboard display improvements | Dashboards can now refresh with minimal flicker, resulting in an uninterrupted consumption experience. Users can now improve data density on the page by hiding or showing form inputs. For more information, see Edit dashboards and the Simple XML reference in Dashboards and Visualizations. |
| Datamodel drilldown | Optimize datamodel drilldown by filtering the datamodel data to remove unneeded evals and lookups. |
| Indexer cluster data rebalancing | Rebalance indexer data across all available indexers to achieve even data distribution and optimal utilization of available physical resources. See Rebalance the indexer cluster in Managing Indexers and Clusters of Indexers. |
| Indexer clustering improvements | Persistent manual detention, improved recoverability with UI-driven actions to resync bucket state, rollover hot buckets, and delete corrupted buckets, fewer restarts on cluster bundle push, improved site decommissioning, and an option to validate the cluster bundle. |
| Search head clustering (SHC) improvements | SHC health check in Monitoring Console dashboard, option to abstain a node from captain selection, improved recoverability from corrupted Raft state, and ability to quarantine a bad search peer. See Use the monitoring console to view search head cluster status and troubleshoot issues, Specify captaincy preference, Handle Raft issues, and Quarantine a search peer in Distributed Search. |
| Licensing and tools | Support for new licensing policies like unlimited usage, lighter license enforcement, dev/test licenses, and feature usage telemetry. See Types of Splunk software licenses and Share performance data in the Admin Manual. |
| Splunkbase | User experience enhancements to Splunkbase and in-app browser. |
| Dynamic content in custom alert actions | Custom alert actions can now include dynamic content. For more information, see Dynamic input controls for custom alert actions in Developing Views and Apps for Splunk Web. |
| Monitoring console improvements | Configurable health check assesses several aspects of a Splunk Enterprise deployment. See Access and customize health check in the Monitoring Splunk Enterprise manual. |
| Machine Learning Toolkit | Extends Splunk platform functions and provides a guided modeling environment for Data Analysts and Data Scientists. See About the Machine Learning Toolkit in the Machine Learning Toolkit User Guide. |
| Hadoop data roll | Migrate historical data to Hadoop without loss of functionality. |
| Splunk Analytics for Hadoop | The former Hunk standalone product is now a premium offering within Splunk Enterprise. |
| Customize the login page | Customize the login page using your own background image, custom logo, or custom favicon. To learn more, see Customize the login page in Developing Views and Apps for Splunk Web. |
| Two-factor authentication | Added support for Duo Security two-factor authentication. |
| SAML authentication | Added support for CA SiteMinder, OneLogin, and Optimal. |
| Diag upload | You can upload a diag or other file directly to your open case using the diag command. See Generate a diag in the Troubleshooting Manual. |

REST API updates

This release includes the following new and updated REST API endpoints.

  • admin/Duo-MFA
  • admin/Duo-MFA/{name}
  • admin/ProxySSO-auth
  • admin/ProxySSO-auth/{proxy_name}
  • admin/ProxySSO-auth/{proxy_name}/disable
  • admin/ProxySSO-auth/{proxy_name}/enable
  • admin/ProxySSO-groups
  • admin/ProxySSO-groups/{group_name}
  • admin/ProxySSO-user-role-map
  • admin/ProxySSO-user-role-map/{user_name}
  • datamodel/model
  • datamodel/model/{name}
  • kvstore/status
  • messages
  • messages/{message_name}
  • replication/configuration/health
  • saved/searches
  • saved/searches/{name}
  • saved/searches/{name}/dispatch
  • search/jobs
  • server/info
  • server/status/installed-file-integrity
  • server/status/resource-usage/hostwide
  • server/sysinfo
  • services/collector
  • services/collector/raw
  • storage/passwords
  • storage/passwords/{name}

The REST API Reference Manual describes the endpoints.

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0
