Splunk® Enterprise

Release Notes

Welcome to Splunk Enterprise 6.3

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 6.3 was first released to customers on September 22, 2015.

Planning to upgrade from an earlier version?

If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.3, read "How to upgrade Splunk Enterprise" in the Installation Manual for important information you need to know before you upgrade.

What's New in 6.3

Platform

  • Search Parallelization. Optimized CPU utilization for faster search execution. See "Manage report acceleration", "Accelerate data models", and "Configure batch mode search" in the Knowledge Manager Manual.
  • Index Parallelization. Optimized CPU utilization for faster data ingestion.
  • Intelligent Job Scheduling. Intelligent job scheduling provides improved system utilization and predictable performance. See "Configure the priority of scheduled reports" in the Reporting Manual.
  • Data Integrity Control. Data integrity control ensures that indexed data has not been modified. See "Manage data integrity" in the Securing Splunk Enterprise manual.
  • Single Sign-On Using SAML. Support for SAML 2.0 for single sign-on using PingFederate as the Identity Provider. See "About single sign-on using SAML" in the Securing Splunk Enterprise manual.
  • Search Head Clustering Improvements. Performance optimization, scalability, and management improvements. Support for Windows OS.
  • Indexer Clustering Improvements. Ability to turn off search affinity. See "Implement search affinity in a multisite indexer cluster" in the Managing Indexers and Clusters of Indexers manual.
  • HTTP Event Collector. Indexing of high-volume JSON-based application and IoT data sent directly via a secure, scalable HTTP endpoint. No forwarder required. See "Use the HTTP Event Collector" in the Getting Data In manual.
  • Custom Alert Actions. Customizable alert actions and packaged integrations with popular third-party applications or messaging systems. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
  • Key Value Store - Distributed Lookups. Allows app developers to perform KV Store lookups on remote indexers to improve efficiency in large-scale distributed environments. See "About the app key value store" in the Admin Manual.
  • Key Value Store - Lookup Filtering. Allows app developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.

Management and Administration

  • HTTP Event Collector Configuration. Create and manage configurations for the HTTP Event Collector. See "Use the HTTP Event Collector" in the Getting Data In manual.
  • Source Type Manager. Create and manage source type configurations independent of getting data in, and search within the source type picker. See "Manage source types" in the Getting Data In manual.
  • PowerShell Input. Native support for ingesting data retrieved by PowerShell scripts. See the Splunk Add-on for Microsoft PowerShell manual.
  • App Browsing Interface. Automates and simplifies app and add-on discovery within Splunk Web.
  • Indexer Auto-Discovery. Forwarders now dynamically retrieve indexer lists from the cluster master to enable elastic deployments. See "Use indexer discovery to connect forwarders to peer nodes" in the Managing Indexers and Clusters of Indexers manual.
  • Distributed Management Console. New topology views, status, and alerting for Splunk platform deployments including: indexers, search heads, forwarders, and storage utilization. See "About the distributed management console" in the Distributed Management Console Manual.
  • Field Extractor Enhancements. Simplified field extraction via delimiter and header selection. Displays field extractions within the event preview. See "Build field extractions with the field extractor" in the Knowledge Manager Manual.
  • Search Process Memory Usage Threshold. New configuration parameters to specify the maximum physical memory usage that a single search process can consume. See the search_process_memory_usage_threshold and search_process_memory_usage_percentage_threshold stanzas in "limits.conf" in the Admin Manual.

Usability

  • Single Value Display. Support for at-a-glance, single-value indicators with historical context and change indicators. See the "Single value visualizations" section of "Visualization Reference" in the Dashboards and Visualizations manual.
  • Geospatial Visualization. Support for choropleth maps to visualize how a metric varies across a customizable geographic area. See "Mapping data" in the Dashboards and Visualizations manual.
  • Dashboard Enhancements. More powerful dashboards with extended search and token management. See "Token usage in dashboards" in the Dashboards and Visualizations manual.
  • Search History. View and interact with ad-hoc search command history. See "View and interact with your Search History" in the Search Manual.
  • Anomaly Detection. New SPL command that offers a histogram-based approach for detecting anomalies. Also includes the capabilities of the existing anomalousvalue and outlier SPL commands. See "anomalydetection" in the Search Reference manual.
  • Search Helper Improvements. Re-architected to improve responsiveness.

Developer

  • Java Logger Support for HTTP Event Collector. Adds support for log4j, logback and java.util.logging to allow logging from Java apps over HTTP.
  • .NET Logger Support for HTTP Event Logger. Adds support for the .NET Trace Listener API and SLAB (Semantic Logging Application Block) to allow logging from apps over HTTP.
  • Custom Alert Actions. Allows developers to build, package, and integrate custom alert actions as native to Splunk software. See "Custom alert actions overview" in the Developing Views and Apps for Splunk Web manual.
  • Key Value Store - Distributed Lookups. Allows app developers to perform KV Store lookups on remote indexers to improve efficiency in large-scale distributed environments. See "About the app key value store" in the Admin Manual.
  • Key Value Store - Lookup Filtering. Allows app developers to filter lookup data without requiring subsequent searches. See "About the app key value store" in the Admin Manual.

Documentation

The Splunk Enterprise 6.3 release includes one new manual and several enhancements to key areas of existing content.

  • The Distributed Management Console Manual provides dedicated information on the distributed management console that was introduced in Splunk Enterprise 6.2.
  • The Distributed Deployment Manual has been substantially expanded to provide enhanced guidance on implementing, maintaining, and expanding a distributed deployment. In particular, it now features a set of end-to-end implementation frameworks for common deployment scenarios.
  • The Getting Data In manual has been reorganized to provide faster access to the information you need to get your data into Splunk Enterprise. The manual includes information on updated features, and content within the book has been reorganized to make procedures easier to understand and follow.
  • The Forwarding Data manual has been updated to make the installation instructions for the universal forwarder more accessible, and to better group and clarify universal forwarder concepts and activities in deployments of the Splunk platform.

New REST APIs

This release includes the following updates to the REST API.

  • data/inputs/http
  • data/inputs/http/{name}
  • data/inputs/http/{name}/disable
  • data/inputs/http/{name}/enable
  • licenser/usage
  • services/admin/SAML-groups
  • services/admin/SAML-idp-metadata
  • services/admin/SAML-sp-metadata
  • services/collector/event
  • services/collector/mint
  • services/data/ui/alerts
  • servicesNS/{user}/{app}/data/ui/alerts
  • services/server/introspection/search/dispatch/Bundle_Directory_Reaper
  • services/server/introspection/search/dispatch/Dispatch_Directory_Reaper
  • services/server/introspection/search/dispatch/Search_StartUp_Time
  • services/server/introspection/search/distributed
  • services/server/introspection/search/saved
  • services/search/scheduler
  • services/search/scheduler/status

The REST API Reference Manual describes the endpoints.

This documentation applies to the following versions of Splunk: 6.3.0, 6.3.1, 6.3.2, 6.3.3.

