Welcome to Splunk Enterprise 6.4
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview. If you are familiar with Splunk Enterprise and want to explore the new features interactively, download the Splunk Enterprise 6.4 Overview app from Splunkbase.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Splunk Enterprise 6.4 was released on April 5, 2016.
Planning to upgrade from an earlier version?
If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.4, read How to upgrade Splunk Enterprise in the Installation Manual for important information you need to know before you upgrade.
See About upgrading to 6.4: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 6.4
|New Feature or Enhancement||Description|
|New Distributed Management Console Views|| New Distributed Management Console Views for Search Scheduler, HTTP Event Collector, Splunk TCP Performance, Distributed Search Performance, System Wide Search Performance, and System Resources I/O. |
The information shown in the System Activity view in earlier versions of Splunk Enterprise is now included in Distributed Management Console views. The System Activity view is removed from this version of Splunk Enterprise. For more information, see the Distributed Management Console Manual.
|Custom Visualizations|| Install visualization apps from a new visualization library on Splunkbase. Available visualizations include the following.
These visualizations can be used instead of or in addition to the standard Splunk platform visualizations. They work with Search, Dashboards, and Reports. See Custom visualizations for user documentation.
A new extensibility API is also available for partners, customers, and third party developers to create and package custom visualizations.
|Data Sampling Mode for Dashboard Searches||Efficiently evaluate trends and patterns using sample ratio within search.|
|Tsidx Retention Policy||Allows customers to reduce the storage requirements for older data by approximately 50% by removing the tsidx indexing information. The data remains searchable but at a reduced performance level. The retention policy is configurable by data age per index. See Reduce tsidx disk usage in the Managing Indexers and Clusters of Indexers manual.|
|SAML Providers||New support for Okta, Azure AD, and ADFS.|
|Indexer Cluster Enhancements||Option to force roll specific hot buckets. Ability to quarantine a search peer. See Quarantine a search peer in the Distributed Search manual.|
|Search Head Clustering Enhancements||Search peer replication. See Connect the search heads in clusters to search peers in the Distributed Search manual.|
|Universal Forwarder on Docker||Universal Forwarder is available on Docker Hub.|
|Universal Forwarder support for Linux on Power Little Endian (LE)||Universal Forwarder platform support includes Linux on Power on the Little Endian architecture.|
Splunk Enterprise on-premises customers also get access for the first time to features that were introduced in the cloud-only version 6.3.1511.
|New Feature or Enhancement||Description|
|Summary Replication||Ability to replicate data model acceleration and report acceleration summaries on an indexer cluster. See How indexer clusters handle report and data model acceleration summaries in the Managing Indexers and Clusters of Indexers manual.|
|SAML||Ability to connect with Okta SAML provider. See Configure single sign-on with SAML in the Securing Splunk Enterprise manual.|
|Log Event Alert Action||Ability to create a custom log event that is sent back to the Splunk platform for indexing, searching, and reporting. See Log events in the Alerting Manual.|
|User / Role Replication||Ability to replicate Splunk software users and roles on a search head cluster. See Add users to the search head cluster in the Distributed Search manual.|
|Event Sampling||A probabilistic sampling function for ad-hoc searches and saved reports. Use event sampling to perform quick searches to ensure the correct events are returned and to determine the characteristics of a large data set without processing every event. See Event sampling in the Search Manual.|
|UI Control for Global Default Time Range||Administrators can now define a default time range value for all search pages by using a UI control in Splunk Web. See the Set the default time range section in "Change default values" in the Admin Manual.|
|HTTP Event Collector: Indexer Acknowledgement (Splunk Cloud self-service only)||Allows token administrators to enable indexer acknowledgements. When enabled, clients can poll a new REST endpoint to check whether or not events have been indexed, in a secure and scalable manner. See Set up and use HTTP Event Collector in the Getting Data In manual.|
|HTTP Event Collector: Raw Endpoint||A new token-based endpoint that allows customers to send raw events directly to Splunk software. Removes the need to format customer data into Splunk JSON event format. Also supports batching of events. See the endpoint reference in the REST API Reference for more information.|
|HTTP Event Collector: Dedicated SSL and CORS settings|| HTTP Event Collector now uses dedicated settings for SSL and CORS which are independent of the Splunk REST API configuration. These settings can be found in |
Splunk universal forwarder documentation has moved from the Splunk Enterprise Forwarding Data manual to a new Universal Forwarder Manual in the Splunk universal forwarder documentation set. This change makes installation, upgrade, and usage information about the universal forwarder easier to find and navigate for Splunk Enterprise, Splunk Cloud, and Splunk Light customers.
The Search Tutorial has been updated to be more clear and concise. Additionally, steps that are different between Splunk Cloud and Spunk Enterprise are highlighted.
The spec and example files in the Admin Guide are now formatted with subheadings that enable inline navigation.
REST API updates
This release includes the following new and updated REST API endpoints.
Splunk Enterprise on-premises customers also get access for the first time to the following endpoints that were introduced or updated in the cloud-only version 6.3.1511.
The REST API Reference Manual describes the endpoints.
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0