New features
This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.
The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.
See also the release notes for the Cloud Monitoring Console app and the Admin Configuration Service for their respective new features.
9.0.2303
New Feature or Enhancement | Description |
---|---|
Ingest Actions: Supports partitioning for S3 destinations | Ingest Actions now supports the ability to configure how S3 outputs are partitioned, using a combination of timestamp and sourcetype name. |
Ingest Actions: Supports multiple S3 bucket destinations | Ingest Actions now supports routing to multiple S3 destinations. The creation of a maximum of eight destinations per provider is currently supported. |
Ingest Actions: Output optimizations for federated search on S3 | Ingest Actions now supports more flexibility in configuring outputs, such as selection of batch size and compression type and greater control over index-time field extractions and JSON output. |
Improved guardrails and checks when configuring DDAA settings for indexes | When the Archive Retention Period for an index is specified with an incorrect value, the UI displays a warning and disables the save button. These safeguards are activated if the archive retention period value is less than or equal to the searchable retention period when configuring an index for DDAA. See Configure archiving for an index for more details. |
Home page redesign | The new Splunk Web home page experience gets users to their insights faster. For more details, see Navigating Splunk Web in the Search Manual. |
Theming support for Search & Reporting app | Users can choose between the default system setting, dark mode, and light mode in the Search & Reporting app. |
Accessibility improvements on Triggered Alerts page | Updates to the Triggered Alerts page to improve usability and accessibility using modern technologies and frameworks. |
Ability to make HEC JSON output into S3 readable by Federated Search | Ingest Actions has updated the S3 output JSON schema by delimiting events on newlines. This update prepares for compatibility with Federated Search. At time of writing, Ingest Actions does not support partitioning by sourcetype on Federated Search. |
Forwarder hot-reload for TLS certificates (outputs.conf) | Customers can now refresh TLS certificates that protect forwarders without having to restart the forwarders. |
Splunk Web hot reload for TLS certificates (web.conf) | Customers can now refresh TLS certificates that protect Splunk Web on Splunk Enterprise instances without having to restart Splunk Web. |
Splunk daemon hot reload for TLS certificates (server.conf, replication port) | Customers can now refresh TLS certificates that protect Splunk-to-Splunk communications on Splunk Enterprise and universal forwarder instances without having to restart those instances. |
SAML IdP certificate visibility and self-service support | Customers now receive notification of expiring SAML IdP certificates and can update the certificates themselves. |
Improve REST API to handle large data sets | Improves the REST API's handling of large data sets by using lighter-weight XML libraries. |
Dashboards - Warn users of external content in Simple XML dashboards Updates | Users will see a warning modal regarding external content in their Simple XML dashboards. To remove the warning, users can work with their administrators to add the external content domains to the Dashboards Trusted Domains List. For more details, see Configure Dashboards Trusted Domains List. |
Dashboards - Update Simple XML v=null dashboards to v=1.1 | Simple XML dashboards in all apps must have a version attribute. Simple XML dashboards without a specified version attribute will be automatically updated to version=1.1. This attribute specification does not apply to default dashboards in an app's /default/data/ui/views directory. |
Dashboard Studio - Export the data results of any visualization to a CSV | Users can export the data results of any visualization, including search results from base and chain searches, to a CSV for a shareable compact file format. For more details, see Export a visualization. |
Dashboard Studio - Updated base and chain behavior | Base searches no longer need to refresh if only an associated chain search SPL changes. This update improves performance and reduces resource consumption. Users can also create up to ten chain searches instead of the original two. For more details, see Chain searches together with a base search and chain searches. |
Dashboard Studio - Events viewer visualization | Users can view event data and interact with field-value pairs with the events viewer visualization. Workflow actions and special parameters are not supported in this release. For more details, see Events viewer. |
Dashboard Studio - Improved readability of dashboard definitions in Views | Instead of a single line of code, the JSON dashboard definition has expanded into multiple lines with indentations. Users can find a dashboard's definition in User interface under the admin Settings on the Views page. |
Dashboard Studio - Inputs available in the canvas | Inputs on canvas allow dashboard builders to place user inputs closer to the charts they impact. Inputs are also resizable. For more details, see Adding and configuring inputs. |
Dashboard Studio - Show or hide panels in Absolute layout | Users can configure dashboards to conditionally show or hide panels in Absolute layout, depending on whether data is available to display. For more details, see Conditionally show or hide panels. |
Dashboard Studio - Choropleth map layers for map visualizations | Users can apply choropleth map layers to map visualizations in addition to the existing bubble and marker layers. For more details, see Maps. |
Dashboard Studio - Configuration UI for axes charts | Axes charts, such as bar, line, and scatter, have new configuration UI for most options previously only available via source code. |
jQuery v3.5 is packaged with Splunk Cloud Platform by default. | Splunk Cloud Platform now uses jQuery 3.5 by default. Splunk Cloud administrators can still choose to enable lower versions of jQuery in the Internal Library Settings. Splunk will remove support for all older versions of jQuery in future releases. |
Improve scalability of distributed search with a large number of distinct searchable indexes. | Improve reliability of distributed search environments with several hundred indexers. |
limits.conf self-service UI enhancements | The Configure limits UI in Splunk Web adds support for directly editing additional limits.conf stanzas without assistance from Splunk Support. |
Federated search: New remote dataset types for standard mode federated search | Splunk platform administrators who manage federated search over standard mode federated providers can map federated indexes to two new remote dataset types. See Create a federated index in the Search Manual. |
Federated search: Ability to deactivate federated providers, federated indexes, and transparent mode | Federated search administrators can now turn off the following things for all users of their Splunk platform deployment: See the following topics: |
Federated search: Search control improvements | The ability to gracefully pause, cancel, and finalize federated searches has been improved. |
Federated search: Improved support for accelerated data models | Federated search users can now run searches over accelerated data models with fewer restrictions in standard and transparent mode. Transparent mode support for search of accelerated data models requires that your local Splunk platform deployment and all remote Splunk platform deployments you have set up as federated providers be upgraded to either Splunk Cloud Platform 9.0.2303 or higher, or Splunk Enterprise 9.1.0 or higher. See Run federated searches in the Search Manual. |
Federated search: Improved access control for remote indexes on transparent mode federated providers | Administrators of transparent mode federated providers can now control which indexes federated search users can access on those providers. This control is managed through the service account role for the federated provider. This feature might cause federated searches over Splunk Cloud Platform deployments that are set up as transparent mode federated providers to fail after those deployments upgrade to 9.0.2303. If you are an administrator of an upgraded transparent mode federated provider, to resolve this situation you must update the provider's service account role so that the role has access to the indexes that must be available for federated searches. See Service accounts and federated search security in the Search Manual. |
Parallel reduce search processing support for the lookup and table commands | Parallel reduce search processing optimizes performance of high-cardinality searches. Now parallel reduce is supported for searches that use the lookup and table commands. As a result, these commands can now leverage the computing power of indexers, in addition to the search head, to complete searches and produce results more quickly. |
Share search results (job & search) | Administrators can now control how searches are shared using the flag enable_share_job_control in the web_features.conf file. They can enable users to share the search itself instead of sharing the search as a job. For more details, see Share jobs and export results in the Search Manual. |
Upgrade Readiness App 4.1.0 | The Upgrade Readiness App version 4.1.0 includes an updated exception list for all Splunk Internal Applications, updated messaging for apps with false positives, and other minor bug fixes. |
Stats V1 deprecation | Addition of a warning message to remind customers that version 1 of the stats command is deprecated and will be disabled in a future release. Version 1 of the stats command has been deprecated and replaced with version 2 of the stats command. |
Health Report enhancements | The splunkd health report now includes the following enhancements: For more information, see Monitor your deployment with the splunkd health report. |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2303