Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Release Notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's New

Splunk Enterprise Security version 5.3.0 includes the following enhancements.

New Feature or Enhancement Description
Improved Splunk Enterprise Security installer to better support Search Head Clustering The ES installer now integrates directly on the deployer in a search head cluster environment and no longer requires a staging server. In addition, the shipped technology add-ons are no longer installed as part of the post-install configuration. See Install Splunk Enterprise Security in a search head cluster environment and Upgrade Splunk Enterprise Security in a search head cluster environment.

Splunk Enterprise 7.3.0 now has four deployer modes to push application configuration changes to search head cluster nodes. In addition, per-app lookup preservation is possible. These enhancements do not impact the Splunk Enterprise Security 5.3 installer in a search head cluster environment, but you need Splunk Enterprise 7.3.0 if you want to take advantage of the core changes. See Propagate SHC configuration changes in the Splunk Enterprise Distributed Search manual.

Improved App Import and Export Support Splunk Enterprise Security no longer selectively imports apps and add-ons based on the name of the app or add-on. Knowledge objects in apps and add-ons that are installed on the same search head as Splunk Enterprise Security and exported to other apps or globally are visible in Splunk Enterprise Security. To verify a global export from the search head, check the local.meta file of the app or add-on for export = system. For further details, see the "Make Splunk knowledge objects globally available" section of App architecture and object ownership in the Splunk Enterprise Admin Manual.
Migration of CSV-based trackers to KV-Store The following CSV-based trackers have now been migrated to the KV Store to improve performance in large deployments:
  • User account tracker
  • Malware tracker
  • IDS attack tracker
  • Listening Port tracker
  • Whois tracker
  • Local Process tracker
  • Access Tracker

See Configure CSV lookups and Configure KV Store lookups in the Splunk Enterprise Knowledge Manager Manual.

Managed Lookups Audit dashboard The Managed Lookups Audit dashboard reports on managed lookups and collections such as services, data, transforms, KV Store lookups, and CSV lookups in Enterprise Security. You can use this to help determine if any managed lookups are growing too large for your particular environment's performance and need to be pruned. See Managed Lookups Audit
Improved the default maximum age for threat intelligence feed The threat intelligence feed now has a 30 day default maximum age for KV Store retention. If you purposely store this data in the KV Store indefinitely, you need to revise your settings. See Configure threat source retention.
Improved the filter for lookup generating search type Content Management includes a new menu option for filtering on the lookup generating search type. The lookup generating search is editable in the search-driven lookup editor. See Create and manage search-driven lookups in Splunk Enterprise Security.
Updated the performance test results The performance test results are updated. See Performance test results.

Deprecated features

The audit dashboard for Content Profile is removed in favor of the Content Management data model row expansion. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.

The deprecated lookup generating search for Traffic Volume Tracker is now removed, resolving an issue with exporting all objects in Content Management.

In a future release, the Extreme Search app (Splunk_SA_ExtremeSearch) will be deprecated from the Splunk Enterprise Security package. As part of this process, there will be replacements for some saved searches and correlation searches that currently ship with Enterprise Security.

The notable_adhoc_invocations macro in the SA-ThreatIntelligence app is deprecated in favor of the incident review saved search to fix ad-hoc alerts on sequenced events. This macro will be removed in a future release.

The automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature is deprecated. See Deploy add-ons to indexers.

Alexa Top 1 Million Sites is deprecated. See Included generic intelligence sources for alternatives.


Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Add-on deprecation

The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security that was previously deprecated is no longer deprecated. The add-ons are still included. The current change is that they are no longer automatically installed as part of the post-install configuration in a search head cluster environment. See Install Splunk Enterprise Security in a search head cluster environment and Upgrade Splunk Enterprise Security in a search head cluster environment.

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 4.13.0.

Last modified on 04 June, 2019
Fixed Issues for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters