Splunk® Enterprise

Release Notes

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Meet Splunk 4.3

Welcome to Splunk 4.3!

Read on for information and links into the documentation for all the great new features in this version.

For system requirements information, see the Installation Manual.

Splunk 4.3 was released on January 10, 2012.

Planning to upgrade from an earlier version?

If you plan to upgrade from an earlier version of Splunk to version 4.3, be sure to read "About Upgrading to 4.3 - READ THIS FIRST" in the Installation Manual for important things you'll need to know before you upgrade.

User interface improvements

Splunk 4.3 includes substantial improvements to the user interface and workflow. Enhancements include:

  • Charting controls integrated with timeline view
  • Drag-and-drop dashboard editing
  • Simplified workflow for saving searches
  • Unified "Create" button for alerts, reports, and dashboard panels
  • New "digest" field for grouping alert notifications
  • Integrated time range picker and search button
  • More accessible job control and job inspector buttons
  • Improvements to message banners

Non-Flash UI

To improve support of iOS hand-held devices, Splunk Web now provides non-Flash chart and timeline display. This also improves printing quality. For more information about the non-Flash charts, as well as the circumstances that might cause Splunk to render charts in Flash, see:

Dashboard panel editor

Splunk 4.3 exposes charting controls in a consistent UI that is accessible both from the dashboard and from the report builder UI, allowing you to discover and use this important feature more effectively. For information on how to use the dashboard panel editor, refer to:


Sparklines

Sparklines are a technique to increase information density in tables by adding inline charts to specific cells. They are most commonly used to show time-based trends associated with the primary key of a given row.

Per-result alerting

Per-result alerting allows you to define alerts that trigger based on single events rather than a group of events.

Real time backfill

When you run a real-time windowed search, you can specify that Splunk backfill the initial window with historical data. This ensures that real-time dashboards are seeded with data, so that visualizations and statistical metrics over time periods are accurate from the start. For more information, refer to:

Bloom filters

Bloom filters speed up keyword searches by ruling out buckets where a searched-for keyword doesn't exist before incurring the overhead of searching the buckets. For more information, check out:
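The bucket-skipping idea described above, as an added Python example. It is not Splunk's implementation; the filter size, hashing scheme, bucket names and sample events are assumptions constructed for illustration.

```python
import hashlib

class BloomFilter:
    """Fixed-size Bloom filter: may report false positives, never false negatives."""
    def __init__(self, m_bits=8192, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, term):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(term.lower().encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, term):
        for p in self._positions(term):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, term):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(term))

class Bucket:
    """Hypothetical index bucket: raw events plus a filter over their tokens."""
    def __init__(self, name, events):
        self.name, self.events = name, events
        self.bloom = BloomFilter()
        for event in events:
            for token in event.split():
                self.bloom.add(token)

def search(buckets, keyword):
    """Return (matching events, names of buckets that were actually scanned)."""
    hits, scanned = [], []
    for b in buckets:
        if not b.bloom.might_contain(keyword):
            continue  # keyword is definitely absent: skip the expensive scan
        scanned.append(b.name)
        hits += [e for e in b.events if keyword.lower() in e.lower().split()]
    return hits, scanned

# Constructed sample data, not real log output.
BUCKETS = [
    Bucket("bucket_a", ["httpd GET /index.html 200", "httpd GET /login 302"]),
    Bucket("bucket_b", ["sshd Failed password for root from 10.0.0.5",
                        "sshd Accepted publickey for deploy from 10.0.0.9"]),
    Bucket("bucket_c", ["cron job started", "cron job finished"]),
]

if __name__ == "__main__":
    print(search(BUCKETS, "failed"))
```

A false positive only costs an unnecessary bucket scan; the per-event match inside `search` still decides what is returned, so results stay correct.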

Data preview (single file)

See what data sources are about to be indexed, to where, and preview how their event extractions will be handled by Splunk. Data preview makes it easy to test new sourcetypes and troubleshoot how Splunk will handle them. Data preview lets you see what you're getting, before you commit to an indexing strategy. For more information on data preview, check out:

Structured data field extraction (JSON, XML)

Increasingly, machine data is being generated in structured data formats such as XML and JSON. We've extended the Splunk search language to allow users to extract data from these structures in a straightforward way. For more information, check out:

  • The "spath" search command in the Search Reference Manual.

Per-user time zones

Large deployments often include users in different time zones. These users want to see the data in their own time zone. Splunk now supports setting a time zone for each user. For more information, check out:

  • "Add and edit users" in the topic "Set up user authentication with Splunk's built-in system" in the Admin Manual.

Multi-domain LDAP

Multiple domain authorization helps large IT departments overcome the challenges of expanding Splunk across departments where different AAA systems are in use. This also resolves issues where, due to the risk of circular references, Splunk isn't able to follow referrals from one LDAP system to another safely. For more information, check out:


IPv6 support

Splunk supports using IPv6 addresses for all network activity, including data forwarding and splunkweb. Users can use Splunk transparently as they migrate their network to IPv6 and can leverage their existing IT Search deployment and experience for problem solving, alerting and reporting even during changes to the core networking technologies that run their environments. Check out

508 Compliance

We've done some work to make Splunk Web more accessible for the visually impaired. For more details, refer to:

Splunk Developer Portal and REST API Reference

Splunk for Developers is live. Learn how to extend Splunk with the App Framework and how to build your own applications using the Splunk REST API and SDKs. The Splunk REST API Reference is also available as part of the Splunk doc set.

Known issues

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
