Splunk® Enterprise

Release Notes


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Welcome to Splunk Enterprise 6.2

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview. If you are familiar with Splunk Enterprise and want to explore the new features interactively, download the Splunk Enterprise 6.2 Overview app.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 6.2 was first released to customers on October 28, 2014.

Planning to upgrade from an earlier version?

If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.2, read "How to upgrade Splunk Enterprise" in the Installation Manual for important information you need to know before you upgrade.

Search head clustering

Search head clusters are groups of Splunk Enterprise search heads that serve as a central resource for searching. You can run or access the same searches, dashboards, knowledge objects, and so on, from any member of the cluster. This feature is designed to provide horizontal scaling, high availability, and no single point of failure.

For more information, see "About search head clustering" in the Distributed Search manual.

Indexer cluster monitoring

A new dashboard provides detailed information on the status of the entire cluster, as well as information on each of the cluster master's peer nodes.

For more information, see "View the indexer cluster master dashboard" in the Managing Indexers and Clusters of Indexers manual.

Distributed management console

The distributed management console provides insight into your Splunk Enterprise deployment with information on instances, indexing performance, search activity, resource usage, license usage, and more.

For more information, see "Configure the distributed management console" in the Admin Manual.

Getting data in

This release features completely remodeled pages and wizard-like workflows for adding data. The new Data Preview feature makes it easier to create the right sourcetype for your data, and the new Forwarder Inputs feature allows you to push input configurations to Splunk Enterprise deployment clients.

For more information, see "How do you want to add data?" in the Getting Data In manual.

Advanced field extractor

The advanced field extractor allows you to create custom fields in Splunk Enterprise. This feature allows you to select fields in events and automatically generate a regular expression that captures the fields.

For more information, see "Build field extractions with the Field Extractor" in the Knowledge Manager Manual.

App key value store

The app key value store enables developers to build rich applications by providing a way to store and retrieve data for use in the operation of an app, such as state data. The app key value store provides both a REST API for full read/write operations and direct access to data via the Splunk Enterprise search pipeline.

For more information, see "About KV store" in the Admin Manual.

Event pattern detection

Splunk Enterprise 6.2 can analyze your data for patterns of common events. Run a search and click on the Patterns tab to review a list of the top event patterns in the search dataset. You can see the estimated number of events associated with each pattern and run a new search that returns events matching a selected pattern. You can save patterns as event types and alerts.

For more information, see "Identify event patterns with the Patterns tab" in the Search Manual.

Instant pivot

In past releases, to create tables and charts based on search results, you needed to run a search that included transforming commands like stats or timechart. With instant pivot, you can now run a non-transforming search and then open the search in Pivot. From there, you can create tables and charts that reflect the data returned by the search. When you are finished you can save your Pivot creations as reports or dashboard panels.

For more information, see "Open a non-transforming search in Pivot to create tables and charts" in the Search Manual.

Home page redesign

Splunk Enterprise 6.2 introduces a redesigned home page. The new design moves Apps into a scrollable list on the left side of the page and creates space for a user-specific dashboard in the center of the page. A collapsible panel at the top of the page provides helpful links for getting started with Splunk Enterprise.

For more information, see "Meet Splunk Web" in the Admin Manual.

Prebuilt panels

You can now create customized panels to share among various dashboards. This is useful to create a personalized dashboard for a group of users. It is also useful to make a commonly used search and visualization readily available to other dashboards.

You can share a prebuilt panel from the same app, a different app, or from a different user.

For more information, see the Dashboards and Visualizations manual.

Post-process searches

If your dashboard contains panels that run similar searches, you can save search resources by creating a base search for the dashboard. Panels in the dashboard can use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard.

For more information, see "Post-process searches" in the Dashboards and Visualizations manual.

New search commands

This release includes the new search command, findkeywords. You can use this command after the cluster command, or a similar command that groups events.


This release includes the following updates to the REST API.

New API endpoints

  • cluster/master/control/control/remove_peers
  • licenser/localslave
  • server/control/restart_webui
  • server/introspection/indexer
  • server/introspection/kvstore
  • server/introspection/kvstore/collectionstats
  • server/introspection/kvstore/replicasetstats
  • server/introspection/kvstore/serverstatus
  • shcluster/captain/artifacts
  • shcluster/captain/artifacts/{name}
  • shcluster/captain/info
  • shcluster/captain/jobs
  • shcluster/captain/jobs/{name}
  • shcluster/captain/members
  • shcluster/captain/members/{name}
  • shcluster/config
  • shcluster/member/artifacts
  • shcluster/member/artifacts/{name}
  • shcluster/member/consensus
  • shcluster/member/info

Updated API parameter descriptions

  • cluster/master/buckets

The REST API Reference Manual describes the endpoints.

New documentation

Splunk Enterprise 6.2 introduces a new manual:

  • The Capacity Planning Manual provides high-level guidance on how to plan resource capacity for a Splunk Enterprise deployment and helps you decide when to add resources and distribute Splunk Enterprise services to maintain performance.

Last modified on 25 July, 2018

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
