Welcome to Splunk Enterprise 6.2
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview. If you are familiar with Splunk Enterprise and want to explore the new features interactively, download the Splunk Enterprise 6.2 Overview app.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Splunk Enterprise 6.2 was first released to customers on October 28, 2014.
Planning to upgrade from an earlier version?
If you plan to upgrade from an earlier version of Splunk Enterprise to version 6.2, read "How to upgrade Splunk Enterprise" in the Installation Manual for important information you need to know before you upgrade.
Search head clustering
Search head clusters are groups of Splunk Enterprise search heads that serve as a central resource for searching. You can run or access the same searches, dashboards, knowledge objects, and so on, from any member of the cluster. This feature is designed to provide horizontal scaling, high availability, and no single point of failure.
For more information, see "About search head clustering" in the Distributed Search manual.
Indexer cluster monitoring
A new dashboard provides detailed information on the status of the entire cluster, as well as information on each of the cluster master's peer nodes.
For more information, see "View the indexer cluster master dashboard" in the Managing Indexers and Clusters of Indexers manual.
Distributed management console
The distributed management console provides insight into your Splunk Enterprise deployment with information on instances, indexing performance, search activity, resource usage, license usage, and more.
For more information, see "Configure the distributed management console" in the Admin Manual.
Getting data in
This release features completely remodeled pages and wizard-like workflows for adding data. The new Data Preview feature makes it easier to create the right sourcetype for your data, and the new Forwarder Inputs feature allows you to push input configurations to Splunk Enterprise deployment clients.
For more information, see "How do you want to add data?" in the Getting Data In manual.
Advanced field extractor
The advanced field extractor allows you to create custom fields in Splunk Enterprise. This feature allows you to select fields in events and automatically generate a regular expression that captures the fields.
For more information, see "Build field extractions with the Field Extractor" in the Knowledge Manager Manual.
App key value store
The app key value store enables developers to build rich applications by providing a way to store and retrieve data for use in the operation of an app, such as state data. The app key value store provides both a REST API for full read/write operations and direct access to data via the Splunk Enterprise search pipeline.
For more information, see "About KV store" in the Admin Manual.
Event pattern detection
Splunk Enterprise 6.2 can analyze your data for patterns of common events. Run a search and click on the Patterns tab to review a list of the top event patterns in the search dataset. You can see the estimated number of events associated with each pattern and run a new search that returns events matching a selected pattern. You can save patterns as event types and alerts.
For more information, see "Identify event patterns with the Patterns tab" in the Search Manual.
In past releases, to create tables and charts based on search results, you needed to run a search that included transforming commands like timechart. With instant pivot, you can now run a non-transforming search and then open the search in Pivot. From there, you can create tables and charts that reflect the data returned by the search. When you are finished, you can save your Pivot creations as reports or dashboard panels.
For more information, see "Open a non-transforming search in Pivot to create tables and charts" in the Search Manual.
Home page redesign
Splunk Enterprise 6.2 introduces a redesigned home page. The new design moves Apps into a scrollable list on the left side of the page and creates space for a user-specific dashboard in the center of the page. A collapsible panel at the top of the page provides helpful links for getting started with Splunk Enterprise.
For more information, see "Meet Splunk Web" in the Admin Manual.
You can now create customized panels to share among various dashboards. This is useful for creating a personalized dashboard for a group of users. It is also useful for making a commonly used search and visualization readily available to other dashboards.
You can share a prebuilt panel from the same app, a different app, or from a different user.
For more information, in the Dashboards and Visualizations manual see:
If your dashboard contains panels that run similar searches, you can save search resources by creating a base search for the dashboard. Panels in the dashboard can use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard.
For more information, see "Post-process searches" in the Dashboards and Visualizations manual.
New search commands
New REST APIs
This release includes the following updates to the REST API.
New API endpoints
Updated API parameter descriptions
The REST API Reference Manual describes the endpoints.
Splunk Enterprise 6.2 introduces a new manual:
- The Capacity Planning Manual provides high-level guidance on how to plan resource capacity for a Splunk Enterprise deployment and helps you decide when to add resources and distribute Splunk Enterprise services to maintain performance.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15