Splunk® Enterprise

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Welcome to Splunk Enterprise 7.3

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview. If you are familiar with Splunk Enterprise and want to explore the new features interactively, download the Splunk Essentials for Cloud and Enterprise app from Splunkbase.

For system requirements information, see the Installation Manual.

Before proceeding, review Known Issues for this release and Fixed issues.

Splunk Enterprise 7.3 was first released on June 4, 2019.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 7.3.0

New Feature or Enhancement Description
SmartStore enhancements Support for Splunk Enterprise Security workloads.


Support for report acceleration and data model acceleration summaries. See About SmartStore in Managing Indexers and Clusters of Indexers.

Data retention based on raw uncompressed data size per index, supplementing existing controls based on time and compressed data size. See Configure data retention for SmartStore indexes in Managing Indexers and Clusters of Indexers.

Improved SmartStore resiliency.

Improved scalability of SmartStore and indexer clustering.

Support for SmartStore on non-clustered standalone indexers. See About SmartStore in Managing Indexers and Clusters of Indexers.

Indexing pipeline improvements Balanced index load distribution: Efficient resource utilization by automatically distributing indexing load within an indexer across multiple pipeline sets, achieving higher indexing throughput, improved resource utilization, and reduced cost. See Manage pipeline sets for index parallelization in Managing Indexers and Clusters of Indexers.
Searchable data rebalance Minimal disruption to searching during indexer cluster data rebalance. See Rebalance the indexer cluster in Managing Indexers and Clusters of Indexers.
Workload management Shared memory resources between search workload pools.


New workload categories provide isolation of resources allocated to search and ingest processes. See How workload management works in the Workload Management manual.

Explicit resource caps on modular inputs and scripted inputs, to limit excessive resource usage.

Enhanced workload rules to control resource usage based on indexes and users, in addition to apps and roles. See Configure workload management in the Workload Management manual.

Improved monitoring of resource consumption on a per pool basis. See Monitor workload management in the Workload Management manual.

Ability to set distinct workload pools for data model acceleration and report acceleration searches. See Assign searches to workload pools in the Workload Management manual.

Splunk Metrics Workspace Splunk Metrics Workspace is now part of Splunk Enterprise inside the Search & Reporting app. See Visualize metrics in the Splunk Metrics Workspace.
Metrics rollups Keep aggregated metrics data over longer periods of time in metrics rollup summaries for storage savings and better search performance. See Roll up metrics data for faster search performance and increased storage capacity in Metrics.
Chart multiple series Co-analyze multiple related metrics easily in the same view and create sophisticated visualizations for monitoring.
Metrics index storage optimization Reduced storage footprint and increased search performance.
Token-based authentication Ability to authenticate in REST API calls using a token instead of username and password for LDAP and local login users. See Set up authentication with tokens in Securing Splunk Enterprise.
Improved roles management New user interface for selecting Searchable Indexes, Default indexes, Capabilities, and Inheritance on the Roles configuration page. See Add and edit roles with Splunk Web in Securing Splunk Enterprise.
Deployer enhancements Flexible deployer options for search head clustering to assist with application and configuration upgrades as well as single search head to SHC migration. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual.
SearchEvaluator performance and memory usage improvements Reduced memory footprint of searches and increased performance.
Search performance enhancements Faster search execution with lower memory usage, especially for complex queries spanning large numbers of indexers.
Enhancement in sub-second event data retention Ability to retain sub-second event data without indexing additional fields. See the ADD_EXTRA_TIME_FIELDS setting in props.conf in the Admin Manual.

What's New in 7.3.1

Splunk Enterprise 7.3.1 introduces enhancements to several features and resolves the issues described in Fixed issues.

Enhancement Description
Enhancement to Metric Store Logs to Metrics functionality Support blacklist and whitelist for Metric dimensions when configuring Logs to Metrics. Support for wildcard ( * ) to specify patterns. Ability to automatically treat numeric fields as measures. See Set up ingest-time log-to-metrics conversion with configuration files in Metrics.
Enhancement to Metric Store rollups functionality Ability to roll up only a subset of metrics, rather than every metric in the source metric index. Ability to specify multiple aggregate function rather than a single aggregate function. See Manage metric rollup policies with configuration files in Metrics.
Python future and 2to3 packages Splunk Enterprise 7.3.1 includes the Python libraries "future" and "2to3", which help to make Python 2 syntax compatible with both Python 2 and Python 3. The Splunk Python SDK is dual-compatible via the "Six" library as of v1.6.5, so "future" and "2to3" are most useful for customers who do not use the SDK or who need further modification. See Python 3 Migration for more information.

What's New in 7.3.2

Splunk Enterprise 7.3.2 was released on October 2, 2019. It introduces the following enhancements.

Enhancement Description
Histogram metric datatype support Splunk Enterprise now supports the histogram metric datatype, which enables you to bucket your metric data into a time series of histograms. You can use the new histperc macro to estimate percentile (a.k.a. quantile) values for specific time periods based on your histogram time series. See Use histogram metrics in the Metrics Manual.
Python future and 2to3 packages Splunk Enterprise 7.3.2 includes the Python libraries "future" and "2to3", which help to make Python 2 syntax compatible with both Python 2 and Python 3. The Splunk Python SDK is dual-compatible via the "Six" library as of v1.6.5, so "future" and "2to3" are most useful for customers who do not use the SDK or who need further modification. See Python 3 Migration for more information.

Documentation updates

Splunk Enterprise 7.3.0 introduces additional guided data onboarding manuals that provide end-to-end guidance for getting specific data sources into specific Splunk platform deployments. You can find all the guided data onboarding manuals by clicking the Add data tab on the Splunk Enterprise documentation page.

REST API updates

This release includes these new and updated REST API endpoints.

New endpoints:

Updated endpoints:

The REST API Reference Manual describes the endpoints.

  NEXT
Known issues

This documentation applies to the following versions of Splunk® Enterprise: 7.3.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters