Welcome to Splunk Enterprise 8.1
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Splunk Enterprise 8.1 was first released on October 20, 2020.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 8.1
This information is subject to change prior to general availability of the release.
New Feature or Enhancement | Description |
---|---|
SmartStore native support for GCP | SmartStore support for Splunk Enterprise on Google Cloud Platform. See Configure the GCS remote store for SmartStore. |
Minimize SmartStore cache churn | Reduces SmartStore cache churn to improve search performance. With the SmartStore "lruk" cache eviction policy, datasets related to infrequent all-time searches and wildcard searches are evicted prior to evicting more frequently accessed datasets. See Set the cache eviction policy. |
KV store storage engine migration | Splunk Enterprise 8.1 includes enhancements to KV store, resulting in significant storage reduction and minor improvements to performance. Migrate KV store to the new WiredTiger storage layer to receive these benefits.
|
Authentication tokens | Customers can use authentication tokens as credentials to perform Splunk Enterprise operations using REST endpoints for some identity providers. For more information, see Set up authentication with tokens. |
Add domain list in email alert action | Allowed Email Domains feature enables admins to create list of email domains to which users can send emails. This helps to ensure that reports and alerts are not sent to external parties by users, accidentally or otherwise.
|
SPL History Keyboard Navigation | Navigate your search history from within the search bar, using simple keyboard shortcuts.
|
SAML assertion encryption | SAML assertion encryption now provides admins the option to enable encryption of SAML assertions to provide a higher level of security for authentication services. |
Source-type-scoped indexed fields for structured data | If you index fields from structured data formats with fixed semantic schemas such as JSON, you now can scope them by source type, using wildcard expressions to capture sets of like-named fields. Searches on fields that are indexed with this method complete quicker than searches on fields that are indexed without source-type-scoping. |
Ingest-time lookups | You can now configure ingest-time lookups, which enable you to enrich your data with lookup fields as it is ingested, and before it is indexed. If you have lookups that are performed on almost all of your events, you may want to set them up as ingest-time lookups. |
Search failure consistency | More consistent handling of failure conditions for sub-searches, including the rest , inputlookup , and inputcsv commands. Optional require command introduced to automatically fail sub-searches that return 0 results.
|
Workload Management - admission rules | Admins can now define rules that automatically filter out potentially harmful searches, such as wildcard searches or all-time searches, so that they don't negatively impact the rest of the search workload.
|
Workload Management - user messaging improvements | Workload management now displays a default message to the user when a workload rule aborts a search. If the admin has defined a customized message for a specific workload rule, then workload management displays the customized message to the user when the workload rule aborts a search.
|
Table Views enhancements | Table Views now make it easier to create a new table dataset directly from the search home screen.
|
Global banner notifications | Administrators can now display a persistent banner message to all users.
For more information, see Display global banner. |
Metrics summary indexes | Administrators now have the option of summarizing statistical search data in metrics summary indexes. Metrics summary indexes can provide better search performance and reduced storage space on disk in comparison to their events summary index counterparts. |
Support for sub-second data storage and retrieval on metrics data | Metrics administrators can now enable metrics indexes to perform metrics searches with millisecond timestamp precision.
|
Export Analytics Workspace chart to Splunk Dashboards App (beta) | Analytics Workspace users can now save a chart to a new dashboard in the Splunk Dashboards App (beta) in order to leverage their analytics output in the new dashboard framework.
|
Enhancements to address rolling restarts | Custom configuration files are now reloadable, further decreasing service disruptions caused by rolling restarts when pushing configuration bundle updates to indexer cluster peers.
|
HTTP Out sender for universal forwarder | The universal forwarder now supports the ability to send data over HTTP. This allows customers more flexibility in configuring their data infrastructure and opens up the use of load balancers to greatly simplify configuration of their ingestion tier.
For more information, see Configure the Splunk Universal Forwarder to send data over HTTP. |
HTTP Out server side receiver endpoint for universal forwarder HTTP traffic | A new HTTP Event Collector endpoint specifically for handling HTTP data from the universal forwarder.
For more information see the API Reference Manual. |
Universal forwarder handles journald data sources | No more messy workaround for reading events from systemd journals. This new input for the universal forwarder provides native support for journald, reading entries directly from the journald database.
For more information, see Get data with the Journald input. |
Improved internal logging performance for high-volume, low-criticality components | Performance improvement optimizes the physical log writes which can sometimes become a bottleneck on high throughput deployments. |
Remove, suppress any field from Windows Eventlog via universal forwarder | Reduce noisy and unnecessary data from Windows Logs by filtering on any fields available at the source. |
ARMv8 and Gravitron Support for universal forwarder | The Splunk universal forwarder is now supported on ARMv8 and ARMv8 Graviton servers. |
Enhanced TSIDX compression | Enhanced TSIDX compression for improved performance and up to 40% reduced storage. See The tsidx writing level in the Managing Indexers and Clusters of Indexers manual. |
Duty cycle based IO thread selection for HTTP server | Improve Splunk platform scalability. Network communication in the Splunk platform is routed mainly through a number of specialized threads, in more extreme scenarios those threads can become chokepoints. We now automate the choice of the number of these threads and improve load-balancing to reduce latency and increase throughput. |
Health Report UI changes And SHC health report | Admins can see real time cluster-wide health on Monitoring Console and Health Report UI with a single click without the need to run searches. |
Conditional license enforcement | For license stack volumes of less than 100GB, search is disabled when license limits are violated after 45 warnings within a 60-day rolling window. For more information on the violation conditions, see What happens during a license violation?. |
Python 3 is the default | Python 3 is the default for all python calls; including CLI commands, custom search commands, and scripts in Splunk Enterprise and its apps. A customer upgrading from 8.0.x that manually configured an app to use Python2 should not see an immediate break in functionality for that app, as Python 2 has not been removed from Splunk Enterprise 8.1. For the latest issues related to python support in Splunk Enterprise, see Known Issues. |
Splunk Secure Gateway | Splunk Secure Gateway is a part of Splunk Enterprise version 8.1.0 and higher. Register devices and configure your mobile app deployment. Splunk Secure Gateway offers the same registration and configuration functionalities as Splunk Cloud Gateway.
|
What's New in 8.1.0.1
Splunk Enterprise 8.1.0.1 was released on November 20, 2020. It resolves the issue described in Fixed issues.
What's New in 8.1.1
Splunk Enterprise 8.1.1 was released on December 8, 2020. It introduces the following enhancements and resolves the issues described in Fixed issues.
Enhancement | Description |
---|---|
HTTP Out and Journald Input updates for the Universal Forwarder | Sending data over HTTP from the Universal Forwarder just got easier. With 8.1.1 the Universal Forwarder will reuse your event breaker configurations so users can leverage the UF with HTTP with only a few config changes to their outputs. Journald is now supported on both Linux x86 64 bit systems as well as ARMv6 and ARMv8. |
General Availability of RapidDiag | This update marks the General Availability of RapidDiag and includes a broad user interface refresh that improves user workflows. A streamlined user interface for Task Wizard and Data Collection Wizards now makes it easier to select target peer nodes, run tasks and download diags. Updates include cleaner, more intuitive layouts and improved description of collector templates and its purpose. Small app performance improvements enable tasks and pages to load more quickly. A dedicated page for RapidDiag Reference Guide is now available to review collector and system requirements and guide for each collector tool. See Using RapidDiag in the Troubleshooting Manual. |
Async fetching of changes made to saved search configuration files | This feature allows faster scheduling of searches if there are many searches scheduled every minute and saved searches configuration files are updated frequently. The feature is turned OFF by default and can be turned on using the async_saved_search_fetch configuration in limits.conf. For more information, see limits.conf.In addition, more granular scheduler performance metrics are captured in metrics.log. |
Linux polkit rules for systemd | Splunk Enterprise adds support for Linux polkit rules that allow non-root users to start/stop/restart Splunk Enterprise under systemd without sudo permissions. For more information, see Install polkit rules to elevate user permissions. |
What's New in 8.1.2
Splunk Enterprise 8.1.2 was released on February 1, 2021. It resolves the issues described in Fixed issues.
What's New in 8.1.3
Splunk Enterprise 8.1.3 was released on March 18, 2021. It resolves the issues described in Fixed issues.
What's New in 8.1.4
Splunk Enterprise 8.1.4 was released on May 11, 2021. It introduces the following enhancement and resolves the issues described in Fixed issues.
Enhancement | Description |
---|---|
Performance enhancement | Improved cluster peer ingestion performance when leaving maintenance mode by reducing contention. . |
What's New in 8.1.5
Splunk Enterprise 8.1.5 was released on July 15, 2021. It introduces the following enhancement and resolves the issues described in Fixed issues.
Enhancement | Description |
---|---|
SmartStore enhancement | IMDSv2 support for SmartStore. |
What's New in 8.1.6
Splunk Enterprise 8.1.6 was released on September 9, 2021. It resolves the issues described in Fixed issues.
What's New in 8.1.7
Splunk Enterprise 8.1.7 was released on November 19, 2021. It resolves the issues described in Fixed issues.
What's New in 8.1.7.1
Splunk Enterprise 8.1.7.1 was released on December 13, 2021. This release includes version 2.15.0 of Apache Log4j to address the issues described in Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046).
What's New in 8.1.7.2
Splunk Enterprise 8.1.7.2 was released on December 17, 2021. This release includes version 2.16.0 of Apache Log4j to address the issues described in Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046).
What's New in 8.1.8
Splunk Enterprise 8.1.8 was released on January 18, 2022. This release includes version 2.17.1 of Apache Log4j. It also resolves the issues described in Fixed issues.
What's New in 8.1.9
Splunk Enterprise 8.1.9 was released on February 16, 2022. It resolves the issues described in Fixed issues.
What's New in 8.1.10
Splunk Enterprise 8.1.10 was released on April 14, 2022. It resolves the issues described in Fixed issues.
What's New in 8.1.10.1
Splunk Enterprise 8.1.10.1 was released on June 30, 2022. This release addresses the issue described in Splunk Security Advisory SVD-2022-0608.
What's New in 8.1.11
Splunk Enterprise 8.1.11 was released on August 16, 2022. It delivers relevant fixes described in the August 16, 2022 quarterly security update on the Splunk Product Security page. This release also resolves the issues described in Fixed issues.
What's New in 8.1.12
Splunk Enterprise 8.1.12 was released on November 1, 2022. It delivers relevant fixes described in the November 1, 2022 quarterly security update on the Splunk Product Security page. This release also resolves the issues described in Fixed issues.
New Feature or Enhancement | Description | ||||||
---|---|---|---|---|---|---|---|
The rex function
|
The rex function in default mode now treats the caret ( ^ ) properly. For example, the following search extracts 192. .
Previously, the following search with the regular expression
Now that the behavior of the caret ( ^ ) has been fixed, the same search returns one row of results. in order to generate three rows of results like before, the regular expression in the search must be changed to
The results of the search look something like this:
|
REST API updates
This release includes these new and updated REST API endpoints.
New endpoints:
- data/ui/global-banner
- shcluster/captain/kvmigrate/start
- shcluster/captain/kvmigrate/status
- shcluster/captain/kvmigrate/stop
- workloads/policy/search_admission_control
Updated endpoints:
The REST API Reference Manual describes the endpoints.
This documentation applies to the following versions of Splunk® Enterprise: 8.1.12
Feedback submitted, thanks!