Splunk® Enterprise

Release Notes

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Welcome to Splunk Enterprise 8.1

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 8.1 was first released on October 20, 2020.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 8.1

This information is subject to change prior to general availability of the release.

New Feature or Enhancement Description
SmartStore native support for GCP SmartStore support for Splunk Enterprise on Google Cloud Platform. See Configure the GCS remote store for SmartStore.
Minimize SmartStore cache churn Reduces SmartStore cache churn to improve search performance. With the SmartStore "lruk" cache eviction policy, datasets related to infrequent all-time searches and wildcard searches are evicted prior to evicting more frequently accessed datasets. See Set the cache eviction policy.
KV store storage engine migration Splunk Enterprise 8.1 includes enhancements to KV store, resulting in significant storage reduction and minor improvements to performance. Migrate KV store to the new WiredTiger storage layer to receive these benefits.

For more information about migrating to WiredTiger, see Migrate the KV store storage engine.

Authentication tokens Customers can use authentication tokens as credentials to perform Splunk Enterprise operations using REST endpoints for some identity providers. For more information, see Set up authentication with tokens.
Add domain list in email alert action Allowed Email Domains feature enables admins to create list of email domains to which users can send emails. This helps to ensure that reports and alerts are not sent to external parties by users, accidentally or otherwise.

For more information, see Email notification action.

SPL History Keyboard Navigation Navigate your search history from within the search bar, using simple keyboard shortcuts.

For more information, see Search history with keyboard navigation.

SAML assertion encryption SAML assertion encryption now provides admins the option to enable encryption of SAML assertions to provide a higher level of security for authentication services.
Source-type-scoped indexed fields for structured data If you index fields from structured data formats with fixed semantic schemas such as JSON, you now can scope them by source type, using wildcard expressions to capture sets of like-named fields. Searches on fields that are indexed with this method complete quicker than searches on fields that are indexed without source-type-scoping.

See Extract fields from files with structured data.

Ingest-time lookups You can now configure ingest-time lookups, which enable you to enrich your data with lookup fields as it is ingested, and before it is indexed. If you have lookups that are performed on almost all of your events, you may want to set them up as ingest-time lookups.

See Reduce lookup overhead with ingest-time lookups.

Search failure consistency More consistent handling of failure conditions for sub-searches, including the rest, inputlookup, and inputcsv commands. Optional require command introduced to automatically fail sub-searches that return 0 results.

See the new require command. See the strict argument for inputcsv, inputlookup, and rest.

Workload Management - admission rules Admins can now define rules that automatically filter out potentially harmful searches, such as wildcard searches or all-time searches, so that they don't negatively impact the rest of the search workload.

For more information, see Configure admission rules to prefilter searches.

Workload Management - user messaging improvements Workload management now displays a default message to the user when a workload rule aborts a search. If the admin has defined a customized message for a specific workload rule, then workload management displays the customized message to the user when the workload rule aborts a search.

For more information, see Configure workload rules.

Table Views enhancements Table Views now make it easier to create a new table dataset directly from the search home screen.

For more information, see Define initial data for a new table dataset.

Global banner notifications Administrators can now display a persistent banner message to all users.
  • Non-dismissible, and viewable by all users on all product pages.
  • Customize text and background color, with ability to also include a hyperlink.

For more information, see Display global banner.

Metrics summary indexes Administrators now have the option of summarizing statistical search data in metrics summary indexes. Metrics summary indexes can provide better search performance and reduced storage space on disk in comparison to their events summary index counterparts.

See Use summary indexing for increased search efficiency.

Support for sub-second data storage and retrieval on metrics data Metrics administrators can now enable metrics indexes to perform metrics searches with millisecond timestamp precision.

To learn about setting up metrics indexes with millisecond timestamp resolution, see Create custom indexes.

Export Analytics Workspace chart to Splunk Dashboards App (beta) Analytics Workspace users can now save a chart to a new dashboard in the Splunk Dashboards App (beta) in order to leverage their analytics output in the new dashboard framework.

For more information, see Dashboards in the Analytics Workspace.

Enhancements to address rolling restarts Custom configuration files are now reloadable, further decreasing service disruptions caused by rolling restarts when pushing configuration bundle updates to indexer cluster peers.

For information on reloadable custom configuration files, see Configuration file reload triggers in app.conf.

HTTP Out sender for universal forwarder The universal forwarder now supports the ability to send data over HTTP. This allows customers more flexibility in configuring their data infrastructure and opens up the use of load balancers to greatly simplify configuration of their ingestion tier.

For more information, see Configure the Splunk Universal Forwarder to send data over HTTP.

HTTP Out server side receiver endpoint for universal forwarder HTTP traffic A new HTTP Event Collector endpoint specifically for handling HTTP data from the universal forwarder.

For more information see the API Reference Manual.

Universal forwarder handles journald data sources No more messy workaround for reading events from systemd journals. This new input for the universal forwarder provides native support for journald, reading entries directly from the journald database.

For more information, see Get data with the Journald input.

Improved internal logging performance for high-volume, low-criticality components Performance improvement optimizes the physical log writes which can sometimes become a bottleneck on high throughput deployments.
Remove, suppress any field from Windows Eventlog via universal forwarder Reduce noisy and unnecessary data from Windows Logs by filtering on any fields available at the source.
ARMv8 and Gravitron Support for universal forwarder The Splunk universal forwarder is now supported on ARMv8 and ARMv8 Graviton servers.
Enhanced TSIDX compression Enhanced TSIDX compression for improved performance and up to 40% reduced storage. See The tsidx writing level in the Managing Indexers and Clusters of Indexers manual.
Duty cycle based IO thread selection for HTTP server Improve Splunk platform scalability. Network communication in the Splunk platform is routed mainly through a number of specialized threads, in more extreme scenarios those threads can become chokepoints. We now automate the choice of the number of these threads and improve load-balancing to reduce latency and increase throughput.
Health Report UI changes And SHC health report Admins can see real time cluster-wide health on Monitoring Console and Health Report UI with a single click without the need to run searches.
Conditional license enforcement For license stack volumes of less than 100GB, search is disabled when license limits are violated after 45 warnings within a 60-day rolling window. For more information on the violation conditions, see What happens during a license violation?.
Python 3 is the default Python 3 is the default for all python calls; including CLI commands, custom search commands, and scripts in Splunk Enterprise and its apps. A customer upgrading from 8.0.x that manually configured an app to use Python2 should not see an immediate break in functionality for that app, as Python 2 has not been removed from Splunk Enterprise 8.1. For the latest issues related to python support in Splunk Enterprise, see Known Issues.
Splunk Secure Gateway Splunk Secure Gateway is a part of Splunk Enterprise version 8.1.0 and higher. Register devices and configure your mobile app deployment. Splunk Secure Gateway offers the same registration and configuration functionalities as Splunk Cloud Gateway.

What's New in

Splunk Enterprise was released on November 20, 2020. It resolves the issue described in Fixed issues.

What's New in 8.1.1

Splunk Enterprise 8.1.1 was released on December 8, 2020. It introduces the following enhancements and resolves the issues described in Fixed issues.

Enhancement Description
HTTP Out and Journald Input updates for the Universal Forwarder Sending data over HTTP from the Universal Forwarder just got easier. With 8.1.1 the Universal Forwarder will reuse your event breaker configurations so users can leverage the UF with HTTP with only a few config changes to their outputs.

Journald is now supported on both Linux x86 64 bit systems as well as ARMv6 and ARMv8.

General Availability of RapidDiag This update marks the General Availability of RapidDiag and includes a broad user interface refresh that improves user workflows.

A streamlined user interface for Task Wizard and Data Collection Wizards now makes it easier to select target peer nodes, run tasks and download diags. Updates include cleaner, more intuitive layouts and improved description of collector templates and its purpose. Small app performance improvements enable tasks and pages to load more quickly. A dedicated page for RapidDiag Reference Guide is now available to review collector and system requirements and guide for each collector tool. See Using RapidDiag in the Troubleshooting Manual.

Async fetching of changes made to saved search configuration files This feature allows faster scheduling of searches if there are many searches scheduled every minute and saved searches configuration files are updated frequently. The feature is turned OFF by default and can be turned on using the async_saved_search_fetch configuration in limits.conf. For more information, see limits.conf.

In addition, more granular scheduler performance metrics are captured in metrics.log.

Linux polkit rules for systemd Splunk Enterprise adds support for Linux polkit rules that allow non-root users to start/stop/restart Splunk Enterprise under systemd without sudo permissions.

For more information, see Install polkit rules to elevate user permissions.

What's New in 8.1.2

Splunk Enterprise 8.1.2 was released on February 1, 2021. It resolves the issues described in Fixed issues.

What's New in 8.1.3

Splunk Enterprise 8.1.3 was released on March 18, 2021. It resolves the issues described in Fixed issues.

What's New in 8.1.4

Splunk Enterprise 8.1.4 was released on May 11, 2021. It introduces the following enhancement and resolves the issues described in Fixed issues.

Enhancement Description
Performance enhancement Improved cluster peer ingestion performance when leaving maintenance mode by reducing contention. .

What's New in 8.1.5

Splunk Enterprise 8.1.5 was released on July 15, 2021. It introduces the following enhancement and resolves the issues described in Fixed issues.

Enhancement Description
SmartStore enhancement IMDSv2 support for SmartStore.

What's New in 8.1.6

Splunk Enterprise 8.1.6 was released on September 9, 2021. It resolves the issues described in Fixed issues.

REST API updates

This release includes these new and updated REST API endpoints.

New endpoints:

Updated endpoints:

The REST API Reference Manual describes the endpoints.

Last modified on 29 October, 2021
  Known issues

This documentation applies to the following versions of Splunk® Enterprise: 8.1.6

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters