Splunk® Enterprise

Release Notes

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Welcome to Splunk Enterprise 8.2

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 8.2 was first released on May 12, 2021.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 8.2

This information is subject to change prior to general availability of the release.

| New Feature or Enhancement | Description |
| --- | --- |
| Federated Search | Enables search across multiple Splunk Enterprise and Splunk Cloud Platform deployments. For more information, see About federated search. |
| Dashboard Studio | Dashboard Studio is a dashboard-building experience that offers advanced visualization tools and fully customizable layouts to easily create visually compelling, interactive dashboards with an intuitive UI. Create new dashboards from the Dashboards listing page or save visualizations from Search. For more information, see the Splunk Dashboard Studio manual. |
| Health report UI changes and SHC health status | The Splunk health report now captures feature health status across nodes in distributed environments, including search head cluster members. For more information, see Splunk Health Report in the Monitoring Splunk Enterprise manual. |
| Monitor ingestion latency in health report | The ingestion latency feature in the health report lets admins monitor whether forwarders in their Splunk deployment have fallen behind due to ingestion latency. The health status of ingestion latency is displayed in the Splunk health report. For more information, see Supported features in the Monitoring Splunk Enterprise manual. |
| Identify excessive I/O wait times in health report | The IOWait feature in the health report lets admins identify instances waiting for disk I/O tasks to complete. The health status of IOWait is displayed in the Splunk health report and written to health.log. For more information, see Supported features in the Monitoring Splunk Enterprise manual. |
| Workload Management: Enable single workload and admission rules | Workload management now lets you enable or disable individual workload rules and admission rules. This gives you the flexibility to create and save multiple different rules for specific scenarios and apply them to searches as needed. For more information, see Enable individual workload rules in the Workload Management manual. |
| Workload Management: Default OOM message | Workload management now displays a default message to the user when it terminates a search due to an out of memory (OOM) condition. |
| Back up and restore KV store | Admins can use an improved process to back up and restore KV store with point-in-time consistency and with more efficiency. See Back up and restore KV store in the Admin Manual. |
| Durable search | This feature ensures "at-least-once" delivery of events for scheduled reports, which ensures that scheduled reports with incomplete results are rerun. Typical use cases for durable search are scheduled reports that build and maintain summary indexes. For more information, see Make scheduled reports durable to prevent event loss in the Reporting Manual. |
| Improved handling of JSON data in Splunkd | This release introduces four new eval functions for JSON-structured data. The json_array_to_mv and mv_to_json_array functions improve conversion between multivalue event and JSON-structured data formats. The json_append function lets you append elements to the contents of a valid JSON object. The json_extend function lets you extend the contents of a valid JSON object with the values of an array. This release additionally introduces a new search command, tojson, which enables conversion of standard log events into JSON-structured data. See JSON functions and the entry for tojson in the Search Reference. |
| Use HTTP compression by default | SSL compression is replaced with HTTP compression by default to improve scalability and reduce the security vulnerability surface. See The use of SSL compression is replaced with HTTP compression except when forwarding in the Installation Manual. |
| Add notes to your Enterprise License files | A Splunk admin can add a note or other customized text to Splunk Enterprise licenses using the License Manager page. |
| Scheduler observability and performance improvements | Searches are scheduled 10X faster, which can improve scheduled search performance in cases where a large number of searches are scheduled every minute and saved searches configuration files are updated frequently. |
| RapidDiag and Health Report / Monitoring Console Integration | When a Health Report feature becomes unhealthy, users are shown a suggested link in the Health Report modal to generate a diag using RapidDiag to further troubleshoot the issue. For more information, see View the splunkd health report in the Monitoring Splunk Enterprise manual and Using RapidDiag in the Troubleshooting Manual. |
| Faster searchable rolling restart | Improves the speed of searchable rolling restart, allowing full sites to shut down at a time. See How the manager determines the number of multisite peers to restart in each round in the Managing Indexers and Clusters of Indexers manual. |
| Restrict search by data age | Splunk software now provides a way to restrict end user search results by age of the event. A new option to restrict search results based on the age of the event is available in user role settings. See Create and manage roles with Splunk Web in Securing the Splunk Platform. |
| Accounting of configuration changes | Lets admins track changes to configuration files regardless of the change origin by logging changes as they are detected at the filesystem level, to improve root cause analysis and troubleshooting. See configuration_change.log in What Splunk software logs about itself in the Troubleshooting Manual. |
| Bucket Merge functionality for standalone instances | Indexer performance and stability increasingly suffer as the number of buckets increases. Additionally, several activities, such as service restarts, can have the side effect of multiplying small buckets. The new merge-buckets command provides a self-service capability for administrators to manage the merging of buckets. See merge-buckets in Command line tools for use with Support in the Troubleshooting Manual. |
| Integrate RapidDiag to support portal | Enables RapidDiag app users to upload diag files directly from the host server to an existing case on Splunk's customer support portal using the CLI. |
| Python Upgrade Readiness | The new Splunk Python Upgrade Readiness App scans your apps to determine Python 3 compatibility and lists remediation actions you must take to ensure your apps remain compatible with future versions of Splunk Enterprise that will not support older Python libraries. For more information, see About the Splunk Python Upgrade Readiness App in the Splunk Python Upgrade Readiness manual. |

REST API updates

This release includes these new and updated REST API endpoints.

New endpoints:

Updated endpoints:

The REST API Reference Manual describes the endpoints.

Last modified on 28 February, 2022

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0
