Splunk® Enterprise

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Welcome to Splunk Enterprise 9.1

Splunk Enterprise 9.1.0 was released on June 28, 2023.

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 9.1

New feature, enhancement, or change Description
Macros now replicate by default to search peers Macros used in apps are now replicated by default to search peers as part of the knowledge bundle in Splunk deployments. As a result of this change, searches that previously failed now run successfully, which could impact downstream performance.

If you don't want to replicate macros for your apps, you can suppress replication by setting replicate.macros = false in the [replicationSettings:refineConf] stanza in the distsearch.conf file. Be aware that disabling distribution of macros might negatively impact your search results.

Health Report enhancements The splunkd health report now includes the following enhancements:
  • The ability to disable individual features in the distributed health report, allowing for customized health report views that exclude noisy or irrelevant features.
  • The ability to track user-modified threshold values in the UI and reset thresholds to default values.
  • Built-in validation for indicator thresholds and feature names, to prevent misconfigurations that can make the health report unusable.

For more information, see Configure the splunkd health report in Monitoring Splunk Enterprise.

Ingest Actions: Supports partitioning for S3 destinations Ingest Actions now supports the ability to configure how S3 outputs are partitioned, using a combination of timestamp and sourcetype name.
Ingest Actions: Supports multiple S3 bucket destinations Ingest Actions now supports routing to multiple S3 destinations. The creation of a maximum of eight destinations per provider is currently supported.
Ingest Actions: Output optimizations for federated search on S3 Ingest Actions now supports more flexibility in configuring outputs, such as selection of batch size and compression type and greater control over index-time field extractions and JSON output.
Ingest Actions: KMS encryption improvements Ingest Actions now allows KMS encryption via cross-account IAM.
Ingest Actions: Data preview UI Ingest Actions users are now able to use the user interface to preview ruleset changes using a sampling of live data. This feature is supported on HWF tier and Standalone deployments.
Ingest Actions: Sourcetype validation in Splunk Web Validate sourcetype entries and disallow incompatible syntax.
Cluster manager: Enhancements to primary bucket assignment and rebalancing In previous versions of Splunk Enterprise, the cluster manager selects primary buckets at random. For customers who use SmartStore, this can cause longer search times if the cluster manager selects a primary bucket that must be downloaded from remote storage. This enhancement gives priority to copies of a bucket that are already localized (downloaded) when selecting primaries.
Automated search head cluster rolling upgrade Splunk Enterprise now supports automated rolling upgrades for search head clusters. This feature builds on existing rolling upgrade functionality to minimize the number of steps an admin must take to upgrade the Splunk Enterprise version on search head cluster members.

For more information, see Perform an automated rolling upgrade of a search head cluster in Distributed Search.

Preserve search history across search heads Search history is lost when users switch between various nodes in a search head cluster. This feature utilizes KV store to keep search history replicated across nodes. See search_history_storage_mode in limits.conf in the Admin Manual for information on using this functionality.
Home page redesign The new Splunk Web home page experience gets users to their insights faster.
  • Start where they left off with recently viewed knowledge objects.
  • Browse a comprehensive list of knowledge objects they have created and have access to.
  • Customize the app order or search by name for better app browsing.

For more details, see Navigating Splunk Web in the Search Manual.

Theming support for Search & Reporting app Users can choose between default systems setting, dark and light mode in the Search & Reporting app.
Accessibility improvements on Triggered Alerts page Updates to the Triggered Alerts page to improve usability and accessibility using modern technologies and frameworks.
Ability to make HEC JSON output into S3 readable by Federated Search Ingest Actions has updated the S3 output JSON schema by delimiting events on newlines. This update prepares for compatibility with Federated Search. At time of writing, Ingest Actions does not support partitioning by sourcetype on Federated Search.
Forwarder hot reload for TLS certificates (outputs.conf) Customers can now refresh TLS certificates that protect forwarders without having to restart the forwarders. See Renew existing TLS certificates in the Securing Splunk Enterprise Manual.
Splunk Web hot reload for TLS certificates (web.conf) Customers can now refresh TLS certificates that protect Splunk Web on Splunk Enterprise instances without having to restart Splunk Web.
Splunk daemon hot reload for TLS certificates (server.conf, replication port) Customers can now refresh TLS certificates that protect Splunk-to-Splunk communications on Splunk Enterprise and universal forwarder instances without having to restart those instances.
SAML IdP certificate visibility and self-service support Customers now receive notification of expiring SAML IdP certificates and can update the certificates themselves.
Improve REST API to handle large data set Improve REST API to handle large data set using lighter weight XML libraries.
Dashboards - Warn users of external content in Simple XML dashboards Users will see a warning modal regarding external content in their Simple XML dashboards. To remove the warning, users can work with their administrators to add the external content domains to the Dashboards Trusted Domains List. For more details, see Configure Dashboards Trusted Domains List.
Dashboards - Update Simple XML v=null dashboards to v=1.1 Simple XML dashboards in all apps must have a version attribute. Simple XML dashboards without a specified version attribute will be automatically updated to version=1.1. This attribute specification does not apply to default dashboards in an app's /default/data/ui/views directory.
Dashboard Studio - Export the data results of any visualization to a CSV Users can export the data results of any visualization, including search results from base and chain searches, to a CSV for a shareable compact file format. For more details, see Export a visualization.
Dashboard Studio - Updated base and chain behavior Base searches no longer need to refresh if only an associated chain search SPL changes. This update improves performance and reduces resource consumption. Users can also create up to ten chain searches instead of the original two. For more details, see Chain searches together with a base search and chain searches.
Dashboard Studio - Events viewer visualization Users can view event data and interact with field-value pairs with the events viewer visualization. Workflow actions and special parameters are not supported in this release. For more details, see Events viewer.
Dashboard Studio - Improved readability of dashboard definitions in Views Instead of a single line of code, the JSON dashboard definition has expanded into multiple lines with indentations. Users can find a dashboard's definition in User interface under the admin Settings on the Views page.
Dashboard Studio - Inputs available in the canvas Inputs on canvas allow dashboard builders to place user inputs closer to the charts they impact. Inputs are also resizable. For more details, see Adding and configuring inputs.
Dashboard Studio - Show or hide panels in Absolute layout Users can configure dashboards to conditionally show or hide panels in Absolute layout, depending on whether data is available to display. For more details, see Conditionally show or hide panels.
Dashboard Studio - Choropleth map layers for map visualizations Users can apply choropleth map layers to map visualizations in addition to the existing bubble and marker layers. For more details, see Maps.
Dashboard Studio - Configuration UI for axes charts Axes charts, such as bar, line, and scatter, have new configuration UI for most options previously only available via source code.
Dashboard links with tokens update For Dashboard Studio and Classic Simple XML dashboards, links that direct outside of the Splunk Platform require token filters to handle tokens with spaces. For more details, see Token filters in the Dashboards and Visualizations manual.
jQuery v3.5 is packaged with Splunk Enterprise by default Splunk Enterprise now uses jQuery 3.5 by default. HTML dashboards do not work with jQuery 3.5. Administrators can choose to enable lower versions of jQuery in the Internal Library Settings. Splunk will remove support for all older versions of jQuery in future releases.

See Overview of the jQuery 3.5 upgrade in the jQuery Upgrade Readiness manual.

Improve scalability of distributed search with a large number of distinct searchable indexers Improve reliability of distributed search environments with several hundred indexers.
Federated search: New remote dataset types for standard mode federated search Splunk platform administrators who manage federated search over standard mode federated providers can map federated indexes to two new remote dataset types.
  • Metrics index datasets allow users to use the mstats command in federated searches of remote metrics data.
  • Last job datasets turn the last jobs run by remote scheduled searches into searchable datasets. Last job datasets can be an alternative to saved search datasets for environments where concurrent search reduction is a priority.

See Create a federated index in the Search Manual.

Federated search: Ability to deactivate federated providers, federated indexes, and transparent mode Federated search administrators can now turn off the following things for all users of their Splunk platform deployment:
  • The ability to run federated searches over specific remote federated providers, by deactivating those federated providers.
  • The ability to run standard mode federated searches over specific federated indexes, by deactivating those federated indexes.
  • The ability to run federated searches in transparent mode.

See the following topics:

Federated search: Search control improvements The ability to gracefully pause, cancel, and finalize federated searches has been improved.
Federated search: Wildcard support in standard mode Standard mode federated searches now let you use wildcard symbols (*) to reference multiple federated indexes.
Federated search: Improved support for accelerated data models Federated search users can now run searches over accelerated data models with fewer restrictions in standard and transparent mode.
  • In standard mode you can now apply prestats to tstats searches over data model datasets.
  • In transparent mode, an accelerated data model on your local search head creates summaries on the local search head and the remote search head of the federated provider. In your search, reference that local accelerated data model to return both local and remote results.

See Run federated searches in the Search Manual.

Federated search: Improved access control for remote indexes on transparent mode federated providers Administrators of transparent mode federated providers can now control which indexes federated search users can access on those providers. This control is managed through the service account role for the federated provider.

This feature might cause federated searches over Splunk Cloud Platform deployments that are set up as transparent mode federated providers to fail after those deployments upgrade to 9.0.2303. If you are an administrator of an upgraded transparent mode federated provider, you can resolve this situation by updating the provider's service account role so that the role has access to the indexes that must be available for federated searches.

See Service accounts and federated search security in the Search Manual.

Parallel reduce search processing support for the table command Parallel reduce search processing optimizes performance of high-cardinality searches. Now parallel reduce is supported for searches that use the table command. As a result, the table command can now leverage the computing power of indexers, in addition to the search head, to complete searches and produce results more quickly.
Share search results (job & search) Administrators can now control how searches are shared using the flag enable_share_job_control in the web_features.conf file. They can enable users to share the search itself instead of sharing the search as a job. For more details, see Share jobs and export results in the Search Manual.
Updates to Splunk Secure Gateway App in Splunk Enterprise The latest updates to Splunk Secure Gateway make it easier to configure SSG, unlocks the ability to manage Scheduled Report notifications, and fixes an issue regarding devices being unregistered.
Deployment Server improvements Increased performance support for Deployment Server clients.
License manager redundancy Upgrades the license manager capability so that it is high availability/disaster recovery ready. When this feature is enabled, you can deploy multiple license managers behind a load balancer. The license managers can be located in different sites. This feature is currently available only to customers with unlimited licenses.

For more information, contact your Sales Representative.

Upgrade Readiness App 4.1.0 The Upgrade Readiness App version 4.1.0 includes an updated exception list for all Splunk Internal Applications, updated messaging for apps with false positives, and other minor bug fixes.
Updates to information on logD and journalD inputs Information about various logD and journalD inputs is updated to provide more context and guidance.
Stats V1 deprecation Addition of a warning message to remind customers that version 1 of the stats command is deprecated and will be disabled in a future release. Version 1 of the stats command has been deprecated and replaced with version 2 of the stats command.

What's New in

Splunk Enterprise was released on July 6, 2023. It resolves the issue described in Splunk Enterprise Fixed issues.

What's New in

Splunk Enterprise was released on July 31, 2023. It resolves the issue described in Splunk Enterprise Fixed issues.

What's New in 9.1.1

Splunk Enterprise 9.1.1 was released on August 30, 2023. It resolves the issues described in Fixed issues.

What's New in 9.1.2

Splunk Enterprise 9.1.2 was released on November 16, 2023. It resolves the issues described in Fixed issues.

What's New in 9.1.3

Splunk Enterprise 9.1.3 was released on January 22, 2024. It resolves the issues described in Fixed issues.

What's New in 9.1.4

Splunk Enterprise 9.1.4 was released on March 27, 2024. It resolves the issues described in Fixed issues.

Last modified on 28 June, 2024
  Known issues

This documentation applies to the following versions of Splunk® Enterprise: 9.1.4

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters