Splunk® Enterprise

Release Notes

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Welcome to Splunk Enterprise 9.2

Splunk Enterprise 9.2.0 was released on January 31, 2024. Splunk Enterprise 9.2.0.1 was released on February 8, 2024 to resolve the issues described in Splunk Enterprise 9.2.0.1 Fixed issues. Splunk recommends that customers use version 9.2.0.1 instead of version 9.2.0. Splunk recommends that customers use version 9.2.0.1 instead of version 9.2.0.

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 9.2

New feature, enhancement, or change Description
Deployment server scalability Significant enhancements to deployment server, to make it more resilient and highly available. In addition, deployment server clusters make it possible to coordinate functionality across multiple deployment servers. See Upgrade pre-9.2 deployment servers and Implement a deployment server cluster.
Dashboard Studio - Post-conversion report When you convert a Simple XML dashboard with the Clone in Dashboard Studio feature, Dashboard Studio automates as many conversions as possible. The post-conversion report will detail which objects or options need manual adjustments after conversion. For more details, see About conversion from Simple XML to Dashboard Studio.
Dashboard Studio - Drilldown: Link to custom search You can configure drilldowns from their Dashboard Studio dashboards to custom searches.
Dashboard Studio - Drilldown: Link to reports You can configure drilldowns from their Dashboard Studio dashboards to reports. For more details, see Linking interactions
Dashboard Studio - Events Viewer: Workflow Actions You can configure workflow actions to work with their Events Viewer visualizations in Dashboard Studio. For more details, see Events viewer.
Dashboard Studio - Bigger better code editor Dashboard editors can now expand the source code editor while making edits in the UI.
Dashboard Studio - Trellis for Single Values You can apply a trellis layout for single value, single value icon, and single value radial visualizations. For more details, see Trellis layout.
Federated Search for Splunk - Lookup command improvements for standard mode federated search When you use the lookup command in standard mode federated searches, you can set local=true in the search to force the lookup portion of the search (and all following commands) to be processed on the search head of your local Splunk platform deployment.


See the lookup topic in the Splunk platform Search Reference.

Support for OS certificate trust store and certificate management API Many customers (300+ votes) have asked Splunk to support integration with existing OS trust/certificate stores that include commonly used public CAs. Without this integration, adding additional CA certificates is a manual process that requires uploading these certificates to the Splunk instance filesystem and updating the config settings for root CA paths.
New JSON delete function You can use the new json_delete function to remove one or more keys and their corresponding values from the specified JSON object. For more information, see json_delete(<object>,<keys>) in the Splunk Enterprise Search Reference.
Bitwise enhancements You can use the following new bitwise functions to manipulate fields in eval searches.
  • bit_shift_left for logical left shifts.
  • bit_shift_right for logical right shifts.
  • bit_and for bitwise AND operations.
  • bit_or for bitwise OR operations.
  • bit_not for bitwise NOT operations.
  • bit_xor for bitwise XOR operations.

The following eval functions also now support bitwise operations.

  • tonumber converts a string representation of a binary number to the corresponding number in base 10.
  • tostring converts a number to a string of its binary representation.

For more information, see Common eval functions in the Splunk Enterprise Search Reference.

Abort a rolling restart of an indexer cluster You can now abort an ongoing user-initiated rolling restart of an indexer cluster. The ability to abort a rolling restart can be useful if a rolling restart becomes stuck or slowed down due to an indexer or system issue.


For more information, see the Abort a rolling restart of an indexer cluster in Managing Indexers and Clusters of Indexers.

Manage Splunk platform and operating system certificate authority (CA) certificate trust stores You can now manage the trust stores for certificate authority (CA) certificates, for the purposes of securing your Splunk deployment with transport layer security (TLS).

For more information, see Manage certificate authority (CA) trust stores in Securing Splunk Enterprise. See Certificate trust store REST API usage details for information on how to use the REST API to manage the trust stores.

What's New in 9.2.0.1

Splunk Enterprise 9.2.0.1 was released on February 8, 2024. It resolves the issues described in Splunk Enterprise 9.2.0.1 Fixed issues.

Last modified on 20 February, 2024
  NEXT
Known issues

This documentation applies to the following versions of Splunk® Enterprise: 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters