Welcome to Splunk Enterprise 9.2
Splunk Enterprise 9.2.0 was released on January 31, 2024. Splunk Enterprise 18.104.22.168 was released on February 8, 2024 to resolve the issues described in Splunk Enterprise 22.214.171.124 Fixed issues. Splunk recommends that customers use version 126.96.36.199 instead of version 9.2.0.
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 9.2
|New feature, enhancement, or change
|Deployment server scalability
|Significant enhancements to deployment server, to make it more resilient and highly available. In addition, deployment server clusters make it possible to coordinate functionality across multiple deployment servers. See Upgrade pre-9.2 deployment servers and Implement a deployment server cluster.
|Dashboard Studio - Post-conversion report
|When you convert a Simple XML dashboard with the Clone in Dashboard Studio feature, Dashboard Studio automates as many conversions as possible. The post-conversion report will detail which objects or options need manual adjustments after conversion. For more details, see About conversion from Simple XML to Dashboard Studio.
|Dashboard Studio - Drilldown: Link to custom search
|You can configure drilldowns from your Dashboard Studio dashboards to custom searches.
|Dashboard Studio - Drilldown: Link to reports
|You can configure drilldowns from your Dashboard Studio dashboards to reports. For more details, see Linking interactions.
|Dashboard Studio - Events Viewer: Workflow Actions
|You can configure workflow actions to work with your Events Viewer visualizations in Dashboard Studio. For more details, see Events viewer.
|Dashboard Studio - Bigger better code editor
|Dashboard editors can now expand the source code editor while making edits in the UI.
|Dashboard Studio - Trellis for Single Values
|You can apply a trellis layout for single value, single value icon, and single value radial visualizations. For more details, see Trellis layout.
|Federated Search for Splunk - Lookup command improvements for standard mode federated search
|When you use the lookup command in standard mode federated searches, you can set local=true in the search to force the lookup portion of the search (and all following commands) to be processed on the search head of your local Splunk platform deployment.
|Support for OS certificate trust store and certificate management API
|Many customers (300+ votes) have asked Splunk to support integration with existing OS trust/certificate stores that include commonly used public CAs. Without this integration, adding additional CA certificates is a manual process that requires uploading these certificates to the Splunk instance filesystem and updating the config settings for root CA paths.
|New JSON delete function
|You can use the new json_delete function to remove one or more keys and their corresponding values from the specified JSON object. For more information, see json_delete(<object>,<keys>) in the Splunk Enterprise Search Reference.
|You can use the following new bitwise functions to manipulate fields in
For more information, see Common eval functions in the Splunk Enterprise Search Reference.
|Abort a rolling restart of an indexer cluster
|You can now abort an ongoing user-initiated rolling restart of an indexer cluster. The ability to abort a rolling restart can be useful if a rolling restart becomes stuck or slowed down due to an indexer or system issue.
|Manage Splunk platform and operating system certificate authority (CA) certificate trust stores
|You can now manage the trust stores for certificate authority (CA) certificates, for the purposes of securing your Splunk deployment with transport layer security (TLS).
For more information, see Manage certificate authority (CA) trust stores in Securing Splunk Enterprise. See Certificate trust store REST API usage details for information on how to use the REST API to manage the trust stores.
What's New in 184.108.40.206
Splunk Enterprise 220.127.116.11 was released on February 8, 2024. It resolves the issues described in Splunk Enterprise 18.104.22.168 Fixed issues.
This documentation applies to the following versions of Splunk® Enterprise: 9.2.0