Welcome to Splunk Enterprise 9.3
Splunk Enterprise 9.3 was released on July 24, 2024.
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 9.3
New feature, enhancement, or change | Description |
---|---|
Official support for Ingest Actions file system destinations | Route data to an NFS or local file system. This is great for use cases related to cost-savings, auditing, compliance, and more. See Create an NFS file system destination. |
Indexer cluster rolling upgrade automation | Splunk Enterprise now supports automated rolling upgrades for indexer clusters. This feature builds on existing rolling upgrade functionality to minimize the number of steps an admin must take to upgrade the Splunk Enterprise version on indexer cluster nodes. |
Predefined splunk_system_upgrader role | The splunk_system_upgrader role is available in Splunk Enterprise. Users who hold this role can perform automated rolling upgrades of search head clusters (SHCs) and indexer clusters (IDXCs) to a higher version of Splunk Enterprise. To learn about the key capabilities of this role, see Table of Splunk platform capabilities. |
Indexer cluster data rebalancing using usage statistics | Indexer clusters use data rebalancing to balance the number of buckets among peer nodes, but until now this capability has not considered the actual search usage of the buckets. As a result, some peer nodes might carry a greater search load than others. To improve system performance, this new feature allows data rebalancing based on search usage. See Rebalance the indexer cluster. |
conf memory reduction | Enhancements to reduce memory usage on Search Heads when a large number of users and applications use them. |
Home Page -- Custom bookmarks, search history, knowledge object view updates | Admins and Users can personalize their home page with in-product bookmarks for quick access to guides, manuals, apps, knowledge objects, and so on. Admin users can
Users can
See Navigating Splunk Web in the Search Manual. |
Dashboard Studio - Scheduled PDF and PNG export | Schedule PDF and PNG exports of your dashboards for email delivery. For more details, see Download and schedule email exports of dashboard content for sharing. |
Splunk Enterprise Python 3.9 upgrade | In this release, the default Python interpreter is Python 3.9. The Python.Version setting has been updated so that the parameter is set to the value force_python3, which forces all Python extension points to use Python 3.9 and overrides any application-specified settings. Ensure that all apps and add-ons are on the latest version and compatible with Python 3.9; otherwise they might break. |
Federated Search for Splunk: Risky commands blocked for transparent mode federated searches | Several risky commands have been blocked for transparent mode federated searches. In addition, the tstats and makeresults commands have been blocked or restricted in certain situations for transparent mode federated searches. See Run federated searches in Federated Search. |
Federated Search for Splunk: Standard mode search improvements | In standard mode federated searches of remote Splunk deployments, commands such as join, union, and append can now use remote saved searches as subsearches. |
Federated Search for Splunk: Improvements for kvstore replication when using transparent mode federated search Enable kvstore for federated search head without indexer | When you are using transparent mode federated search and your federated search head does not have indexers, Splunk software can now use kvstore replication to transfer data to the remote Splunk deployment for use in federated searches. |
Preview feature: Addition of field filters in Splunk Web to protect sensitive information | Now you can use field filters in Splunk Web to obfuscate or redact data such as personally identifiable information (PII) and protected health information (PHI), and control which users can see that sensitive information. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters. |
Role-based field filters do not work upon upgrade to this or later releases | Role-based field filters that were released as a preview feature in previous versions of Splunk Cloud Platform do not work in this or subsequent releases. Role-based field filters have been replaced by field filters. |
The view_field_filter capability is renamed to the list_field_filter capability | The capability for listing field filters is now called list_field_filter. |
Log severity level for searches with infix wildcards increased from INFO to WARN | Certain searches that produce inconsistent search results now display the following message as a warning instead of an info message: The term <term> contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation. Learn More . |
Upgrade Readiness App v 4.4.0 | Made compatible with Python 3.9. |
Workload management enhancements | Enhanced search_time_range predicate functionality now lets you match workload rules and admission rules to specific search time ranges to improve search efficiency over large amounts of data. |
What's New in 9.3.1
Splunk Enterprise 9.3.1 was released on September 12, 2024. It resolves the issues described in Fixed issues.
New feature, enhancement, or change | Description |
---|---|
Duo Security authentication - support for the Universal Prompt | Users can use the Universal Prompt experience for Duo Security multifactor authentication. The Universal Prompt is a more advanced and secure authentication experience than the Traditional Prompt used on previous Splunk Enterprise versions. See About multifactor authentication with Duo Security. If you still use the Traditional Prompt for Duo multifactor authentication, take the following steps by December 31, 2024:
December 31, 2024 is the last day of support for the Traditional Prompt. |
This documentation applies to the following versions of Splunk® Enterprise: 9.3.1