Splunk Cloud Platform

Release Notes


This documentation does not apply to the most recent version of Splunk Cloud.

New features

This page summarizes the new features and enhancements in each release of Splunk Cloud.

The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.


New Feature or Enhancement | Description
Federated Search Splunk Cloud-to-Splunk Cloud (limited availability release) | For customers with multiple deployments in Splunk Cloud, ability to search across deployments. Contact Splunk support if you'd like to activate this capability.
Improved handling of JSON data in Splunkd | Introduced json_array_to_mv and mv_to_json_array eval functions to improve conversion between these formats.

See JSON functions.

Configure IP allow lists for Splunk Cloud | Splunk Cloud admins can now configure Splunk Cloud IP allow lists to control access to Splunk Cloud deployments using the new Admin Configuration Service (ACS) API.

See Configure IP allow lists for Splunk Cloud.


New Feature or Enhancement | Description
Workload Management: Default user message on OOM | Workload management now displays a default message to the user if their search is terminated due to an out of memory (OOM) condition.
Workload Management: Enable or disable workload rules | Splunk Cloud admins can now enable or disable individual workload rules and admission rules.

For more information, see Enable workload rules and Enable admission rules.

Durable search | This feature ensures "at-least-once" delivery of events for scheduled reports, which ensures that scheduled reports with incomplete results are rerun. Typical use cases for durable search are scheduled reports that build and maintain summary indexes.

For more information, see Make scheduled reports durable to prevent event loss.

DDSS/DDAA support for GCP | The Dynamic Data Self Storage (DDSS) and Dynamic Data Active Archive (DDAA) features now support data storage for expired Splunk Cloud indexes on Google Cloud Platform (GCP).

For more information, see Configure self storage in GCP.

Improved handling of JSON data in Splunkd | Additional tojson command to improve performance and usability when working with JSON structured data.
Global split-by | Global split-by allows users to apply a split-by dimension simultaneously to all charts in their workspace.

To learn about splitting by a dimension, see Split time series by dimension.


Splunk Cloud 8.1.2009 introduces general enhancements and resolves a number of issues identified in earlier releases.


New Feature or Enhancement | Description
Splunk Cloud health report | Splunk Cloud admins can now monitor search scheduler health on a real-time basis.
  • Warns you when high numbers of skipped searches occur.
  • Gets health data from a REST endpoint with no impact on search workloads or indexing latency.

For information on how to configure and use the health report, see Splunk Cloud health report.

Sub-second metric data storage and retrieval | Metrics administrators can now enable metrics indexes to perform metrics searches with millisecond timestamp precision.

To learn about setting up metrics indexes with millisecond timestamp resolution, see Manage Splunk Cloud indexes.

Source-type-scoped indexed fields | If you index fields from structured data formats with fixed semantic schemas such as JSON, you now can scope them by source type, using wildcard expressions to capture sets of like-named fields. Searches on fields that are indexed with this method complete quicker than searches on fields that are indexed without source-type-scoping.

For more information, see Scope indexed structured data fields by source type to improve search performance.


New Feature or Enhancement | Description
Authentication tokens | Splunk Cloud now lets admins and customers use authentication tokens as credentials to perform Splunk Cloud operations using REST endpoints for some identity providers. For more information, see Set up authentication with tokens.

Add domain list in email alert action | The Allowed Email Domains feature enables admins to create a list of email domains to which users can send emails. This helps to ensure that reports and alerts are not sent to external parties by users, accidentally or otherwise.

For more information, see Email notification action.

DDAA and DDSS usage monitoring enhancements | UI updates to DDAA/DDSS to improve usability.
Parallel Reduce | Enable Parallel Reduce in Splunk Cloud for improved performance.
SPL History Keyboard Navigation | Navigate your search history right from within the search bar, using simple keyboard shortcuts.

For more information, see Search history with keyboard navigation.

Splunk Secure Gateway integration | Splunk Secure Gateway facilitates easy mobile engagement via a secure cloud service with end-to-end encryption, acting as a bridge for transferring data from your Splunk Enterprise or Splunk Cloud deployment to mobile devices.
SAML assertion encryption | SAML assertion encryption now provides admins the option to enable encryption of SAML assertions to provide a higher level of security for authentication services.
Search failure consistency | More consistent handling of failure conditions for sub-searches, including the rest, inputlookup, and inputcsv commands. Optional require command introduced to automatically fail sub-searches that return 0 results.

See the new require command. See the strict argument for inputcsv, inputlookup, and rest.

Workload Management - user messaging improvements | Workload management now displays a default message to the user if a search is aborted by a workload rule. If an admin defines a customized message in the workload rule that aborted the search, then the customized message is displayed to the user.
Table Views enhancements | Table Views now make it easier to create a new table dataset directly from the search home screen.

For more information, see Define initial data for a new table dataset.

Export Analytics Workspace chart to Splunk Dashboards App (beta) | Analytics Workspace users can now save a chart to a new dashboard in the Splunk Dashboards App (beta) in order to leverage their analytics output in the new dashboard framework.

For more information, see Dashboards in the Analytics Workspace.

Enhancements to address rolling restarts | The following enhancements are available in this release:
  • Custom configuration files are now reloadable, further decreasing Splunk Cloud service disruptions caused by rolling restarts when installing apps and updating configuration files.
  • More self-service apps on Splunk Cloud are now reloadable.

For details, see Managing a rolling restart in Splunk Cloud.


New Feature or Enhancement | Description
Search improvement: SPL comments | Search now supports in-line comments, making it easier to explain each step of your search.
Add 'View Inheritance' of indexes and capabilities for roles and users | View index inheritance now provides Splunk Cloud admins a view of the full set of inherited and assigned indexes that users can search.
Faster Index metadata lookup | Provides a REST call to fetch the list of indexes, along with metadata and configuration attributes.
Table views-usability improvements | Usability improvements are added to make it easier to clean and transform table views.
DDAA Usage Monitoring | Allows monitoring of data usage and consumption for searchable and archival data, relative to customer entitlement. This includes per index & overall data size, data/event time range, and growth rate for archived and restored data.
Enhancements to address rolling restarts | The following enhancements are available in this release:
  • HEC CRUD operations are now reloadable.
  • Adds more reloadable configuration files, which decreases the number of rolling restarts required when installing apps and updating configuration files, and reduces Splunk Cloud service disruptions.
  • Supports stanza-level reload for inputs.conf.

For details, see Managing a rolling restart in Splunk Cloud.

Data Panel Filtering: Key-Value Pairs | Allows users to filter on fields in the data panel in Analytics Workspace by using key-value pairs, in order to simplify the act of browsing to select data.


New Feature or Enhancement | Description
Shareable alert suppression across unique searches | Reduces the volume of alert notifications by creating alert suppression groups for alerts that are based on similar searches and run across the same or very similar datasets. When an alert in the group is triggered, all of the alerts in the group are throttled for the suppression period of the triggering alert. See Define alert suppression groups to throttle sets of similar alerts in the Alerting Manual.
Workload Management enhancement - admission rules | Allows admins to automatically filter potentially harmful searches such as wildcard searches or all-time searches so that they don't negatively impact the rest of the search workload.
Performance improvements in metrics searches | Delivers performance improvement when running metrics searches in Splunk Cloud.
Data panel filtering - index selection and time range | Enables you to filter and limit data in the Analytics Workspace based on your use cases. You can find your data faster, have better data organization, and might also improve your performance.


New Feature or Enhancement | Description
New msearch arguments improve search performance and responsiveness | The msearch command allows users to run searches that return raw, unaggregated metric data points. However, even msearch searches that run over relatively brief time ranges can cover enormous numbers of data points, causing the searches to be slow to complete or even unresponsive. We have added an argument to msearch called target_per_timeseries that restricts the number of data points that the search returns per metric time series by default, making msearch searches faster and more reliable. We've also added the chunk_size argument to the msearch command. It can further improve the responsiveness of troublesome msearch searches. See msearch in the Search Reference.
Y-axis Scaling | You can set the minimum and maximum values for the Y-axis in a chart. Y-axis scaling allows you to customize the timescale and zoom in on the data, making it easier to draw insights from the data presented. See Set the Y Axis scaling on a chart in the Analytics Workspace guide.
Filter on metrics data sources | You can filter the metrics data sources shown in the Data panel based on index and/or time-range. This allows you to show only those metrics that are relevant to your current use-case. See Filter on metrics data sources in the Analytics Workspace guide.


New Feature or Enhancement | Description
Enhancements to user and role management | The Users and Authentication UI now provides several new configuration options for roles and users, including index wildcards, the ability for sc_admin to run a search as a user, last login time/date per user, and the ability to force a user to change their password. See Manage Splunk Cloud Users and Roles.
Metrics enhancement--enhance counter support v3+ with rate_sum() and rate_average() | Provides the ability to aggregate rates across metric series in a sensible way to generate their final report or alerts. In this enhancement, we provide a syntax to properly compute a per time series rate and then aggregate on it. See Calculate average and aggregate rates for accumulating counter metrics.
Metrics enhancement--Summary Index - Ability to specify Metric Index type - to send summary data | Provides the ability to specify a Metric Index type as the sink where the summary data flows into. This has advantages in terms of performance and optimized storage.
Metrics enhancement-- MSIDX Storage Optimizations: Timestamp compression | Timestamp compression in Metric Index reduces storage footprint.
Metrics enhancement-- Query Time Downsampling Techniques for Metric Store | Downsampling is the process of reducing the resolution of data. Skipping values in blocks will help improve query latency, since the backend need not load and process all the values from disk. See the coverage of the every argument for the mstats command in mstats.
Workload Management enhancement | Ability to define a custom message for each workload rule that is displayed to end-users when their search triggers a workload rule. See Create a workload rule.
Analytics Workspace enhancements | The following enhancements are added for this release:
  • Users can visualize dense data as Heatmaps to identify variations across categorical dimensions to start root cause analysis. Easier to identify missing data.
  • Control time-spans for each chart depending upon the type of your data.
  • Draw reference lines (statistical metrics) based on any time-range to compare against current data.
  • Visualize rate of change for counters.

See About the Analytics Workspace.


New Feature or Enhancement | Description
Workload management for Splunk Cloud | Workload management enables prioritized provisioning of resource (CPU, memory) allocation for searches, in alignment with business priorities. It allows classification of searches into different resource groups, and then reserves a guaranteed amount of system resources (CPU, memory) per resource group regardless of the load on the system. Splunk Cloud also provides pre-configured workload pools for your use. For details, see Workload Management in the Splunk Cloud Admin Manual.
Python 3.7 support | Migrate scripts to Python 3.7 compatibility individually over time. Force Python 3.7 usage across the instance if Python 3.7 is crucial.
Security enhancements | Granular access controls; within-index controls.

New user interface for Roles management.

Distributed search | Get up-to-date search results with faster bundle replication. See Cascading knowledge bundle replication in Distributed Search.
Search performance improvements | Gains in search performance.

Grouping of alerts for higher performance.

Metrics performance improvements | Cost savings with optimized metrics data storage.

Wildcard functionality for logs2metrics.

Analytics Workspace | Create categorical charts (line, column, area, time-column) and run analytical operations on metrics and accelerated datasets.

Add reference lines to metrics data for comparison/analysis.
Create fast and highly performant streaming alerts.
Visualize events data timeline along with metrics for root-cause analysis.
Expanded time-range picker provides better control over the data to analyze.

Histogram metric datatype support | Splunk Cloud now supports the histogram metric datatype, which enables you to bucket your metric data into a time series of histograms. You can use the new histperc macro to estimate percentile (a.k.a. quantile) values for specific time periods based on your histogram time series.

See Use histogram metrics in the Metrics Manual.

HEC timestamp extraction | Keep event metadata (source, sourcetype, host) when ingesting event data from Apache Kafka or AWS Kinesis without the need to maintain custom parsers for things like timestamp extraction.
Last modified on 27 April, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.1.2012
