What's new

This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.

The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.

Also discover what's new in the following features of Splunk Cloud Platform:

9.3.2408

New feature, enhancement, or change	Description
Federated Analytics	The amount of data collected in low-cost cloud and purpose-built remote data stores is growing exponentially. Federated Analytics gives you improved visibility and security-related insights into datasets you store in such data lakes, starting with data stored in Amazon Security Lake. If you keep stores of data in Amazon Security Lake, Federated Analytics gives you two ways to apply threat detection and threat hunting searches to that data: For threat detection, you can ingest recent Amazon Security Lake data into local indexes on your Splunk Cloud Platform deployment, and then apply high-frequency scheduled searches and alerts to that data. For threat hunting, you can run infrequent ad hoc federated searches over long time-range Amazon Security Lake datasets where they live in Amazon S3. See About Federated Analytics in Federated Search.
SPL2 public beta	This version of Splunk Cloud Platform supports SPL2 via API, to help admins create powerful apps to gain more control over their ecosystem while allowing developers massive flexibility for the custom apps they can build. Admins and developers can ship SPL2 module files that define custom functions, views, data types, and more to curate resources within their application for users. Users can leverage these resources in the Splunk search bar to create dashboards and reports, by writing single-statement SPL2 searches. Admins can use "SPL2 views with run-as-owner permissions". This applies special permissions on modules to execute views under a more privileged context, allowing multiple roles to access sensitive data with different levels of custom data masking.
Federated Search for Amazon S3: AWS Glue table automation	Federated Search for Amazon S3 searches apply filtering and statistical functions to AWS Glue tables that contain column and schema definitions for datasets in your Amazon S3 buckets. This means that an AWS Glue table must be created for each Amazon S3 dataset you intend to search. With this version of Splunk Cloud Platform, Splunk software can create and manage AWS Glue tables for Amazon S3 datasets that follow the AWS CloudTrail schema. If you have CloudTrail datasets in Amazon S3, all you need to do is set up your federated provider and federated indexes for them, and Splunk software can create and manage the AWS Glue tables for those datasets behind the scenes. See Define an Amazon S3 federated provider in Federated Search.
Enhancement to the `foreach` command	A new `auto_collections` mode has been added the `foreach` command. The `auto_collections` mode dynamically iterates over a JSON array or multivalue field depending on which element is present in the search. See foreach in the Search Reference.
Federated Search for Splunk: Standard mode federated search support for the `mcatalog` command.	The `mcatalog` command is now supported for standard mode federated searches. For more information, see the following topics: Run federated searches over remote Splunk platform deployments, in Federated Search. mcatalog, in the Search Reference.
Dashboard Studio enhancements	See What's new in Dashboard Studio.
Deprecation of exporting PDFs, scheduling PDF delivery, and printing PDFs with Classic Simple XML dashboards.	Exporting dashboard PDFs, scheduling PDF delivery, and printing PDFs with Classic Simple XML dashboards is deprecated and will be removed in a future release.
Eval function enhancements for data type conversion and type testing	You can use the following new `eval` data type conversion functions to manipulate values in `eval` searches. `toarray` to convert a value to an array value. `tobool` to convert a value to a boolean value. `todouble` to convert a value to a double value. `toint` to convert a value to an integer value. `tomv` to convert a value to a multivalue. `toobject` to convert a value to the equivalent object value of the field, if any. `json_entries` to convert a value to an array of JSON objects with `key` and `value` fields. You can use the following new `eval` functions to return information about values in `eval` searches. `isarray` to test whether a value is an array value. `isdouble` to test whether a value is a double value. `ismv` to test whether a value is a multivalue. `isobject`to test whether a value is an object. `json_has_key_exact` to test whether a JSON key is in a JSON object. For more information, see Common eval functions in the Splunk Enterprise Search Reference.
Eliminate SHC out-of-sync issues	SHC (search head cluster) replication has been improved to reduce out-of-sync errors. Previously, large CSV lookup files that exceeded the 5GB file size limit could block replication and cause cluster members to go out of sync, often requiring a "destructive resync" to remediate. Now if a CSV lookup exceeds the lookup file size limit, the cluster automatically quarantines the lookup on the search head on which it is generated, without blocking replication of other objects. The splunkd health report shows the number of quarantined lookups and admins can run a search to get details on these lookups for remediation. For more information, see Quarantining large CSV lookup files in search head clusters in the Knowledge Manager Manual.

Related answers from Splunk Community

What's new

9.3.2408

Comments

What's new

Was this topic useful?