This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.
The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.
|New Feature or Enhancement||Description|
|Ingest Actions: Supports partitioning for S3 destinations||Ingest Actions now supports the ability to configure how S3 outputs are partitioned, using a combination of timestamp and sourcetype name.|
|Ingest Actions: Supports multiple S3 bucket destinations||Ingest Actions now supports routing to multiple S3 destinations. The creation of a maximum of eight destinations per provider is currently supported.|
|Ingest Actions: Output optimizations for federated search on S3||Ingest Actions now supports more flexibility in configuring outputs, such as selection of batch size and compression type and greater control over index-time field extractions and JSON output.|
|Home page redesign||The new Splunk Web home page experience gets users to their insights faster.
For more details, see Navigating Splunk Web in the Search Manual.
|Theming support for Search & Reporting app||Users can choose between default systems setting, dark and light mode in the Search & Reporting app.|
|Accessibility improvements on Triggered Alerts page||Updates to the Triggered Alerts page to improve usability and accessibility using modern technologies and frameworks.|
|Ability to make HEC JSON output into S3 readable by Federated Search||Ingest Actions has updated the S3 output JSON schema by delimiting events on newlines. This update prepares for compatibility with Federated Search. At time of writing, Ingest Actions does not support partitioning by sourcetype on Federated Search.|
|Forwarder hot-reload for TLS certificates (outputs.conf)||Customers can now refresh TLS certificates that protect forwarders without having to restart the forwarders.|
|Splunk Web hot reload for TLS certificates (web.conf)||Customers can now refresh TLS certificates that protect Splunk Web on Splunk Enterprise instances without having to restart Splunk Web.|
|Splunk daemon hot reload for TLS certificates (server.conf, replication port)||Customers can now refresh TLS certificates that protect Splunk-to-Splunk communications on Splunk Enterprise and universal forwarder instances without having to restart those instances.|
|SAML IdP certificate visibility and self-service support||Customers now receive notification of expiring SAML IdP certificates and can update the certificates themselves.|
|Improve REST API to handle large data set||Improve REST API to handle large data set using lighter weight XML libraries.|
|Dashboards - Warn users of external content in Simple XML dashboards Updates||Users will see a warning modal regarding external content in their Simple XML dashboards. To remove the warning, users can work with their administrators to add the external content domains to the Dashboards Trusted Domains List. For more details, see Configure Dashboards Trusted Domains List.|
|Dashboards - Update Simple XML v=null dashboards to v=1.1||Simple XML dashboards in all apps must have a version attribute. Simple XML dashboards without a specified version attribute will be automatically updated to version=1.1. This attribute specification does not apply to default dashboards in an app's /default/data/ui/views directory.|
|Dashboard Studio - Export the data results of any visualization to a CSV||Users can export the data results of any visualization, including search results from base and chain searches, to a CSV for a shareable compact file format. For more details, see Export a visualization.|
|Dashboard Studio - Updated base and chain behavior||Base searches no longer need to refresh if only an associated chain search SPL changes. This update improves performance and reduces resource consumption. Users can also create up to ten chain searches instead of the original two. For more details, see Chain searches together with a base search and chain searches.|
|Dashboard Studio - Events viewer visualization||Users can view event data and interact with field-value pairs with the events viewer visualization. Workflow actions and special parameters are not supported in this release. For more details, see Events viewer.|
|Dashboard Studio - Improved readability of dashboard definitions in Views||Instead of a single line of code, the JSON dashboard definition has expanded into multiple lines with indentations. Users can find a dashboard's definition in User interface under the admin Settings on the Views page.|
|Dashboard Studio - Inputs available in the canvas||Inputs on canvas allow dashboard builders to place user inputs closer to the charts they impact. Inputs are also resizable. For more details, see Adding and configuring inputs.|
|Dashboard Studio - Show or hide panels in Absolute layout||Users can configure dashboards to conditionally show or hide panels in Absolute layout, depending on whether data is available to display. For more details, see Conditionally show or hide panels.|
|Dashboard Studio - Choropleth map layers for map visualizations||Users can apply choropleth map layers to map visualizations in addition to the existing bubble and marker layers. For more details, see Maps.|
|Dashboard Studio - Configuration UI for axes charts||Axes charts, such as bar, line, and scatter, have new configuration UI for most options previously only available via source code.|
|jQuery v3.5 is packaged with Splunk Cloud Platform by default.||Splunk Cloud Platform now uses jQuery 3.5 by default. Splunk Cloud administrators can still choose to enable lower versions of jQuery in the Internal Library Settings. Splunk will remove support for all older versions of jQuery in future releases.
|Improve scalability of distributed search with a large number of distinct searchable indexes.||Improve reliability of distributed search environments with several hundred indexers.|
|limits.conf self-service UI enhancements||The Configure limits UI in Splunk Web adds support for directly editing additional limits.conf stanzas without assistance from Splunk Support.
|Federated search: New remote dataset types for standard mode federated search||Splunk platform administrators who manage federated search over standard mode federated providers can map federated indexes to two new remote dataset types.
See Create a federated index in the Search Manual.
|Federated search: Ability to deactivate federated providers, federated indexes, and transparent mode||Federated search administrators can now turn off the following things for all users of their Splunk platform deployment:
See the following topics:
|Federated search: Search control improvements||The ability to gracefully pause, cancel, and finalize federated searches has been improved.|
|Federated search: Improved support for accelerated data models||Federated search users can now run searches over accelerated data models with fewer restrictions in standard and transparent mode.
Transparent mode support for search of accelerated data models requires that your local Splunk platform deployment and all remote Splunk platform deployments you have set up as federated providers be upgraded to either Splunk Cloud Platform 9.0.2303 or higher, or Splunk Enterprise 9.1.0 or higher.
See Run federated searches in the Search Manual.
|Federated search: Improved access control for remote indexes on transparent mode federated providers||Administrators of transparent mode federated providers can now control which indexes federated search users can access on those providers. This control is managed through the service account role for the federated provider.
This feature might cause federated searches over Splunk Cloud Platform deployments that are set up as transparent mode federated providers to fail after those deployments upgrade to 9.0.2303. If you are an administrator of an upgraded transparent mode federated provider, to resolve this situation you must update the provider's service account role so that the role has access to the indexes that must be available for federated searches.
See Service accounts and federated search security in the Search Manual.
|Parallel reduce search processing support for the
||Parallel reduce search processing optimizes performance of high-cardinality searches. Now parallel reduce is supported for searches that use the |
|Share search results (job & search)||Administrators can now control how searches are shared using the flag |
|Upgrade Readiness App 4.1.0||The Upgrade Readiness App version 4.1.0 includes an updated exception list for all Splunk Internal Applications, updated messaging for apps with false positives, and other minor bug fixes.|
|Stats V1 deprecation||Addition of a warning message to remind customers that version 1 of the |
|Health Report enhancements||The splunkd health report now includes the following enhancements:
For more information, see Monitor your deployment with the splunkd health report.
Welcome to Splunk Cloud Platform
Known and fixed issues for
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2303