Splunk Cloud Platform

Release Notes

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

What's new

This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.

The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.

Also discover what's new in the following features of Splunk Cloud Platform:

9.2.2403

New feature, enhancement, or change
Description

Cloud App Export
Admins on Victoria Experience can now export apps on a self-service basis using the ACS API. App export lets you keep a snapshot of current app configurations and associated app data in default, local, and user directories, which you can use for troubleshooting, configuration management, and app development purposes.

For more information, see Export apps in Splunk Cloud Platform in the Admin Config Service Manual.

Search result reuse for Federated Search for Amazon S3
This feature can improve the performance of Amazon S3 federated searches and reduce the data scan unit consumption of those searches. By default, when you rerun an Amazon S3 federated search that was run successfully within the past 24 hours, the system uses the results of that last successful run of the search. You can turn this feature off for individual searches by adding reuse_search_results = f to the search string. See sdselect command syntax details in Federated Search.

Federated Search for Splunk: Risky commands blocked for transparent mode federated searches
Several risky commands have been blocked for transparent mode federated searches. In addition, the tstats and makeresults commands have been blocked or restricted in certain situations for transparent mode federated searches. See Run federated searches in Federated Search.

Federated Search for Splunk: Standard mode search improvements
In standard mode federated searches of remote Splunk deployments, commands such as join, union, and append can now use remote saved searches as subsearches.

Federated Search for Splunk: Improvements for kvstore replication when using transparent mode federated search
Enable kvstore for federated search head without indexer. When you are using transparent mode federated search and your federated search head does not have indexers, Splunk software can now use kvstore replication to transfer data to the remote Splunk deployment for use in federated searches.

Python 3.9 upgrade
In this release, the default Python interpreter is set to Python version 3.9. The Python.Version settings have been updated so that the parameter is set to the value force_python3, which forces all Python extension points to use Python 3.9, including overriding any application-specified settings.

This is designed to be secure-by-default for new customers. If the value is set to python3.9, the default interpreter is set to Python 3.9, but applications can choose to use a different value.

Upgrade Readiness App v 4.4.0
Compatibility with Python 3.9.

Home Page -- Custom bookmarks, search history, knowledge object view updates
Admins and Users can personalize their home page with in-product bookmarks for quick access to guides, manuals, apps, knowledge objects, and so on.

Admin users can

  • Share bookmarks with all other users in one operation
  • Control domains in which bookmarks can be created.

Users can

  • Seamlessly access their search history from various apps in a single view, eliminating the need for navigating through multiple apps.
  • Filter the Knowledge Object list by App and Owner for quicker access rather than scrolling through a long list.

Continuous deployment of UI experiences in Splunk Cloud Platform
Continuous deployment of UI experiences in Splunk Cloud Platform.

Preview feature: Field filters updates enable multiple target indexes, hosts, sources, or source types
Now you can specify one or more target indexes, hosts, sources, or source types that apply to the fields that you want to protect with field filters. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters.

---
READ THIS FIRST: Should you deploy field filters in your organization? Field filters is a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters in the Securing Splunk platform manual.
---

To turn on field filters in your Splunk Cloud environment, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.

The view_field_filter capability is renamed to the list_field_filter capability
The capability for listing field filters is now called list_field_filter.

Enable kvstore for federated search head without indexer
Even federated search heads that do not have indexers will be able to transfer kvstore data to the remote search head and use that data while running searches.

Handle search commands correctly on remote providers
This enhancement avoids the following unexpected behaviors in Federated Search:
  • Not running risky commands on remote providers.
  • Not running unsupported commands on remote providers with previous releases that do not have the right support.

Observability Related Content in Splunk Cloud improvements
The Observability Related Content experience has three distinct improvements:
  • Revamped and intuitive configuration experience to guide users through activating Related Content while setting expectations on how to use the feature.
  • Automated field mapping for immediate time to value for common fields that could be used by users instead of host.name, trace_id and service.name.
  • Alert context in host and service previews for immediate context on potential outages related to the event.

The Splunk platform REST API spawn_process parameter is deprecated.
Do not use the spawn_process parameter. It is deprecated and will be removed in a future release.

Removal of the populate_lookup alert action
The legacy alert action, populate_lookup, has been removed. Use the lookup alert action instead.

Log severity level for searches with wildcards in the middle of a string increased from INFO to WARN
Certain searches that produce inconsistent search results now display the following message as a warning instead of an info message:

The term <term> contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation. Learn More.

See Wildcards in the Splunk Cloud Platform Search Manual.

Data Management experience
Filter, mask, and route data using flexible and reusable SPL2 pipelines.


You can navigate to the Data Management experience by doing any of the following:

  • On the Splunk Home page, select the Process incoming data task.
  • In the Settings menu, select Data Management experience. This link replaces the Edge Processor link from the previous release.
  • On the Ingest Actions page, select the Try our new Data Management experience banner.

If your Splunk Cloud Platform deployment is not connected to a cloud tenant that has the Data Management experience available, then selecting these links directs you to a web page where you can learn more about the Data Management experience.

UI Style Guide
The legacy in-product UI Style Guide is removed. Instead, refer to the Splunk UI documentation.

Internal Library Settings
The Internal Library Settings page is removed. Deprecated libraries and unsupported hotlinked imports are restricted, and Splunk Cloud Platform no longer offers a self-service option to use them. For more information about Internal Library Settings, see Control access to jQuery and other internal libraries in the jQuery Upgrade Readiness manual.

Last modified on 24 September, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2403

