Splunk Cloud Platform

Release Notes

What's new

This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.

The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.

Also discover what's new in the following features of Splunk Cloud Platform:


9.3.2408

New feature, enhancement, or change Description
Federated Analytics The amount of data collected in low-cost cloud and purpose-built remote data stores is growing exponentially. Federated Analytics gives you improved visibility and security-related insights into datasets you store in such data lakes, starting with data stored in Amazon Security Lake.

If you keep stores of data in Amazon Security Lake, Federated Analytics gives you two ways to apply threat detection and threat hunting searches to that data:

  • For threat detection, you can ingest recent Amazon Security Lake data into local indexes on your Splunk Cloud Platform deployment, and then apply high-frequency scheduled searches and alerts to that data.
  • For threat hunting, you can run infrequent ad hoc federated searches over long time-range Amazon Security Lake datasets where they live in Amazon S3.

See About Federated Analytics in Federated Search.

SPL2-based application development This version of Splunk Cloud Platform supports SPL2 via API, to help admins create powerful apps to gain more control over their ecosystem while allowing developers massive flexibility for the custom apps they can build.

Admins and developers can ship SPL2 module files that define custom functions, views, data types, and more to curate resources within their application for users. Users can leverage these resources in the Splunk search bar to create dashboards and reports, by writing single-statement SPL2 searches. See Create SPL2-based apps in the Splunk Developer Guide on dev.splunk.com

Admins can use SPL2 views with run-as-owner permissions. This applies special permissions on modules to execute views under a more privileged context, allowing multiple roles to access sensitive data with different levels of custom data masking. See Manage SPL2-based apps in the Splunk Cloud Platform Admin Manual.

Federated Search for Amazon S3: AWS Glue table automation Federated Search for Amazon S3 searches apply filtering and statistical functions to AWS Glue tables that contain column and schema definitions for datasets in your Amazon S3 buckets. This means that an AWS Glue table must be created for each Amazon S3 dataset you intend to search.

With this version of Splunk Cloud Platform, Splunk software can create and manage AWS Glue tables for Amazon S3 datasets that follow the AWS CloudTrail schema. If you have CloudTrail datasets in Amazon S3, all you need to do is set up your federated provider and federated indexes for them, and Splunk software can create and manage the AWS Glue tables for those datasets behind the scenes.

See Define an Amazon S3 federated provider in Federated Search.

Enhancement to the foreach command A new auto_collections mode has been added the foreach command. The auto_collections mode dynamically iterates over a JSON array or multivalue field depending on which element is present in the search. See foreach in the Search Reference.
Federated Search for Splunk: Standard mode federated search support for the mcatalog command. The mcatalog command is now supported for standard mode federated searches. For more information, see the following topics:
Dashboard Studio enhancements See What's new in Dashboard Studio.
Deprecation of exporting PDFs, scheduling PDF delivery, and printing PDFs with Classic Simple XML dashboards. Exporting dashboard PDFs, scheduling PDF delivery, and printing PDFs with Classic Simple XML dashboards is deprecated and will be removed in a future release.
Eval function enhancements for data type conversion and type testing You can use the following new eval data type conversion functions to manipulate values in eval searches.
  • toarray to convert a value to an array value.
  • tobool to convert a value to a boolean value.
  • todouble to convert a value to a double value.
  • toint to convert a value to an integer value.
  • tomv to convert a value to a multivalue.
  • toobject to convert a value to the equivalent object value of the field, if any.
  • json_entries to convert a value to an array of JSON objects with key and value fields.

You can use the following new eval functions to return information about values in eval searches.

  • isarray to test whether a value is an array value.
  • isdouble to test whether a value is a double value.
  • ismv to test whether a value is a multivalue.
  • isobjectto test whether a value is an object.
  • json_has_key_exact to test whether a JSON key is in a JSON object.

For more information, see Common eval functions in the Splunk Cloud Platform Search Reference.

Eliminate SHC out-of-sync issues SHC (search head cluster) replication has been improved to reduce out-of-sync errors.

Previously, large CSV lookup files that exceeded the 5GB file size limit could block replication and cause cluster members to go out of sync, often requiring a "destructive resync" to remediate.

Now if a CSV lookup exceeds the lookup file size limit, the cluster automatically quarantines the lookup on the search head on which it is generated, without blocking replication of other objects.

The splunkd health report shows the number of quarantined lookups and admins can run a search to get details on these lookups for remediation.

For more information, see Quarantining large CSV lookup files in search head clusters in the Knowledge Manager Manual.

Last modified on 06 December, 2024
Welcome to Splunk Cloud Platform   Known and fixed issues for

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters