Introducing Splunk Enterprise 9.x features
Splunk Enterprise has evolved over the years and currently stands at version 9.0.3 at the time of writing this book. As it gets more advanced, some of its features become deprecated and new features are added or enhanced. Older versions often reach end of life (EOL), which means Splunk won’t offer support or fix bugs; instead, it advises upgrading to the latest version.
This section covers the important features of Splunk version 8.x that have been carried forward to the latest 9.0 product version, along with new features introduced in the 9.x version. These features are good to be aware of but are not tested in the exam. Feel free to skip this section if you want to:
- Dashboard Studio: This provides the necessary tools to create visualizations, such as graphs, charts, and statistical tables, with colors and images. It complements the classic simple XML dashboard that existed in previous versions of Splunk but does not replace it as of version 8.2.6.
- Federated search: This is used to search remote Splunk deployments that are outside of the local Splunk deployment. Local SH initiates search requests to remote SH, which acts as a federation provider. Remote deployment could consist of a single SH or cluster.
- Health report: Splunk Web has a handy Health status of Splunk report that displays the health of Splunk processes in green, red, and yellow states. Selecting each process further drills down into the detailed information. The health report helps admins to get a quick understanding of the platform status, such as I/O wait, ingestion latency, data durability, search lag, disk space, and skipped searches.
- Durable Search: Scheduled reports that require the results to be complete for each scheduled run can be enabled to rerun at a later point in time when all the necessary resources are available to finish the job. That’s called a durable search. A scheduled report could return partial/incomplete results due to a number of reasons. For example, a search peer might be busy servicing other requests and have exhausted its resources (CPU, memory, and so on). Another scenario is where SH-to-indexer network connectivity is unstable. However, with the durable search feature, the scheduler ensures it will rerun the same report at a later point in time for the same window it was supposed to execute and return complete results for. So far, we have gone through the features of the 8.2.x product family. Later sections explain the version 9.0 features.
- SmartStore Azure Blob support: SmartStore is a Splunk concept referring to an indexer feature for storing data in remote object storage. In previous versions such as 8.2.X, SmartStore had support for Amazon Web Services (AWS) Simple Storage Service (S3) object storage and Google Cloud Platform’s (GCP’s) Google Cloud Storage (GCS). Starting from 9.0, it also has support for Azure Blob storage.
- Ingest actions: Splunk 9.0 introduced Ingest Actions for data administrators with a new UI. It can do data masking, data filtering, and routing through rulesets. It is a cool feature, changing the way data admins traditionally write transform configurations for masking, filtering, and routing. Data could be routed to external S3 object storage and/or to an index. The new data preview mode allows uploading sample data of up to 5 GB for live testing.
- Splunk Assist: Splunk Assist is an app built for the Splunk cloud offering. It is a fully managed service by Splunk Inc. Starting from version 9.0, the app is available for Splunk Enterprise (on-premises) customers. It provides deep insights to admins regarding Splunk deployment configuration recommendations, evaluating the security posture, making updates to Splunkbase apps, and much more.
- Cluster Manager (CM) redundancy: In previous versions such as 8.x.x, there used to be only a single CM for an indexer cluster. Starting with version 9.0, we can configure a second CM and run it in standby mode. Two managers run in an active/standby configuration; when the active manager is down, the standby manager will be active to rescue the whole cluster.
- Config tracker: A new internal index,
_configtracker, has been introduced to track config files and their stanzas, including key-value pairs. This is a cool new feature that helps to troubleshoot config issues and find who, when, and what changed from an audit perspective. - To go through the complete list of features for previous versions of the 8.x.x family, follow this link and choose the version:
https://docs.splunk.com/Documentation/Splunk/8.2.10/ReleaseNotes/MeetSplunk
Similarly, a full list of 9.0.X features is available here:
https://docs.splunk.com/Documentation/Splunk/9.0.3/ReleaseNotes/MeetSplunk
In the next section, we will learn about Splunk Enterprise components.
