Splunk Enterprise V9: New Features and Enhancements

by Pavlo Poliakov

Splunk Enterprise V9 has brought in many new features and enhancements that are of great interest to its users. The latest release has introduced various functionalities, including Ingest Actions, Indexer Cluster Manager Redundancy, Configuration Change Tracker Index, Federated Search Functionality Improvement, and Platform Performance Improvement. In this blog, we will discuss some of these features in detail.

Ingest Actions

The Ingest Actions feature is a powerful capability that adds great value to the Splunk platform. It allows users to perform actions on data as it’s ingested, providing greater flexibility and efficiency in data processing.

Ingest Actions can be used to apply custom transformations, filtering, masking and routing to data before indexing it, allowing users to selectively ingest only the data they need. This helps users reduce storage requirements, improve query performance and optimize license usage. Plus, it allows you to route data to S3 storage.

The feature operates by using rulesets on the indexers or heavy forwarders. These ruleset settings can be applied at every layer of processing. For instance, a heavy forwarder can enforce a ruleset on the data and then forward it to an indexer with its own set of rules. In this case, both the heavy forwarder’s and the indexer’s rulesets will be applied to the data in sequence. Similarly, if a heavy forwarder streams data to a second heavy forwarder, which then forwards the data to the indexer, all three processing layers can enforce their respective rulesets on the data.

This means that in Splunk V9 you can reindex your data, something that wasn’t possible in previous versions. Previously, this was a limitation in scenarios where already-parsed data was received from third-party sources, for example when a branch company sends masked data for analysis with metadata such as sourcetype or index name already assigned. In those cases, you had to adapt your own Splunk configuration to the metadata received from others.
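The layered processing described above, as an added model written for this post rather than Splunk’s own code or configuration: a heavy forwarder ruleset (mask, filter) runs first, then the indexer ruleset (route, filter), each rule either editing the event or dropping it. The rule names, the `Event` fields and the sample events are all constructed for illustration; the point to notice is that an indexer-layer rule keyed on a value the forwarder has already masked never fires, so rule order across layers matters.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# One event in flight: raw text plus the routing metadata a rule may rewrite.
@dataclass
class Event:
    raw: str
    index: str = "main"
    destination: str = "indexer"   # "indexer" (local index) or "s3"

# A rule edits the event and returns it, or returns None to drop (filter) it.
Rule = Callable[[Event], Optional[Event]]

def mask(pattern: str, replacement: str) -> Rule:
    def rule(ev: Event) -> Optional[Event]:
        ev.raw = re.sub(pattern, replacement, ev.raw)
        return ev
    return rule

def drop_if(pattern: str) -> Rule:
    return lambda ev: None if re.search(pattern, ev.raw) else ev

def route_if(pattern: str, destination: str, index: str) -> Rule:
    def rule(ev: Event) -> Optional[Event]:
        if re.search(pattern, ev.raw):
            ev.destination, ev.index = destination, index
        return ev
    return rule

def process(ev: Event, layers: list[list[Rule]]) -> Optional[Event]:
    """Apply each layer's ruleset in order: heavy forwarder(s) first, indexer last."""
    for ruleset in layers:
        for rule in ruleset:
            ev = rule(ev)
            if ev is None:           # a filter rule at any layer ends processing
                return None
    return ev

# Constructed sample rulesets (illustrative model, not Splunk configuration syntax).
FORWARDER_RULES = [mask(r"\b\d{16}\b", "<PAN-MASKED>"), drop_if(r"\bDEBUG\b")]
INDEXER_RULES = [route_if(r"\baudit\b", "s3", "archive"),
                 drop_if(r"4111111111111111")]   # keyed on the unmasked PAN: never matches

def run(raw_events: list[str]) -> list[tuple[str, str, str]]:
    out = []
    for raw in raw_events:
        ev = process(Event(raw), [FORWARDER_RULES, INDEXER_RULES])
        out.append(("dropped", "", "") if ev is None else (ev.destination, ev.index, ev.raw))
    return out
```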

Indexer cluster manager redundancy

If you’re planning to deploy a high-availability or disaster-recovery Splunk environment using V8, you’ll encounter a bottleneck with backing up the indexer cluster manager. This is a critical component of the cluster, responsible for controlling essential processes such as bucket replication, indexer discovery, and search processes. It must be reachable by all search heads, indexer peers, and forwarders (when using the indexer discovery feature).

Splunk V8 does not offer an out-of-the-box solution for a smooth recovery of the indexer cluster manager in case of a failure. Instead, users have to use third-party technology to implement high availability for this crucial component of the Splunk environment.

Fortunately, Splunk V9 provides users with this important capability.

Configuration Change Tracker index

One of the most helpful new functionalities in Splunk V9 is configuration change logging, which helps with troubleshooting Splunk issues and identifying the root cause. This feature lets you track .conf file changes at the filesystem level through the new _configtracker index.
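A detection pass over _configtracker-style events, as an added example written for this post (not Splunk’s own tooling): it flags changes to a small watchlist of security-relevant settings, such as a monitor input being disabled. The nested `data.path` / `data.changes[].properties[]` layout, the watchlist and the sample records are assumptions made for illustration; check the field names against your own _configtracker index before using this.

```python
import json
from typing import Iterable

# Assumed watchlist for illustration: (conf file, stanza or "*" for any, property).
WATCHLIST = {
    ("server.conf", "general", "pass4SymmKey"),
    ("authentication.conf", "authentication", "authType"),
    ("inputs.conf", "*", "disabled"),
}

def flagged_changes(events: Iterable[str]) -> list[dict]:
    """Return every property change in the JSON events that hits the watchlist."""
    hits = []
    for line in events:
        data = json.loads(line).get("data", {})
        path = data.get("path", "")
        conf = path.rsplit("/", 1)[-1]            # e.g. ".../local/inputs.conf" -> "inputs.conf"
        for change in data.get("changes", []):
            stanza = change.get("stanza", "")
            for prop in change.get("properties", []):
                name = prop.get("name")
                if any(c == conf and s in ("*", stanza) and n == name for c, s, n in WATCHLIST):
                    hits.append({"path": path, "action": data.get("action"), "stanza": stanza,
                                 "name": name, "old": prop.get("old_value"),
                                 "new": prop.get("new_value")})
    return hits

# Constructed sample events shaped like _configtracker records (assumed layout, not real data).
SAMPLE = [
    json.dumps({"data": {"path": "/opt/splunk/etc/system/local/server.conf", "action": "update",
                         "changes": [{"stanza": "general", "properties": [
                             {"name": "pass4SymmKey", "old_value": "<redacted>", "new_value": "<redacted>"}]}]}}),
    json.dumps({"data": {"path": "/opt/splunk/etc/apps/myapp/local/inputs.conf", "action": "update",
                         "changes": [{"stanza": "monitor:///var/log/auth.log", "properties": [
                             {"name": "disabled", "old_value": "0", "new_value": "1"}]}]}}),
    json.dumps({"data": {"path": "/opt/splunk/etc/apps/myapp/local/props.conf", "action": "update",
                         "changes": [{"stanza": "syslog", "properties": [
                             {"name": "TIME_FORMAT", "old_value": "", "new_value": "%b %d %H:%M:%S"}]}]}}),
]

if __name__ == "__main__":
    for hit in flagged_changes(SAMPLE):
        print(hit)
```

The third sample (a TIME_FORMAT tweak) is deliberately benign and is not reported, while the disabled auth.log monitor is.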

Federated search functionality improvement

Splunk first introduced this feature in V8.2, and it proved beneficial to users with hybrid environments. The purpose of federated search is to let users apply Splunk’s powerful search, alerting and dashboarding capabilities to data from multiple Splunk deployments, even ones that are not self-managed. The feature had some limitations in V8, but these have now, at least partially, been addressed in the latest release.

V9 enhancements for this feature include:

  • Federated Search for Cloud to OnPrem Deployments: Customers can access insights across Splunk Cloud and on-prem Splunk deployments with search initiated from Splunk Cloud.
  • Transparent Mode: This feature enables existing customers using Hybrid Search to move to Federated Search without modifying existing SPL of the searches or dashboards.
  • Federated Search Support for Data Model Datasets, Data Model Acceleration, and the tstats Command: Users can now use the tstats command to search over accelerated data model datasets, which is especially useful for Splunk Enterprise security use cases.
  • Lookup command available for Federated Searches

Platform performance improvement

General performance improvements in Splunk V9 include:

  • Indexing performance: In V8, some customers reported slow indexing performance, especially when indexing large volumes of data. Version 9 has addressed this issue by introducing various indexing optimisations, resulting in faster and more efficient indexing.
  • Search performance: Some users experienced slow search performance in V8, particularly when searching large data sets. Version 9 comes with improved search performance, facilitated by several search optimisations such as improved parallelisation and distributed search.
  • User interface: Issues with the user interface in V8 included slow rendering times and unresponsive UI elements; V9 has an updated user interface featuring various UI optimisations and improvements.

Splunk V9 is a significant upgrade with features and enhancements that improve data processing efficiency, performance, and flexibility. The Ingest Actions feature allows users to perform actions on data as it’s ingested, while the Indexer Cluster Manager Redundancy and Configuration Change Tracker Index make for a smoother and more reliable environment. The Federated Search Functionality Improvement and Platform Performance Improvement features further enhance the search, alerting, and dashboarding capabilities of Splunk.

Overall, these new features will enable Splunk users to have a better experience in data analysis and troubleshooting. The full list of new features in Splunk Version 9 is available here.

If you’re considering whether to upgrade, check out this blog: Why you should upgrade to Splunk V9.
