Splunk Enterprise 6.6 Has Been Released
This blog post will cover the areas we have explored in the latest version of Splunk. In Splunk's latest version we have found that it is easier than ever for a wide range of administrators and users to leverage datasets, create dashboards, gather answers and share information. We have also experienced the improvements made to Indexer and Search Head Clustering, which make the platform much more manageable at large scale.
From hands-on experience with the Dataset Explorer introduced in Splunk Enterprise 6.5, we see improvements such as the dataset types now supported:
- Lookup files
- Data models
This makes managing datasets effortless within the new interface. Users can explore these prepared datasets and, all from one centralised location:
- Narrow the results with a time-range picker
- Schedule a report
- Investigate in search
- Visualize in pivot
- Export to CSV
Dashboard Drilldown UI Editor
The Dashboard Drilldown UI Editor comes in very useful when building dashboards. With the drilldown editor a user can:
- Link a click on a panel to a search
- Update token values in the dashboard
In previous versions, drilldown behaviour had to be edited in the source XML. Now a user can set up these actions directly in the GUI. In addition, Simple XML can still be used to extend these actions with conditional or other advanced configurations.
Search Processing Language
Splunk has optimised its Search Processing Language (SPL) to make both understanding and constructing queries easier, and has added the following:
- More syntax highlighting options
- Line numbers
- Dynamic line formatting (instead of having to use a hotkey)
- Expanding macros from the search bar
Tip: you can enable these options from the Account Settings dropdown under the user menu.
Union is a new SPL command that lets you merge two or more discrete datasets together. It is similar to the append command but more performant, in that it can be parallelized and run on your indexers, whereas append runs only on the search head.
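As an added example (not from the original post), the search below uses union to merge failed-login events from two constructed sources, a Windows Security log (EventCode 4625) and Linux sshd logs, into one dataset before aggregating by source address. The index names, sourcetypes and field names (wineventlog, linux_secure, Source_Network_Address) are assumptions; the Linux source address is extracted with rex because the raw sshd message has no such field.

```spl
| union
    [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
      | eval src=Source_Network_Address, platform="windows" ]
    [ search index=linux sourcetype=linux_secure "Failed password"
      | rex "from (?<src>\d{1,3}(?:\.\d{1,3}){3})"
      | eval platform="linux" ]
| stats count AS failures, dc(platform) AS platforms, values(platform) AS seen_on BY src
| where failures > 20
| sort - failures
```

Each subsearch is kept streaming (no stats or other transforming command inside it) so that the work of each can be distributed to the indexers; the single stats after the union then runs once over the merged results, which is the part that makes this faster than chaining the same searches with append.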
Performance and Scalability
With the latest release, Splunk has announced Indexer and Search Head Clustering improvements that make clusters easier to manage and more resilient to network and hardware failures.
A few of these scalability and performance enhancements for Indexer Clustering are:
- Avoidance of search disruption by automatically ensuring replicated data is available prior to taking a node offline
- A new manual detention option to selectively stop incoming and replication traffic to specific indexers, which allows better disk growth management and easier hardware migration tasks
- Faster indexer recovery through performance improvements
- The ability to push new apps (with reloadable configurations) without having to restart the cluster
Search Head Clustering (SHC) improvements include:
- A new Search Head Clustering management UI
- Continuous replication of knowledge objects across the SHC members
- Intelligent captain selection, which prevents out-of-sync SHC members from becoming captain
- New independent controls for user/role and system-wide quota management
- Performance improvements for bundle pushes and replication