Splunk Enterprise 6.6 New Features – Part I
Splunk Enterprise 6.6 introduces new features in Data Visualization, Indexer and Search Head Clustering, Knowledge Object management and more to enhance user experience. This series of Splunk 6.6 blog postings explores some of these new features in detail.
These new features bring further capabilities to the UI (User Interface) for interacting with data efficiently. On the back end, stability improvements ensure that data flow continues without interruption.
New Features in Splunk Enterprise 6.6
The following table lists the new features in Splunk 6.6:
| Category | Feature |
| --- | --- |
| User Experience | Dashboard Search Assistant |
| User Experience | Dashboard Drilldown UI Editor |
| User Experience | Trellis Layout |
| User Experience | Search Editor Enhancements |
| User Experience | Dataset Explorer |
| Platform | Indexer Clustering Enhancements |
| Platform | Search Head Clustering Enhancements |
| Management | Knowledge Object Reassign |
| Management | Search Head Clustering UI |
To analyze the new features, we created a virtual Splunk environment. The environment includes: Search Head Cluster (3 Search Heads), Indexer Cluster (2 Indexers), 1 Deployer, 1 Master node, 1 Monitoring Console (MC).
Reassign Knowledge Objects
Splunk 6.6 comes with a great new feature, Reassigning Knowledge Objects (KO), allowing the admin to migrate KOs individually or in bulk from one Splunk user to another. Ownership of objects such as reports, alerts, macros, tags, fields and advanced search can be changed from the UI. The admin can also reassign ‘orphaned’ KOs.
Removing a user from the system or deactivating their account results in the knowledge objects they previously owned becoming orphaned. KOs such as scheduled reports are unable to run because they have no owner. In previous versions, if you wanted to have these orphaned knowledge objects reassigned to another user, the Splunk admin would have to update configuration files manually.
To demonstrate this capability, as a Splunk admin, navigate to ‘All Configurations’ in the Knowledge section of the Settings menu.
At the top of the table, you can find a ‘Reassign Knowledge Objects’ option, which takes you to another page listing all KOs, both assigned and those orphaned by users who were removed and are no longer in the system. The Reassign KO page allows you to filter KOs by app, ownership or object type, or via a simple word search.
On the same page, we narrowed down the search to all KOs created by user ‘urwah’ in the search app. We get the option to reassign KOs individually or in bulk.
Select the new owner as admin and save for the changes to take effect. As we set up the KO ownership in the Splunk instance, the configurations will automatically synchronize with other members of the Search Head Cluster.
This new functionality in Splunk 6.6 makes it simple to migrate alerts, saved searches and macros between users. Admins should keep in mind that reassigning knowledge objects can allow access to previously inaccessible data. A reassigned object may also not work coherently with existing objects because of role restrictions. Objects should always be examined before reassigning ownership to maintain data integrity.
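One way to examine objects before reassigning them, as an added example that is not part of the original post: the script below parses the text of an app's `metadata/local.meta` file, where Splunk records each object's `owner`, and lists the objects whose owner is no longer an active user together with their `access` and `export` settings. The sample file content, the object names, the active-user set and the treatment of `nobody` as a non-orphaned owner are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample of an app's metadata/local.meta (not from the original post).
SAMPLE_LOCAL_META = """\
[]
access = read : [ * ], write : [ admin, power ]
[savedsearches/Failed%20Logins%20-%20Hourly]
owner = urwah
access = read : [ * ], write : [ admin ]
export = system
[macros/auth_index]
owner = nobody
[savedsearches/License%20Usage]
owner = admin
[views/auth_overview]
owner = urwah
"""

STANZA = re.compile(r"^\[(?P<type>[^/\]]+)/(?P<name>[^\]]+)\]$")

def parse_meta(text):
    """Return one dict per object stanza: type, decoded name, owner, access, export."""
    objects, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = STANZA.match(line)
            # App-level "[]" and type-level "[savedsearches]" stanzas name no object.
            current = None
            if m:
                current = {"type": m["type"], "name": unquote(m["name"]),
                           "owner": None, "access": None, "export": None}
                objects.append(current)
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("owner", "access", "export"):
                current[key] = value
    return objects

def orphaned(objects, active_users, special=("nobody",)):
    """Objects whose owner is set but is neither an active user nor a special owner."""
    keep = set(active_users) | set(special)
    return [o for o in objects if o["owner"] and o["owner"] not in keep]

if __name__ == "__main__":
    for o in orphaned(parse_meta(SAMPLE_LOCAL_META), {"admin"}):
        print(o["type"], repr(o["name"]), o["owner"], o["access"], o["export"])
```

An object that is exported to `system` or readable by `*` deserves a closer look before it is handed to a more privileged owner such as admin.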
© Discovered Intelligence Inc., 2017. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.