Splunk Enterprise 7.2 is the latest release from Splunk and was made available during Splunk .conf18 in Orlando. Many new features were added which will improve Splunk Enterprise from administration and user experience, to analytics and data onboarding.
New Features in Splunk Enterprise 7.2
The following table outlines the key features in the latest release:
|Admin||SmartStore||It allows decoupling of compute from storage, for large environments.|
|Admin||Workload Management||It provides mechanism to reserve system resource (CPU, memory) for ingestion and search workloads.|
|Admin||Splunk Component Monitoring||Continued improvements to the Splunk Component Monitoring Framework including new reports and additional features|
|User Experience||Dashboard Dark Mode||This feature enables easier use of Splunk dashboards on the NOC/SOC wall, and can be enabled from within the dashboard edit page.|
|Analytics||Splunk Metrics Workspace||This feature provides a visual analysis interface within the Search and Reporting app for monitoring and analyzing metrics data. It also lets you create alerts and dashboards based on metrics thresholds.|
|Platform||Metrics Enhancements||It allows index-time definition and extraction of log fields as metric data points.|
|Platform||Splunk on Docker||Docker containers are extremely portable and can run on a variety of operating systems. Helps to reduce the total cost of ownership associated with managing Splunk.|
|Platform||Machine Learning Toolkit 3.4||New pre-processing options, algorithms, and the Experiment Management Framework.|
|Data||Guided Data Onboarding||This feature assists users to get data from their desired sources into Splunk and provides steps by step instructions how to onboard data from some popular sources.|
Having recently upgraded to the new version, we will reflect on our favourite features so far. Let’s dive into some of the more exciting features in detail.
SmartStore is a architecture purpose built for massive scale, with the ability to size compute and storage independently. This can significantly lower hardware costs, but also reducing operational complexity. It also provides flexibility to deployment architecture and gives longer retention at lower cost.
There are a lot of benefits using SmartStore, few of them are listed below.
- Provide flexibility to deployment architecture
- TCO Reduction
- Simplified management and deployment
- Infrastructure costs slowing down expansion and limiting data retention time
- Data archival is not a solution since older data (~1 year) needs to be searchable
- performance is acceptable
Workload management gives you a policy to reserve system resource (CPU, memory) for ingestion and search. It allows administrators to map resource allocation to apps, roles and users. It also allows dynamic reassignment of resource groups, empowering power users to update resource allocation on-demand.
How to Setup:
To demonstrate this functionality , navigate to “Workload Management” in Settings Menu , which navigates you to Workload Management page where you can create workload pools and rules.
Workload management in Monitoring Console
Monitor workload management status and configuration can be accessed from Monitoring Console by navigating to Resource Usage > Workload Management
Some other features i.e Monitor deployment wide CPU and Memory usage by workload pool can also be accessed from Monitoring Console by navigating to Resource Usage >Workload Management
Monitor search activity by workload pool, using the Monitoring Console menu “Search” >”Activity” >”Search Activity: Instance
Dashboard Dark Mode
This is the most desired feature by users and also one of my favorite features, added in 7.2 is the dark mode dashboard. It’s a built-in setting from a UI configuration within the dashboard edit page.
How to enable dark theme from UI
Example Dashboard (Dark)
This feature can also be enabled in view mode after passing the parameter “theme=dark” after the “?” in the URL.
How to enable from URL
Splunk Metrics Workspace
Splunk Metrics Workspace provides you user friendly interface within the Search and Reporting app for monitoring and analyzing metrics data and accelerated data-sets without editing SPL. It lets you create alerts and dashboards from a single view and helps you to identify any aspects of your data that require further investigation.
How to setup:
In order to bring the workspace functionality to the Search & Reporting app, I have download the Metrics workspace app from Splunkbase. You can see new tab “Metrics” to the menu bar after the app installation.
The Splunk Metrics Workspace enables a lot of new features
- Select data sources to create interactive charts in the Analysis Workspace.
- Allow you to create alerts.
- You can monitor or share your findings through the dashboard.
- It allows you to create alerts and dashboards based on metrics thresholds
Guided Data Onboarding
This feature is a nice addition along with all new features. It provides guided instructions to users for Onboarding popular data sources such as Palo Alto.
How to add data
You can add data by navigating to “Add Data” in Settings Menu.
In conclusion, the newest Splunk release brings a lot of amazing new features for Splunkers that can be used immediately.
© Discovered Intelligence Inc., 2018. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.