Release Notes: What We Know About The Splunk Enterprise 9.1 Release

By Zubair Rauf, Team Lead, Professional Services

The world of data analytics is constantly evolving, now at a faster pace than ever as new technology is being introduced to process and analyze data faster and better than before. With the latest Splunk 9.1 release, Splunk is committed to helping organizations turn their raw data into actionable intelligence with new features and improvements. In this blog post we will recap some of those features and how they can help organizations turn data into action!

UI and UX Features

With every new release, Splunk focuses on improving the user experience. Some notable changes are recapped below:

Redesigned Home Page

The new home page has a tabbed layout with a sidebar. The updated sidebar lets users pin frequently used apps to the top and search apps by name for quick access. Five new tabs provide better organization: users can pick up where they left off with recently viewed knowledge objects, open Quick Links for common tasks and resources, view a home dashboard, view knowledge objects they created, and view knowledge objects shared with them.

This is what the new home page looks like in Splunk v9.1

Dashboard Studio Updates

The new version comes with several Dashboard Studio updates that improve how users interact with dashboards. Some notable changes are:

  • Export the data behind a visualization to a CSV file
  • Base and chain search behavior is updated – a base search no longer needs to rerun when the SPL of a chain search changes, and users can now create up to ten chain searches per base search. This translates to better dashboard performance.
  • The events viewer visualization is available in Dashboard Studio, with workflow actions that let users take predefined actions on events and fields.
  • Inputs can be placed on the canvas, so user inputs sit closer to the panels they affect and are easier to interact with.
  • Users can choose to show or hide panels in the Absolute layout depending on whether there is data to display
  • Map visualizations gain choropleth map layers
  • A configuration UI is introduced for chart axis options that were previously only editable in source code
  • Trellis layout is now available for single value visualizations

Health Report Enhancements

The health report has new enhancements that allow users to:

  • Disable individual features in the distributed health report to remove noise
  • Track user-modified threshold values and restore the defaults
  • Rely on new built-in validation for indicator thresholds and feature names

Splunk 9.1 also introduces these UI features:

  • Dark and light mode for the Search & Reporting app
  • Search history is now preserved across the members of a search head cluster by storing it in the KV Store
  • The Triggered Alerts page has a new backend framework to improve accessibility
  • Classic (Simple XML) dashboards now warn users if a script is detected in the dashboard XML before running it, so a dashboard that loads custom JavaScript is no longer executed silently
  • Admins can control how searches are shared through Splunk Web
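The new warning for scripts in classic dashboards is worth reproducing as a pre-upgrade triage step: before you turn the feature on, find out which dashboards will trigger it. The following is an added example written for this post, not Splunk's own check. It parses a Simple XML dashboard and reports the two places JavaScript usually enters: the `script` attribute on the root `<form>`/`<dashboard>` element (which loads a JavaScript file from the app's static directory) and inline `<script>` tags inside `<html>` panels. The sample dashboard is constructed for the example, and the function names are our own.

```python
"""Scan a Splunk Simple XML dashboard for referenced or inline JavaScript.

Added example for this post, not Splunk's own implementation of the 9.1
warning. It flags the same thing the warning is about: a classic dashboard
that would run custom JavaScript in the viewer's browser.
"""
import xml.etree.ElementTree as ET

# Constructed sample dashboard: references an app JavaScript file through the
# root 'script' attribute and also carries an inline <script> inside an
# <html> panel. The third panel is an ordinary chart and should not be flagged.
SAMPLE_DASHBOARD = """<form version="1.1" script="custom_viz.js, helpers.js" stylesheet="theme.css">
  <label>Ops Overview</label>
  <row>
    <panel>
      <html>
        <h2>Welcome</h2>
        <script>document.title = "changed by dashboard";</script>
      </html>
    </panel>
    <panel>
      <chart>
        <search><query>index=_internal | timechart count</query></search>
      </chart>
    </panel>
  </row>
</form>"""

# Constructed sample with no JavaScript at all.
CLEAN_DASHBOARD = """<dashboard version="1.1">
  <label>Clean</label>
  <row><panel><table><search><query>index=main | head 5</query></search></table></panel></row>
</dashboard>"""


def find_scripts(xml_text):
    """Return a list of (kind, detail) findings for every script in the dashboard.

    kind is 'script_attribute' for each file named in the root element's
    'script' attribute (comma-separated in Simple XML), or 'inline_script'
    for a <script> element anywhere in the document, with its text as detail.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Custom JavaScript files are attached to the root <form> or <dashboard>
    # element; the attribute may list several files separated by commas.
    script_attr = root.get("script")
    if script_attr:
        for name in script_attr.split(","):
            name = name.strip()
            if name:
                findings.append(("script_attribute", name))

    # Inline <script> elements, typically embedded in <html> panels.
    for element in root.iter("script"):
        findings.append(("inline_script", (element.text or "").strip()))

    return findings


def needs_warning(xml_text):
    """True if the dashboard would trigger a 'script detected' warning."""
    return len(find_scripts(xml_text)) > 0


if __name__ == "__main__":
    for kind, detail in find_scripts(SAMPLE_DASHBOARD):
        print(f"{kind}: {detail}")
    print("warning needed:", needs_warning(SAMPLE_DASHBOARD))
```

Run this over the `data/ui/views/*.xml` files of each app (and any dashboards stored in the KV Store or via REST) to get an inventory before the upgrade; a dashboard that references a `.js` file it does not ship, or that contains inline script written by a non-admin user, is the case the new warning is meant to catch.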

Under The Hood

Splunk 9.1 comes with a lot of new features and enhancements under the hood that will greatly improve Splunk capabilities for data ingestion, search, disaster recovery and more.

Ingest Actions

Ingest actions has been a strong feature since its launch. It lets customers filter, mask and route data during ingestion, and configure all of this from the UI without editing .conf files. Some improvements to ingest actions we took note of are:

  • Multiple S3 destinations are now supported for routing, with a maximum of 8 destinations per provider
  • Using a combination of sourcetype name and timestamp, users can now partition S3 output so that all logs do not end up in the same folder of an S3 bucket
  • Cross-account KMS encryption is supported
  • Output can be tuned for better federated search performance, with more control over batch size, compression type and JSON output

Federated Search

Federated search, originally introduced in Splunk Enterprise 8.2, allows users to run a unified search across multiple Splunk environments, including Splunk Cloud and on-prem deployments. Splunk 9.1 brings some much-needed enhancements to the federated search experience.

  • New remote dataset types are introduced for standard mode federated search. These include:
    • Metrics index datasets, which let users run the mstats command against remote metrics indexes in a federated search
    • Last job datasets, which expose the most recent results of remote scheduled searches as searchable datasets
  • Splunk admins can now deactivate federated providers so users can't search those datasets, deactivate individual federated indexes, and deactivate users' ability to run transparent mode federated searches
  • Standard mode now also allows wildcard searches across multiple indexes
  • Support for accelerated data models has been improved
  • Better access control on federated providers to restrict which federated indexes users can search in transparent mode

License Manager

Splunk 9.1 now supports a highly available license manager architecture, removing the dependence on a single license manager. Customers with an unlimited license can deploy multiple license managers (which can be in different regions) behind a load balancer.

Search Head Cluster

Search head clusters running Splunk Enterprise 9.1 now support automated rolling upgrades, which reduces the complexity of the upgrade process for admins.

Search

A notable improvement in search is support for parallel reduction of the lookup command. Searches using the lookup command can now leverage the processing power of the indexers to return results, which improves search efficiency, especially for high-cardinality data.

Version 1 of the stats command has been deprecated and is replaced by version 2; users still running searches that rely on the old version will see a warning banner.

Our Assessment

Splunk Enterprise 9.1 has introduced a lot of new features and improved on existing features that will help users understand their data faster and better. We are pleased with what we see, and it reinforces our belief that Splunk continually improves to make our journey more effective. We think it is worthy of upgrading to the newest version as soon as possible.

There are a lot of other features and enhancements introduced with Splunk Enterprise 9.1 for improving performance and user experience. Details on the additional features can be found here.

If your organization is thinking about buying Splunk to start your data journey or upgrading an older version of Splunk to 9.1 to benefit from the latest features, reach out to me or another of our Splunk experts by filling the form below.