Splunk Enterprise is a platform widely used by SOCs to collect, analyse and visualise machine data from across a business or IT estate. It aggregates data from many sites, applications, sensors and devices, parses and indexes it, and makes the result viewable and searchable for your operators.

Splunk Enterprise 9.0 has just been rolled out and there are a plethora of new features and updates (both major and minor) to be noted with this release.

Arguably the biggest change in this version is a new UI that lets admins author, preview and deploy ingest-time rules for events more efficiently. Among the capabilities it offers admins:

  • Admins can upload files of up to 5GB, or copy and paste event logs, to preview rules in the authoring environment.
  • Events can be routed to AWS only, or to both AWS and Splunk indexing.
  • The ruleset authoring environment previews which events are unaffected by a given rule.
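As an added illustration (this is not Splunk's code and not a reproduction of how its ingest-time rules are implemented), the following Python sketch models an ordered ruleset of filter, mask and route rules, applies it to a few constructed events, and reports which events no rule touched, the "unaffected" preview described above. The rule semantics (rules evaluated in order, a filter match dropping the event, the default destination being the Splunk index) are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample events for the preview (not real logs).
SAMPLE_EVENTS = [
    "2022-06-01T10:00:01Z sshd[1042]: Failed password for root from 203.0.113.9 port 50122 ssh2",
    "2022-06-01T10:00:02Z payment: card=4111111111111111 amount=12.50 status=ok",
    "2022-06-01T10:00:03Z app DEBUG heartbeat ok",
    "2022-06-01T10:00:04Z dns: query example.com A from 198.51.100.4",
]


@dataclass
class Rule:
    kind: str               # "filter", "mask" or "route" (assumed rule types)
    pattern: str            # regex matched against the raw event text
    replacement: str = ""   # mask only: substitution for each regex match
    destination: str = ""   # route only: "aws" or "aws+splunk"


@dataclass
class Result:
    original: str
    event: Optional[str]                      # None once a filter rule drops the event
    destinations: List[str] = field(default_factory=lambda: ["splunk"])
    matched: List[str] = field(default_factory=list)   # kinds of rules that fired


def apply_ruleset(events: List[str], ruleset: List[Rule]) -> List[Result]:
    """Run every event through the rules in order and record what happened to it."""
    results = []
    for raw in events:
        res = Result(original=raw, event=raw)
        for rule in ruleset:
            if res.event is None:          # already filtered out; later rules never see it
                break
            rx = re.compile(rule.pattern)
            if not rx.search(res.event):
                continue
            res.matched.append(rule.kind)
            if rule.kind == "filter":
                res.event = None
                res.destinations = []
            elif rule.kind == "mask":
                res.event = rx.sub(rule.replacement, res.event)
            elif rule.kind == "route":
                res.destinations = ["aws"] if rule.destination == "aws" else ["aws", "splunk"]
            else:
                raise ValueError(f"unknown rule kind {rule.kind!r}")
        results.append(res)
    return results


def unaffected(results: List[Result]) -> List[str]:
    """Events that reached the end of the ruleset without any rule matching."""
    return [r.original for r in results if not r.matched]


# Constructed ruleset: drop debug noise, keep only the last four card digits,
# and send SSH authentication events to both AWS and the Splunk index.
RULESET = [
    Rule("filter", r"\bDEBUG\b"),
    Rule("mask", r"card=\d{12}(\d{4})", replacement=r"card=************\1"),
    Rule("route", r"sshd\[\d+\]", destination="aws+splunk"),
]


def preview(events: List[str] = SAMPLE_EVENTS, ruleset: List[Rule] = RULESET) -> List[Result]:
    return apply_ruleset(events, ruleset)


if __name__ == "__main__":
    for r in preview():
        state = "DROPPED" if r.event is None else f"-> {','.join(r.destinations)}"
        print(f"{state:16} {r.event or r.original}")
    print("unaffected:", unaffected(preview()))
```

Rule order matters in this model: placing the filter first means a noisy event is dropped before any masking work is done, and an event nothing matches still goes to the Splunk index untouched, which is exactly why a preview of unaffected events is useful before a ruleset is deployed.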

The second big addition is Splunk Assist. A fully managed cloud service, it brings the insight capabilities of the Splunk Cloud Platform to self-managed Splunk Enterprise, alerting operators with cloud-powered recommendations and helping them follow best-practice standards when managing larger and more complex deployments. Because the recommendations are generated in the cloud, enabling Assist means your deployment sends data to Splunk's service; check that against your outbound network and data-handling policies before turning it on.

One important point: if your organisation uses third-party or custom apps that integrate with Splunk Enterprise or Splunk Cloud Platform, check their compatibility before upgrading. An app that was previously compatible with both will most likely carry forward; otherwise, test it in a staging environment to ensure all your systems continue to function as intended.

Dozens of other updates ship with this release, including changes to Dashboard Studio and to reporting. The complete release notes for Splunk Enterprise 9.0 can be found here.

Also of note, a half-dozen items are deprecated in this release. Commands such as audit, creaters, file and _reload are deprecated and disabled by default, so review any saved searches, alerts or dashboards that still rely on them before upgrading. In addition, Splunk-to-Splunk (S2S) protocol version 3 and lower are no longer supported, so confirm that older forwarders in your estate are on a version that speaks a newer protocol before indexers are upgraded. For the complete list of deprecated features please view this document.

You can review this document to learn more about the details of making the switch. You can also visit Splunkbase to check whether your apps and add-ons are compatible with the new version.

Considering upgrading your Splunk Enterprise release but not sure if your apps are compatible or your process is sound? Please send a note to friends@metronlabs.com and our team will be happy to connect.