Last week, we presented a webinar titled “7 Reasons to Upgrade to Splunk 7.” During the presentation, we provided an overview of the top features in both versions 7.0 and 7.1, along with upgrade best practices.
1 – Faster Data Model Acceleration – Splunk 7.0
Splunk 7.0 provides significant improvements to Data Model acceleration over previous versions. Acceleration lag is up to one third lower than in version 6.5, and the acceleration search runtime is up to 3 times faster than in version 6.5. This means that fewer CPUs are occupied at any given time and hardware usage is more efficient. Acceleration data is also now available immediately, so there's no need to wait for a large bucket to be accelerated.
This feature is primarily targeted at Splunk Enterprise Security (ES) users because data models power ES. However, by installing the Common Information Model add-on, anyone can take advantage of Data Model acceleration.
2 – Event Annotation and Chart Enhancements – Splunk 7.0
Event annotations provide the ability to correlate discrete events with time-series metrics to provide deeper context for your data. If you have any type of chart and you want to place any type of events on the chart, event annotation is a great way to do that.
Some example use cases for Event Annotation include:
- Correlate code check-ins against application performance metrics
- Overlay marketing events such as campaigns or news announcements
- Overlay service monitoring events with specific application metrics to identify chain effects
- Correlate firewall changes to increases or decreases in traffic volume
There are some limitations to Event Annotation. First, event annotation can only be applied to time-series charts such as line, column, or area charts. Also, in Splunk 7.0 and 7.1, event annotations can only be configured using SimpleXML, and a PDF export will not show the annotation.
In addition to Event Annotation, new chart enhancements provide a better monitoring experience in dashboards. New chart options include:
- charting.lineWidth – Change line width (pixels) for all line series in a chart
- charting.data.fieldHideList – Defines a list of fields to hide from results
- charting.legend.mode – Choose Standard or SeriesCompare. Standard is the default; SeriesCompare is useful for comparing series data because it disables the shortening of field names in the legend, which makes most charts more readable.
- charting.fieldDashStyles – Select dash line styles to use for each field (11 options available). Be sure to select a style that represents your data without giving the appearance of missing data.
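Because event annotations and the new chart options are all configured in SimpleXML, it is worth checking a dashboard against the limitations above before deploying it. The script below is an added example, not code from the original post or from Splunk: it embeds a constructed dashboard for the firewall-change use case (an annotation search overlaid on a traffic-volume timechart) and lints each `<chart>` for the constraints described in the text. The index, sourcetype and field names are assumptions; `<search type="annotation">`, the `annotation_label`/`annotation_category` result fields and `charting.annotation.categoryColors` are Splunk's annotation syntax.

```python
import json
import xml.etree.ElementTree as ET

# Constraints from the post: annotations only on time-series charts, and the accepted values of the 7.0 options.
TIME_SERIES_CHARTS = {"line", "column", "area"}
LEGEND_MODES = {"standard", "seriesCompare"}
DASH_STYLES = {"solid", "dash", "dashDot", "dot", "longDash", "longDashDot",
               "longDashDotDot", "shortDash", "shortDashDot", "shortDashDotDot", "shortDot"}

# Constructed Simple XML dashboard (not from the original post); index, sourcetype and field names are assumptions.
SAMPLE_DASHBOARD = """<dashboard>
  <row><panel><chart>
    <search>
      <query>index=fw sourcetype=firewall_traffic | timechart span=5m sum(bytes) AS bytes</query>
      <earliest>-24h</earliest><latest>now</latest>
    </search>
    <search type="annotation">
      <query>index=fw sourcetype=firewall_config | eval annotation_label=admin." ".cmd, annotation_category="config_change"</query>
      <earliest>-24h</earliest><latest>now</latest>
    </search>
    <option name="charting.chart">line</option>
    <option name="charting.lineWidth">2</option>
    <option name="charting.legend.mode">seriesCompare</option>
    <option name="charting.data.fieldHideList">["_span"]</option>
    <option name="charting.fieldDashStyles">{"bytes": "solid"}</option>
    <option name="charting.annotation.categoryColors">{"config_change": "0xff0000"}</option>
  </chart></panel></row>
</dashboard>"""

def lint_dashboard(xml_text):
    """Return a list of problems found in each <chart> of a Simple XML dashboard."""
    problems = []
    for i, chart in enumerate(ET.fromstring(xml_text).iter("chart")):
        opts = {o.get("name"): (o.text or "").strip() for o in chart.findall("option")}
        chart_type = opts.get("charting.chart", "column")   # column is the default when unset
        if chart.find("search[@type='annotation']") is not None and chart_type not in TIME_SERIES_CHARTS:
            problems.append(f"chart {i}: annotations need a line/column/area chart, not {chart_type}")
        if opts.get("charting.legend.mode", "standard") not in LEGEND_MODES:
            problems.append(f"chart {i}: unknown charting.legend.mode {opts['charting.legend.mode']!r}")
        try:
            hide = json.loads(opts.get("charting.data.fieldHideList", "[]"))
            styles = json.loads(opts.get("charting.fieldDashStyles", "{}"))
        except json.JSONDecodeError as exc:
            problems.append(f"chart {i}: option is not valid JSON ({exc})")
            continue
        if not (isinstance(hide, list) and all(isinstance(f, str) for f in hide)):
            problems.append(f"chart {i}: charting.data.fieldHideList must be a JSON array of field names")
        for field, style in styles.items():
            if style not in DASH_STYLES:
                problems.append(f"chart {i}: unknown dash style {style!r} for field {field!r}")
    return problems
```

Run it against your own dashboard XML (for example the file under an app's `default/data/ui/views/` directory) before pushing a change; an empty list means every chart passed.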
3 – Self-Service App Management – Splunk Cloud
This feature is, of course, only available for Splunk Cloud customers. In the past, most app management was done through Splunk Cloud support. Now Splunk is allowing customers to perform more app management within Splunk Cloud themselves.
Self-service app management is available for most Splunk-certified and internally built apps and add-ons. The new app management interface allows for easier management, app updates, self-service installation, and resolution of dynamic app dependencies. Self-service app management provides more robust app deployment with self-service action retries and better restart notifications.
Note that one limitation of self-service app management is that Enterprise Security instances cannot be managed this way, so app and add-on installs for Cloud ES search heads still need to be done through a ticket with Splunk Cloud support.
4 – Refined Splunk User Interface – Splunk 7.1
The new Splunk interface has a clean, modern look, with a standardized style across Splunk products and Splunk.com. The updated interface also improves usability with an updated search page, events viewer, listing pages, and tables.
5 – Site Wide Diagnostic Generation – Splunk 7.1
This feature is particularly useful for those who are managing Splunk in a distributed environment. It provides an easy-to-use interface for generating diags from Splunkweb across a distributed deployment.
This feature provides easy-to-configure diag parameters, and you can recreate a diag from the parameters used previously. The settings you used for the original diag are retained, so you can quickly generate a new one. This is helpful when working with Splunk Support, where you may want to create a diag, troubleshoot, and later recreate it.
Diags can be generated from any instance but common choices are those Splunk instances with several search peers such as the Monitoring Console (Distributed) or Search Head. They can also be downloaded and deleted when cleanup is needed.
6 – Rolling Upgrades for an Indexer or Search Head Cluster – Splunk 7.1
To be honest, when reviewing this feature, I had doubts about how robust it would be. But on further review, this is really an amazing new feature in Splunk 7.1.
This feature allows an engineer to sequentially upgrade indexer or search head members with minimal search impact. It preserves the ability to perform searches across your environment. The limitation to this feature is that you must be running Splunk version 7.1.0 or higher to take advantage of it.
7 – Local Login Password Refinements – Splunk 7.1
These refinements are really nice because Splunk now enables you to enforce password policies for new installations, including:
• Minimum number of characters in a password
• Complexity requirements – use of numerals, special characters, upper- and lower-case letters
• Users with weak passwords can be forced to change them
• User lockout after repeated failed login attempts
• Expiration of passwords and preventing reuse of old passwords
• Splunk Enterprise no longer ships with a default password – the administrator must set one
• All these changes apply to new installations and do not impact software upgrades
These changes don't affect existing installations, nor do they affect users who log in through Active Directory or SAML.
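The policies listed above are stored in the `[splunk_auth]` stanza of authentication.conf, so an administrator can audit a server's settings against a baseline instead of trusting that the defaults were kept. The script below is an added example, not code from the original post or from Splunk; the key names are those of authentication.conf in Splunk 7.1 (confirm them against authentication.conf.spec for your version), the sample stanza is constructed, and the baseline thresholds are assumptions to adjust to your own policy.

```python
import configparser

# Constructed sample [splunk_auth] stanza (not from the original post). Key names are
# those of authentication.conf in Splunk 7.1; confirm them against authentication.conf.spec.
SAMPLE_CONF = """[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 1
minPasswordDigit = 1
minPasswordSpecial = 0
forceWeakPasswordChange = true
lockoutUsers = true
lockoutAttempts = 5
expirePasswordDays = 90
enablePasswordHistory = false
"""

# Baseline built from the policy items in the post; the thresholds are assumptions.
POLICY = {
    "minPasswordLength": ("min", 12),
    "minPasswordUppercase": ("min", 1),
    "minPasswordDigit": ("min", 1),
    "minPasswordSpecial": ("min", 1),
    "forceWeakPasswordChange": ("true",),
    "lockoutUsers": ("true",),
    "lockoutAttempts": ("max", 10),
    "expirePasswordDays": ("max", 90),
    "enablePasswordHistory": ("true",),
    "passwordHistoryCount": ("min", 12),
}

def audit_password_policy(conf_text):
    """Return one finding per POLICY key that is absent or weaker than the baseline."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # Splunk keys are case-sensitive; keep them as written
    cp.read_string(conf_text)
    stanza = cp["splunk_auth"] if cp.has_section("splunk_auth") else {}
    findings = []
    for key, rule in POLICY.items():
        raw = stanza.get(key)
        if raw is None:           # absent: Splunk's shipped default applies, so flag it
            ok = False
        elif rule[0] == "true":
            ok = raw.strip().lower() in ("true", "1")
        elif rule[0] == "min":
            ok = int(raw) >= rule[1]
        else:                     # "max": a value of 0 is treated as the control being off
            ok = 1 <= int(raw) <= rule[1]
        if not ok:
            findings.append(f"{key}={raw}: does not meet policy {rule}")
    return findings
```

Point it at the merged configuration (the output of `splunk btool authentication list --debug`) rather than a single file, since a weaker value in an app's local directory can override the one you expect.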
Bonus Feature – Metrics!
Metrics are a valuable new feature in Splunk 7 and have been further refined in Splunk 7.1. Metrics provide a way to send numeric data into Splunk in a structured format that is much more efficient than previous methods. A metric is a specific measurement containing a timestamp, name, value, and dimensions, where the dimensions provide metadata about the metric. Using Metrics can result in significant performance improvements for this type of data.
Splunk 7.0 and 7.1 Upgrade Considerations
When planning your upgrade, it’s important to always check app compatibility. This is especially true for Enterprise Security, which can be tricky about version compatibility.
Splunk version 7.0 and 7.1 are very stable, and now is the time to upgrade. There will likely be numerous additional features released later this year at .conf18. Now is the time to get to version 7.1 and catch up on new features before new ones are released!
SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.