What's new

This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.

The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.

Also discover what's new in the following features of Splunk Cloud Platform:

Version 10.2.2510

What's New release notes for this release.

New feature, enhancement, or change Description

Federated provider names are now case-insensitive

As of this release, federated provider names are case-insensitive for the following products:
  • Federated Search for Splunk

  • Federated Search for Amazon S3

  • Federated Analytics for Amazon Security Lake

For example, say you have a provider named MyProvider and you try to create a new provider with a Provider name of myprovider. In this instance, Splunk software prevents you from creating the new provider until you choose a Provider name that is unique, regardless of alphabetical character case.

Note: If you are upgrading from a previous version of the Splunk platform, this might be a breaking change. If you have two or more federated providers in your Splunk platform deployment with names that differ only by case (such as one named MyProvider and another named myprovider), you must change the duplicate provider names to unique strings.

There are two ways to accomplish this:

  • You can delete and recreate the federated providers with duplicate names.

  • If you have access to the .conf files for your Splunk platform deployment, you can edit the duplicate federated provider names directly in federated.conf. You cannot edit federated provider names in Splunk Web.

If you choose to not delete or replace duplicate provider names, Splunk software uses the first name that appears in federated.conf. For example, if the MyProvider stanza appears before the myprovider stanza in federated.conf, Splunk software references only the MyProvider stanza when it receives any version of the string "myprovider".
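Before upgrading, you can scan federated.conf for provider names that differ only by case. The following is an added example, not Splunk code: it assumes provider stanzas are written as [provider://<name>], approximates the case-insensitive comparison with Python's lower(), and runs against a constructed sample file.

```python
import re

# Assumption: federated provider stanzas look like [provider://<name>].
PROVIDER_STANZA = re.compile(r"^\s*\[provider://([^\]]+)\]\s*$")

# Constructed sample content, not taken from a real deployment.
SAMPLE_CONF = """\
[provider://MyProvider]
type = splunk
hostPort = sh1.example.com:8089

[provider://archive_s3]
type = splunk

[provider://myprovider]
type = splunk
hostPort = sh2.example.com:8089
"""


def find_case_collisions(conf_text):
    """Return groups of provider stanzas whose names differ only by case.

    Each group is a list of (line_number, name) in file order, so the first
    entry is the stanza the release note says is used and the rest are the
    ones that are ignored until they are renamed.
    """
    groups = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = PROVIDER_STANZA.match(line)
        if match:
            name = match.group(1).strip()
            # Assumption: lower() approximates the product's case folding.
            groups.setdefault(name.lower(), []).append((lineno, name))
    return [
        entries for entries in groups.values()
        if len({name for _, name in entries}) > 1
    ]


if __name__ == "__main__":
    for entries in find_case_collisions(SAMPLE_CONF):
        (first_line, first_name), shadowed = entries[0], entries[1:]
        print(f"used: {first_name} (line {first_line})")
        for lineno, name in shadowed:
            print(f"  rename before upgrade: {name} (line {lineno})")
```

To check a real deployment, pass the contents of each federated.conf you can access to find_case_collisions instead of the sample string.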

Federated Analytics for Amazon Security Lake: Optional workload optimization for data lake indexes

If you use Federated Analytics for Amazon Security Lake, you now have the option to drive down the storage cost of your data lake indexes by turning off raw term search on those indexes. With this optimization enabled, your data lake indexes have reduced indexing and storage cost, with the trade-off being that the optimized indexes support only key-value search.

For more information, see Set up data ingest and retention rules for data lake indexes.

SPL2

SPL2 extends the existing SPL language by incorporating several powerful features. These features simplify data access and analysis while also providing support for complex investigations and data management workflows. With SPL2, you can write searches using either SPL or SQL syntax. This simplifies learning and using the language, and adds consistency to the language.

SPL2 is a unified search and streaming language, offering a single syntax for searching data in Splunk indexes, accessing federated data stores, and preparing data in-stream across various Splunk products. SPL2 is fully compatible, and can operate in parallel, with SPL.

TLS verification for inter-sidecar communication

To enhance security, each sidecar uses a server data plane certificate when communicating with other sidecars through the direct port of the destination sidecar. Over a Transport Layer Security (TLS) connection on the direct port, the connecting sidecar verifies the certificate of the destination sidecar to ensure a trusted connection.

For more information, see Inter-sidecar communication.

DDAA supported on Azure

Splunk Dynamic Data Active Archive (DDAA), now supported on Azure, provides secure, long-term data retention for Splunk Cloud Platform. Using this Splunk-managed archive, you can restore your archived data within 24 hours and make it searchable for up to 30 days. DDAA eliminates the need for continuous indexing or additional infrastructure. It ensures data durability and security by extending retention beyond the searchable retention period.

Redesigned workflow: Index Archiving Configuration

To enhance user experience, the Add new index dialog box has been redesigned to offer a clearer and more intuitive workflow for configuring index archive settings. The dialog box now displays the Your Total Retention (days) section that indicates the number of days the archive is retained. The Splunk software calculates this number based on the Searchable retention (days) and Total retention settings that you specify.

For more information, see Configure archive settings for an index.

SPL2 support for Dashboard Studio

In Dashboard Studio, you can use SPL2 data sources in dashboards by doing one of the following:
  • Create an SPL2 query from within a dashboard

  • Reference an existing view from an SPL2 module

See Create search-based visualizations with SPL2.

Targeted app installation on Victoria Experience (AWS only)

(controlled availability)

Splunk Cloud Platform on Victoria Experience now offers targeted app installation.

Previously, Splunk Cloud Platform installed apps by default on all search heads across a Victoria Experience deployment. With targeted app installation, you can now install apps on specific search heads or search head clusters, making it easier to isolate apps and control user access.

This enhancement aligns app installation features in Victoria Experience with Splunk Cloud Platform Classic Experience and Splunk Enterprise.

See Targeted app installation on Victoria Experience.