Written by Rik Oomes

5 new features in Splunk 8.1

Data | 6 minutes reading time

A year after Splunk's big release of version 8, the company has now released Splunk 8.1 during its legendary (and this time virtual) Conf2020. As each release brings many new features, in this article I would like to highlight some of them and discuss why they are interesting for users and admins, based on my own practical experience.

The new features that I would like to touch upon are:

  • SPL search history shortcut
  • Search comments
  • Table views
  • Search banner
  • Workload management rules

Splunk search history shortcut

Imagine you have the task of developing a new monitoring dashboard for your team, and each of the panels has a somewhat similar search. While developing each panel, you probably run multiple searches before arriving at the final query. In previous versions of Splunk, each new search query overwrote the previous one in the search bar. If you wanted to reuse an earlier query, you specifically had to go to the search history panel to find it, unless you had copied it to your clipboard. In other words, your search history lived in a different place and required extra clicks, which meant more time spent finding previous searches and sometimes made searching less comfortable. This little issue is now solved in the new release of Splunk 8.1.

Splunk has now added a shortcut feature that lets you quickly jump to previous search queries you performed. The shortcuts are Alt/Ctrl P (for previous) and Alt/Ctrl N (for next), depending on your operating system. Personally, I am very enthusiastic about this feature as it helps in actually spending time on performing searches instead of finding previous queries.

Search Comments

Another little feature that improves the experience of building searches and dashboards is the ability to add comments to search queries. As when writing scripts, you can use them to make your search clear for others or to leave a reminder for yourself when you continue the next day. This can be really helpful for Splunk users as well as admins.

For instance, your comment could state what you are trying to achieve with the search or explain the reason for a certain argument in your query. When troubleshooting, you can also indicate specifically which argument you are struggling with.

From my admin experience, I once found this terrible search with 21 sub-searches from a certain user, which he had copied to multiple dashboards at his department. He probably was very proud of getting this big search to work. However, for me as a Splunk admin who wants to keep his platform running smoothly and efficiently, I wanted to help him out in improving his search. But looking at his query without the purpose or his ideas behind this big search made it challenging to support. In this case, comments would definitely help in making a long search more readable, as they could state why certain decisions were made or the reasons for an argument. The possibility of adding comments can also help admins in supporting their Splunk users.

You can add a comment by placing three backticks (```) before and after the comment text.
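As an added illustration (a constructed search, not one from the original post or from Splunk), here is how such comments look inside a query. The index name and the threshold are made up; the comments are stripped before the search runs, so they can sit between pipes or before the first command:

```spl
``` Constructed example: failed Windows logons per user over the selected time range ```
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
    ``` EventCode 4625 = an account failed to log on. The index is named explicitly on purpose: index=* would scan every index ```
| stats count AS failures BY user
| where failures > 20
    ``` threshold of 20 is illustrative only; tune it to your own baseline ```
| sort - failures
```

A reader who opens this search in a dashboard panel months later can see both what it reports and why the threshold and the index filter were chosen, which is exactly the situation described above.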

Table views

For Splunk users who are unfamiliar with writing Splunk queries or who are new to Splunk, there is now a new feature called "Table views". It allows you to easily create a table by clicking through the UI, and it has been added to the datasets tab. As can be seen in the displayed figure, you simply specify which index, source and host you want to search and how you want your table laid out. In the background, Splunk automatically writes the query for you, which you can then easily export to a dashboard. Personally, I believe this is a great feature, especially for novices. I have seen in multiple companies that the adoption of Splunk is sometimes somewhat challenging for teams, as they have to start writing queries, which is not common for each and every person. I believe this feature could remove some of the challenges when starting with Splunk.

Search Banner

Imagine that you, as a Splunk admin, are going to implement a big change (like updating to Splunk 8.1) on your Splunk platform and you need to inform all your Splunk users about when this is going to happen and where they can find more information. Or imagine that you need to restart the search head during the day, which impacts the users. How can we ensure that we reach all our Splunk users? That is a question I have seen come up a couple of times in these kinds of cases. The new banner feature makes it possible to communicate with all current Splunk users by displaying a bar at the top of the Splunk page. This bar can be shown in multiple colors and may contain a message or a link to a certain page. Personally, I am very enthusiastic about this feature. I have been in a position where I had to send an email to 1500+ Splunk users during a summer period regarding a change that we were going to perform, and received 400+ out of office replies in my personal inbox. The intention was to reach every Splunk user who was using Splunk at that time. However, as we only had a list of registered Splunkers available, we had to contact everyone, as we did not know who was actually using Splunk that week. This banner feature can now support us Splunk admins in reaching out to our Splunk users. Great work Splunk!

Workload Management Rules

Workload management, the management of workloads on a Splunk platform, was already introduced in an earlier release. However, in this release Splunk has also added admission rules. These rules support the management of workloads depending on business needs. For instance, very often in practice, Splunk users who have discovered the wildcard trick define index=* coupled with some search terms in their query in order to find their data.

It could be that they do not know the name of their index, or some are simply too lazy to investigate what the index is and therefore decide to use "index=*". As a consequence, running a query with this search term over a longer period of time can have a very negative impact on the performance of the Splunk platform. You could compare this to going to a library where you need to go through every single book, because you do not know in which category the information you are looking for resides. You are simply telling Splunk to look through every single index over a certain time period, which takes processing power and so impacts other users who want to run search queries as well. With workload management admission rules, you can now instruct Splunk to filter out wildcard searches, which reduces the unexpected workloads on your platform. Besides wildcard searches, it is also possible to filter "all time" time range searches or to disallow searches during peak hours. So, this is a great feature to support admins in controlling their platform and reducing the chance of unexpected workloads.
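Before switching such an admission rule on, it helps to know how much wildcard and all-time searching actually happens on your platform, and which users it would affect. The search below is an added example (not from the original post or from Splunk); it assumes the standard fields of Splunk's own _audit index (search, user, total_run_time, scan_count, search_et, search_lt) and assumes that all-time searches carry N/A as their time bounds, so verify those field values on your own instance first:

```spl
``` Constructed example: which users run index=* or all-time searches, and what does it cost? ```
index=_audit action=search info=completed
    ``` completed searches carry the run time and the number of events scanned ```
| eval wildcard_index=if(like(search, "%index=*%"), 1, 0)
    ``` like() treats * literally, so this matches the bare index=* form; add a second pattern for index="*" if your users write it quoted ```
| eval all_time=if(search_et="N/A" OR search_lt="N/A", 1, 0)
    ``` assumption: no time bounds in the audit event means an all-time search ```
| search wildcard_index=1 OR all_time=1
| stats count AS searches, sum(total_run_time) AS total_seconds, sum(scan_count) AS events_scanned BY user, wildcard_index, all_time
| sort - total_seconds
```

Running this over the last week gives you the list of users to contact (for instance with the search banner described above) before the rule starts filtering their searches, and a before/after baseline for total_seconds and events_scanned once it is active.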

These are five of the new features that the new release of Splunk 8.1 offers, which I believe, based on my own experience, are great for Splunk users and admins. Further information regarding the other features that come with this release can be found at the following page:

https://www.splunk.com/en_us/blog/conf-splunklive/what-s-new-with-splunk-enterprise-8-1.html