Written by Matthias van den Berg

5 things to know before you upgrade to Splunk 9.2

Data | 2 minute read

With the release of Splunk 9.2 there are some new features that we would like to share with you. If you upgrade, use version 9.2.0.1 rather than 9.2.0: it fixes a bug in the configuration validation check that blocks configuration pushes.

1. Deployment server scalability 

Starting with version 9.2 it is possible to run the deployment server as a cluster to make it highly available. You put a load balancer in front of two or three deployment servers, and the deployment server configuration (the apps to be distributed) lives on a mount shared by all of them. Deployment clients connect to the load balancer address instead of to a single deployment server.

In addition, deployment server logging is now sent to the following new internal indexes:

_dsphonehome
_dsclient
_dsappevent

If you do not see any data in the forwarder management UI after the upgrade, see the following Splunk docs article for the known causes:
https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers#Possible_issues_with_upgrade
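Because all deployment servers in the cluster serve apps from the same shared mount, a stale or mis-mounted share on one node means clients get different content depending on which node the load balancer sends them to. The following is an added example (not from the original post or from Splunk) of a consistency check: it computes one digest over the whole deployment-apps tree and compares the value seen on each node. The directory path, the host names and passwordless SSH access to the other nodes are assumptions.

```bash
#!/bin/bash
# Added example: verify that every deployment server node sees the same
# deployment-apps tree on the shared mount.
# Assumptions: bash, GNU coreutils (find, sort, sha256sum), and SSH access to
# the other nodes with the same path mounted there.

# apps_digest DIR -> prints one SHA-256 over the relative path and content of
# every regular file below DIR, so that a missing, extra or modified file
# changes the result. Output is sorted with LC_ALL=C so it is stable across
# hosts with different locales.
apps_digest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s ' "$f"
          sha256sum < "$f" | cut -d' ' -f1
      done ) | sha256sum | cut -d' ' -f1
}

# compare_nodes DIR HOST... -> prints the digest seen locally and on each HOST
# and returns 1 when any node disagrees with the local value.
# The function body is shipped to the remote side with declare -f so that
# exactly the same logic runs there.
compare_nodes() {
    local dir=$1; shift
    local here remote rc=0
    here=$(apps_digest "$dir")
    printf '%-24s %s\n' "$(hostname)" "$here"
    for h in "$@"; do
        remote=$(ssh -o BatchMode=yes "$h" \
            "$(declare -f apps_digest); apps_digest '$dir'") || remote="unreachable"
        printf '%-24s %s\n' "$h" "$remote"
        [ "$remote" = "$here" ] || rc=1
    done
    return $rc
}

# Usage (assumed path and host names):
# compare_nodes /shared/deployment-apps ds-02.example.com ds-03.example.com
```

Run it from one deployment server node; a non-zero exit means at least one node is serving a different tree and should be taken out of the load balancer pool until the mount is fixed.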

2. Dashboard Studio improvements

There are a number of improvements to Dashboard Studio dashboards in Splunk.

Post-conversion report 

If you convert a Simple XML dashboard to a Dashboard Studio dashboard, Splunk now shows a report detailing what still needs to be changed manually.

Drilldowns

You can now configure drilldowns to custom searches or to reports.

Trellis for single values

A highly requested feature is trellis layout, and in this release you can use it with single value visualizations. We have seen a number of customers hold off on switching to Dashboard Studio because it had no trellis option. You can do this now.

3. Support for OS certificate trust store and certificate management API 

Instead of uploading additional CA certificates to every instance, you can now let Splunk use the operating system's trust/certificate store. This makes it easier for companies to use their own CAs without having to distribute them to each Splunk instance separately, and the new certificate management API lets you manage certificates without editing files by hand.

4. Abort a rolling restart of an indexer cluster 

You can now abort a user-initiated rolling restart of an indexer cluster. You cannot abort a rolling restart triggered by a bundle push, because that would leave the cluster in an inconsistent state.

5. Splunk Universal Forwarder bugfixes

Although 9.2 does not introduce new forwarder functionality, it does fix three bugs that could crash the forwarder. If you upgrade from 9.0.x, note that the default user changes from splunk to splunkfwd, which can cause problems reading log files or the Windows event log on your systems.

We have seen multiple companies that thought their upgrade went smoothly, only to find out later that some of their logging was no longer reaching Splunk. You can check your environment with the following search:

index=_internal sourcetype=splunkd cannot_open  
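The search above only shows the problem after the fact, and only for forwarders that can still send their own _internal log. As an added example (not from the original post or from Splunk), the script below checks the same thing on the forwarder host itself: it reads the monitored paths out of an inputs.conf and tests whether the account splunkd actually runs as can read each one. The inputs.conf path and the splunkfwd user name are assumptions for a standard Linux installation.

```bash
#!/bin/bash
# Added example: verify that the files a universal forwarder monitors are
# readable by the account splunkd runs as (splunkfwd after the 9.x change).
# Assumptions: Linux host, procps (pgrep/ps), and non-interactive sudo when
# checking an account other than the one running this script.

# splunkd_user -> prints the account of the running splunkd, or fails if none.
splunkd_user() {
    local pid
    pid=$(pgrep -o -x splunkd 2>/dev/null) || return 1
    ps -o user= -p "$pid"
}

# monitored_paths INPUTS_CONF -> prints the path from every [monitor://PATH]
# stanza, one per line. Wildcards in the path are left as written.
monitored_paths() {
    sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1"
}

# readable_by USER FILE -> 0 if USER can read FILE. The check is done
# directly when USER is the current account, otherwise through sudo -u so the
# kernel's own permission check (owner, group, ACLs) decides, not a guess.
readable_by() {
    if [ "$1" = "$(id -un)" ]; then
        test -r "$2"
    else
        sudo -n -u "$1" test -r "$2"
    fi
}

# check_readable USER FILE... -> prints "UNREADABLE <file>" for each file USER
# cannot read and returns 1 if there was at least one, 0 otherwise.
# A path that does not exist is reported too: a monitor stanza for a missing
# file usually means a typo or a log rotated somewhere else.
check_readable() {
    local user=$1; shift
    local f rc=0
    for f in "$@"; do
        if ! readable_by "$user" "$f"; then
            echo "UNREADABLE $f"
            rc=1
        fi
    done
    return $rc
}

# Usage on a forwarder host (assumed paths; word splitting expands globs
# in monitor stanzas such as /var/log/*.log):
# user=$(splunkd_user) || user=splunkfwd
# check_readable "$user" $(monitored_paths /opt/splunkforwarder/etc/apps/*/local/inputs.conf)
```

Run this as part of the upgrade runbook on each host before and after the forwarder upgrade; any UNREADABLE line means that input will go silent after the switch to splunkfwd until the file's group or ACL is fixed.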

Links

Splunk Enterprise Release notes:
https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes

Deployment server scalability:
https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Implementascalabledeploymentserversolution
https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers

Dashboard studio:
https://docs.splunk.com/Documentation/Splunk/latest/DashStudio/WhatNew
http://docs.splunk.com/Documentation/Splunk/9.2.0/DashStudio/ConvertSXML
http://docs.splunk.com/Documentation/Splunk/9.2.0/DashStudio/linkURL
http://docs.splunk.com/Documentation/Splunk/9.2.0/DashStudio/trellisLayout

Abort rolling restart:
https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Userollingrestart#Abort_a_rolling_restart_of_an_indexer_cluster