With the release of Splunk 9.2 there are some new features that we would like to share with you. If you upgrade, please use version 9.2.0.1, since it fixes a bug in the config validation check that blocks config pushes.
Starting with version 9.2 it is possible to create a deployment server cluster to make it highly available. You build the cluster from a load balancer and 2 or 3 deployment servers, with the configuration placed on a shared mount.
Besides this new ability, the logging will also be sent to the following new indexes:
_dsphonehome
_dsclient
_dsappevent
If you do not see any data in the forwarder management UI, have a look at the following Splunk docs article for possible issues.
https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers#Possible_issues_with_upgrade
There are a number of improvements to the Dashboard Studio dashboards in Splunk.
If you convert an XML dashboard to a Dashboard Studio dashboard, it will show you a report that details what needs to be changed manually.
You will now be able to configure drilldowns to custom searches or to reports.
A highly requested feature is the ability to use trellis; in this release you are able to use it with single values. We have seen a number of customers holding out on switching to Dashboard Studio because they had no trellis option. You can do this now!
Instead of uploading additional CA certificates, you are now able to integrate with an OS trust/certificate store. This makes it easier for companies to use their own CAs without having to upload them to each Splunk instance.
You are now able to abort a user-initiated rolling restart of an indexer cluster. You cannot abort a rolling restart that happens with a bundle push, because that would leave the cluster in an inconsistent state.
Although 9.2 does not introduce new functionality for the forwarder, it does fix three bugs that could crash it. If you upgrade from 9.0.x, please note that the default user changes from splunk to splunkfwd, which can create issues reading log files/wineventlog on your systems!
We have seen multiple companies that thought their upgrade went smoothly only to find out that some of their logging was no longer going to Splunk. You can check your environment with the following search:
index=_internal sourcetype=splunkd cannot_open
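A check that complements the search above and can run before the upgrade, as an added example that is not part of the original post or Splunk's own tooling: it lists the [monitor://...] stanzas of an inputs.conf and reports the first path component that an account cannot read or traverse. The function names, the uids 1001 (splunk) and 1002 (splunkfwd), the sample inputs.conf and the stat data are constructed assumptions; only Unix mode bits are evaluated (no ACLs) and wildcard paths are not expanded.

```python
import os
import re
import stat
from pathlib import Path

MONITOR_RE = re.compile(r"^\s*\[monitor://([^\]]+)\]")

def monitor_paths(text):
    """Paths of the [monitor://<path>] stanzas in inputs.conf text."""
    return [m.group(1) for line in text.splitlines()
            if (m := MONITOR_RE.match(line))]

def stat_chain(path):
    """(path, mode, uid, gid) for each parent directory, then the path itself."""
    p = Path(path).resolve()
    return [(str(c), s.st_mode, s.st_uid, s.st_gid)
            for c in [*reversed(p.parents), p] for s in [os.stat(c)]]

def first_blocker(chain, uid, gids):
    """First component the account cannot pass, or None if the target is readable."""
    for i, (path, mode, f_uid, f_gid) in enumerate(chain):
        if stat.S_ISDIR(mode):
            need = 0o5 if i == len(chain) - 1 else 0o1  # monitored dir vs. parent dir
        else:
            need = 0o4                                  # read the file
        shift = 6 if f_uid == uid else 3 if f_gid in gids else 0
        if ((mode >> shift) & need) != need:
            return path
    return None

# Constructed sample data (hypothetical ids: splunk = 1001, splunkfwd = 1002).
SAMPLE_INPUTS = """\
[monitor:///var/log/messages]
disabled = 0
[monitor:///var/log/app/app.log]
sourcetype = app
"""
ROOT = [("/", 0o040755, 0, 0), ("/var", 0o040755, 0, 0), ("/var/log", 0o040755, 0, 0)]
SAMPLE_CHAINS = {
    "/var/log/messages": ROOT + [("/var/log/messages", 0o100640, 0, 1001)],
    "/var/log/app/app.log": ROOT + [("/var/log/app", 0o040750, 1001, 1001),
                                    ("/var/log/app/app.log", 0o100644, 1001, 1001)],
}

def audit(inputs_text, chains, uid, gids):
    """Map each monitored path to its blocking component (None = readable)."""
    return {p: first_blocker(chains[p], uid, gids) for p in monitor_paths(inputs_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_INPUTS, SAMPLE_CHAINS, 1002, {1002}))
```

On a real host, pass `stat_chain(path)` to `first_blocker` together with the uid and group ids of the splunkfwd account, which `pwd.getpwnam` and `os.getgrouplist` return.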
Splunk Enterprise Release notes:
https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes
Deployment server scalability:
https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Implementascalabledeploymentserversolution
https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers
Dashboard Studio:
https://docs.splunk.com/Documentation/Splunk/latest/DashStudio/WhatNew
http://docs.splunk.com/Documentation/Splunk/9.2.0/DashStudio/ConvertSXML
http://docs.splunk.com/Documentation/Splunk/9.2.0/DashStudio/linkURL
http://docs.splunk.com/Documentation/Splunk/9.2.0/DashStudio/trellisLayout
Abort rolling restart:
https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Userollingrestart#Abort_a_rolling_restart_of_an_indexer_cluster