
7 Reasons to Upgrade to Splunk 7

Last week, we presented a webinar titled “7 Reasons to Upgrade to Splunk 7.” During the presentation, we provided an overview of the top features in both versions 7.0 and 7.1, along with upgrade best practices.

If you were unable to attend the live event, you can access the on-demand version of the webinar here. Let’s recap the 7 reasons to upgrade to Splunk 7, along with additional resources from the webinar.

1 – Faster Data Model Acceleration – Splunk 7.0

Splunk 7.0 provides significant improvements to Data Model acceleration over previous versions. Acceleration lag is up to one-third lower than in version 6.5, and the acceleration search runtime is up to 3 times faster than in version 6.5. This means that fewer CPUs are occupied at any given time and hardware usage is more efficient. Accelerated data is also now available immediately, so there is no need to wait for a large bucket to be accelerated.

This feature is primarily targeted at Splunk Enterprise Security (ES) users, because data models power ES. However, by installing the Common Information Model add-on, anyone can take advantage of Data Model acceleration.

2 – Event Annotation and Chart Enhancements – Splunk 7.0

Event annotations provide the ability to correlate discrete events with time-series metrics to give deeper context for your data. If you have a time-series chart and want to mark events of any kind on it, event annotation is the way to do that.

Some example use cases for Event Annotation include:

  • Correlate code check-ins against application performance metrics
  • Overlay marketing events such as campaigns or news announcements
  • Overlay service monitoring events with specific application metrics to identify chain effects
  • Correlate firewall changes to increases or decreases in traffic volume

There are some limitations to Event Annotation. First, event annotation can only be applied to time-series charts such as line, column, or area charts. Also, in Splunk 7.0 and 7.1, event annotations can only be configured using SimpleXML, and a PDF export will not show the annotation.

In addition to Event Annotation, new chart enhancements provide a better monitoring experience in dashboards. New chart options include:

  • charting.lineWidth – Change line width (pixels) for all line series in a chart
  • charting.data.fieldHideList – Defines list of fields to hide from results
  • charting.legend.mode – Choose Standard or SeriesCompare. Standard is default and SeriesCompare is useful for comparing series data. This feature disables shortening of the field name in the legend which makes most charts more readable.
  • charting.fieldDashStyles – Select dash line styles to use for each field (11 options available). Be sure to select a style that represents your data without giving the appearance of missing data. You can see examples of this in the video below.

3 – Self-Service App Management – Splunk Cloud

This feature is, of course, only available to Splunk Cloud customers. In the past, most app management was done through Splunk Cloud support. Now Splunk allows customers to perform more app management within Splunk Cloud themselves.

Self-service app management is available for most Splunk certified and internally built apps and add-ons. The new app management interface allows for easier management, app updates, self-service installation, and resolution of dynamic app dependencies. Self-service app management provides more robust app deployment with self-service action retries and better restart notifications.

Note that one limitation of self-service app management is that Enterprise Security instances cannot be managed via self-service, so app and add-on installs on Cloud ES search heads (SHs) still need to be done through a ticket with Splunk Cloud.

4 – Refined Splunk User Interface – Splunk 7.1

The new Splunk interface has a clean, modern look, with a standardized style across Splunk products and Splunk.com. The updated interface also improves usability with an updated search page, events viewer, listing pages, and tables.

5 – Site Wide Diagnostic Generation – Splunk 7.1

This feature is particularly useful for those who manage Splunk in a distributed environment. It provides an easy-to-use interface in Splunk Web for generating diags across a distributed deployment.

Diag parameters are easy to configure, and you can recreate a diag based on previous parameters. The settings that you used for the original diag are retained, so you can quickly generate a new one. This is helpful when working with Splunk Support, where you may want to create a diag, troubleshoot, and later recreate it.

Diags can be generated from any instance but common choices are those Splunk instances with several search peers such as the Monitoring Console (Distributed) or Search Head. They can also be downloaded and deleted when cleanup is needed.

6 – Rolling Upgrades for an Indexer or Search Head Cluster – Splunk 7.1

To be honest, when reviewing this feature, I had doubts about how robust it would be. But on further review, this is really an amazing new feature in Splunk 7.1.

This feature allows an engineer to sequentially upgrade indexer or search head members with minimal search impact. It preserves the ability to perform searches across your environment. The limitation to this feature is that you must be running Splunk version 7.1.0 or higher to take advantage of it.

You can watch an overview of the process for upgrading both the indexer cluster and the search head cluster below.

7 – Local Login Password Refinements – Splunk 7.1

These refinements are really nice because Splunk now enables you to enforce password policies for new installations, including:
• Minimum number of characters in a password
• Complexity requirements – use of numerals, special characters, upper and lower-case letters
• Users with weak passwords can be forced to change them
• User lockout after repeated failed login attempts
• Expiration of passwords and preventing reuse of old passwords
• Splunk Enterprise no longer ships with a default password – the administrator must set one
• All these changes apply to new installations and do not impact software upgrades

These changes don’t affect existing installations, nor do they affect users who log in through Active Directory or SAML.
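As an added illustration (not code from the original post or from Splunk), the two configuration fragments below show how the local-login controls listed above are expressed on a new Splunk 7.1 installation: an authentication.conf stanza that sets length and complexity requirements, forced change of weak passwords, lockout after repeated failures, expiration, and password history, plus a user-seed.conf that supplies the initial administrator password now that no default ships. Setting names follow the Splunk 7.1 authentication.conf and user-seed.conf specifications; the numeric values are assumptions chosen for illustration, and the password shown is a placeholder, not a real credential. Check the spec files shipped with your version before deploying, and remember that these settings govern only local Splunk accounts, not Active Directory or SAML users.

```ini
# $SPLUNK_HOME/etc/system/local/authentication.conf
# Added example: local-login password policy for Splunk 7.1 (values are illustrative).
[splunk_auth]
# Minimum length and composition of a password
minPasswordLength = 12
minPasswordUppercase = 1
minPasswordLowercase = 1
minPasswordDigit = 1
minPasswordSpecial = 1
# Force users whose current password fails the policy to change it at next login
forceWeakPasswordChange = true
# Lock an account after 5 failed logins within 10 minutes; the lock lasts 30 minutes
lockoutUsers = true
lockoutAttempts = 5
lockoutThresholdMins = 10
lockoutMins = 30
# Expire passwords every 90 days and warn users 14 days ahead of expiry
expirePasswordDays = 90
expireAlertDays = 14
# Remember the last 10 passwords so none of them can be reused
enablePasswordHistory = true
passwordHistoryCount = 10

# $SPLUNK_HOME/etc/system/local/user-seed.conf
# Read on first start to create the admin account, since 7.1 no longer ships a default password.
# The PASSWORD value is a placeholder and must be replaced before the first start.
[user_info]
USERNAME = admin
PASSWORD = Replace-With-Strong-Password-1!
```

The lockout trio works together: `lockoutAttempts` failures inside a window of `lockoutThresholdMins` minutes locks the account for `lockoutMins` minutes, which limits online guessing against local accounts without locking out a user who mistypes once. Because the seed password is validated against the same policy, it must already satisfy the length and complexity values set in the `[splunk_auth]` stanza.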

Bonus Feature – Metrics!

Metrics are a valuable new feature in Splunk 7 and have been further refined in Splunk 7.1. Metrics provide a method to send numeric data into Splunk in a structured format that is much more efficient than previous methods. A metric is a specific measurement containing a timestamp, name, value, and dimension, where the dimension provides metadata about the metric. Using metrics can result in significant performance improvements for this type of data.

Splunk 7.0 and 7.1 Upgrade Considerations

When planning your upgrade, it’s important to always check app compatibility. This is especially true for Enterprise Security, which can be tricky about version compatibility.

Splunk version 7.0 and 7.1 are very stable, and now is the time to upgrade. There will likely be numerous additional features released later this year at .conf18. Now is the time to get to version 7.1 and catch up on new features before new ones are released!

Additional Resources and References for Splunk 7

About Aditum

Aditum is North America’s fastest-growing Splunk services firm. Our Splunk SMEs deliver Splunk Professional Services and Splunk Managed Services with a demonstrable record of customer success. Our fully certified consultants, who focus exclusively on Splunk, combined with our prescriptive Customer Success Methodology for Splunk, empower your team to maximize the value of your Splunk platform.

We manage successful deployments of core Splunk and premium apps, upgrades, scaling, search, report, and dashboard creation, new data onboarding, and Splunk Health Checks. We also have a team of accomplished Splunk Developers who focus on building Splunk apps and TAs.

Contact us directly to learn more.
