#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

Splunk 6.6 out now. Features you like the most?

koshyk
Super Champion

This is not technically a question, but I can see some good enhancements/features as part of the release

  • Search optimizer improvements (Automatically apply Projection Elimination to remove calculations and evals that are not needed in final results . Atlast, I don't need to edit eventtypes.conf and tags.conf) !!
  • Search Head Clustering enhancements (Resilient configuration replication, intelligent captain selection etc.)
  • Indexer clustering enhancements
  • Indexer clustering management
  • Volume-based data forwarding
  • Data quality dashboard

Please let me know your thoughts if you haveimplemented in clustered systems. I will wait for a release or two before implementing into our prod.

fsuzuki
Explorer

this is the 6.6 features in Japanese
Ver.6.6 の日本語資料はこちらです。
https://www.macnica.net/splunk/release66.html/

0 Karma

a212830
Champion

what is "volume-based data forwarding"?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

@a212830, or as I lovingly call you, Mr. Lazy Pants 🙂

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/MeetSplunk#What.27s_New_in_6.6

(We know each other IRL. Hence this is teasing, not trolling...yet lol)

0 Karma

coltwanger
Contributor

It sounds like this feature will be my number one reason to move forward to 6.6 sooner rather than later:

"Avoidance of search disruption by automatically ensuring replicated data is available prior to taking a node offline."

We regularly get complaints from users about seeing "Your search results may be incomplete" during a cluster restart. However, the release notes aren't super clear whether this applies to a rolling restart or just "./splunk offline". I reached out to my SE for more info, and I also posted on the blog post iventsekar linked.

I'm also looking forward to line numbers in the SPL -- this will make documenting changes to alerts/reports a little more straight forward. I have had some users beg me to install 6.6 today for the dark themed search bar 🙂

coltwanger
Contributor

I want to note that I heard from my SE and this change is only for taking down a single peer, but will be expanded to rolling-restarts in the future.

0 Karma

koshyk
Super Champion

Completely agree. There are so much good improvements as per release notes

0 Karma

inventsekar
Ultra Champion

Good reading -

https://www.splunk.com/blog/2017/05/02/what-s-new-in-splunk-enterprise-6-6-and-splunk-cloud.html?lin...

I am looking for the dataset and dashboard related features, will check them and update.

Next up is the new Trellis Layout, which provides a more efficient way to run the dashboard and saves time building multiple panels! Have you ever needed to create multiple single value indicators across the top of your dashboard? What about multiple timecharts, with each showing a slightly different measure on the same search? To do this you probably had to edit the Simple XML, copy & paste the original chart over and over again and change the search parameters ever so slightly. Now with Trellis, this can be done directly from the GUI. Multiple charts will be created on the fly—all using a single base search. Here’s an example. ( Pic at the blog)

NetFlow_Logic
Contributor

I love Trellis Layout. Makes it so much easier to compare trends!

0 Karma

burwell
SplunkTrust
SplunkTrust

Trellis graphs are very cool! Love them.

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Docs for Trellis Layout are available here. They describe how you can use trellis layout to split search results over a field or aggregation and generate visualization fragments for each field value:

docs.splunk.com/Documentation/Splunk/6.6.0/Viz/VisualizationTrellis

frobinson_splun
Splunk Employee
Splunk Employee

And docs for the new drilldown editor UI (as well as new content on using drilldown for dashboard interactivity) are available here:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Viz/DrilldownIntro

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...