Splunk .conf2017: Splunk 7 released and other news
In the Splunk universe September is hotly anticipated; not because of the equinox or changing seasons, but because of the international Splunk user and partner conference, .conf, held this year in Washington, D.C.
On Tuesday, during his opening keynote, Splunk CEO Doug Merritt announced the release of Splunk version 7 (read on for a brief overview), alongside numerous other significant updates, including:
- End of Life for Splunk 5.0.x, taking effect as of 30 November 2017.
- Updates for IT Service Intelligence (ITSI), User Behaviour Analytics (UBA), and the Machine Learning Toolkit (MLTK).
- New pricing options relevant to all Splunk users, from new adopters to large enterprises.
- New enterprise security content packs: subscription-based packs that give a guided way to implement specific Enterprise Security use cases. At NCC Group we think these will be a valuable addition to Splunk, helping customers get maximum value from a Splunk Enterprise Security (ES) investment. However, as with any SIEM implementation, the key is picking the use cases and data sources that deliver the most business value for your deployment environment.
- New customer success planning, including web-based self-assessment and proactive analysis support from Splunk.
- A key mention of Splunk Pledge (whereby free software is provided to charities and NGOs) from the Global Emancipation Network, who are using Splunk to help fight human trafficking and modern-day slavery [1].
We will be exploring these topics in more depth over the next few weeks, including what effects they will have on our Splunk users, so keep an eye out for more blogs.
Meanwhile we will start with the most pressing topic: version 7.
Version 7 key features and benefits
| Feature | Information and Benefits |
| --- | --- |
| Metrics | A new way to receive, store, and search metrics-based data, including native support for ingesting StatsD or CollectD output and similar telemetry from other sources. Storing metric data in the new metrics engine can give 2-200x performance improvements when searching these types of data. |
| Event Annotations | Visualising the output of a second search to overlay correlated information onto a graph visualisation. This looks very interesting as a way to provide context and turn graphs from information into intelligence. |
| Charting Improvements | More customisable options for existing charting visualisations, such as line thicknesses and types. This will be excellent for creating exactly the right format for visual presentation of information, making it much easier to go from wireframe and raw data to an appropriate visualisation (especially when coupled with event annotations). |
| Report Actions | Custom Alert Actions are now available in the "create report schedule" workflow (making a report from a dashboard). This makes things more consistent within Splunk and opens up more interesting opportunities for integrations. |
| Monitoring Console | More panels in some of the monitoring console views, allowing more accurate analysis of indexing pipeline performance. |
| Faster Search Performance | More parallelisation and refactored search techniques that can (according to the Splunk lab devs!) improve search performance for some types of searches in Enterprise Security by three times, or deliver the same performance from one third of the infrastructure. For other types of searches, improvements of two to ten times have been seen. This is a really good opportunity to update a Splunk environment on the same hardware and gain significant performance improvements, or to reduce the footprint of a new environment and improve the TCO proposition. Alternatively, a blend of the two could be implemented to improve performance while broadening what Splunk is used for. This will be a huge opportunity for Splunk environments still running 5.0 in particular, as a way to get a lot more out of your existing investment in data and infrastructure. |
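To make the Metrics row concrete, here is an added example (not code from the original post, Splunk or NCC Group) of the StatsD wire format that Splunk 7's new metrics ingestion accepts: a formatter that emits well-formed lines, a UDP sender, and a defensive parser of the kind a receiver needs because StatsD datagrams arrive unauthenticated over UDP from anything on the network. The listener host and port (`127.0.0.1:8125`) and the sample datagram are constructed assumptions; the line syntax `name:value|type[|@rate]` is the standard StatsD protocol, restricted here to numeric values.

```python
import re
import socket
from typing import Dict, List, Optional

# StatsD wire format:  <metric.name>:<value>|<type>[|@<sample_rate>]
#   type is c (counter), g (gauge), ms (timer) or s (set, numeric only here).
# Several lines may share one UDP datagram, separated by "\n".
_STATSD_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9._-]+):(?P<value>[+-]?[0-9]*\.?[0-9]+)"
    r"\|(?P<type>c|g|ms|s)(?:\|@(?P<rate>0?\.[0-9]+|1(?:\.0+)?))?$"
)
_NAME_OK = re.compile(r"[A-Za-z0-9._-]+")

# Assumed listener address of a Splunk UDP input configured for statsd.
STATSD_HOST = "127.0.0.1"
STATSD_PORT = 8125


def format_metric(name: str, value: float, mtype: str,
                  sample_rate: Optional[float] = None) -> str:
    """Render one metric as a StatsD line, refusing names or types that
    would produce a malformed (or injected multi-line) datagram."""
    if mtype not in ("c", "g", "ms", "s"):
        raise ValueError(f"unsupported StatsD type: {mtype!r}")
    if not _NAME_OK.fullmatch(name):
        raise ValueError(f"metric name has characters StatsD disallows: {name!r}")
    line = f"{name}:{value:g}|{mtype}"
    if sample_rate is not None:
        if not 0 < sample_rate <= 1:
            raise ValueError("sample rate must be in (0, 1]")
        line += f"|@{sample_rate:g}"
    return line


def send_metrics(lines: List[str], host: str = STATSD_HOST,
                 port: int = STATSD_PORT) -> int:
    """Pack the lines into one UDP datagram and send it; returns bytes sent."""
    payload = "\n".join(lines).encode("ascii")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def parse_datagram(payload: bytes) -> List[Dict[str, object]]:
    """Parse a received datagram, dropping any line that does not match the
    grammar exactly (a receiver must not trust UDP senders). Sampled counters
    are scaled back up by their sample rate, as a StatsD server would."""
    metrics: List[Dict[str, object]] = []
    for raw in payload.decode("ascii", errors="replace").split("\n"):
        raw = raw.strip()
        if not raw:
            continue
        m = _STATSD_LINE.match(raw)
        if m is None:
            continue  # malformed: a real indexer would log and discard it
        rate = float(m.group("rate")) if m.group("rate") else 1.0
        value = float(m.group("value"))
        if m.group("type") == "c":
            value /= rate
        metrics.append({"name": m.group("name"), "value": value,
                        "type": m.group("type"), "sample_rate": rate})
    return metrics


# Constructed sample datagram: three valid lines and one garbage line.
SAMPLE_DATAGRAM = (
    b"web.requests:1|c|@0.5\n"
    b"web.latency_ms:42.7|ms\n"
    b"web.active_sessions:17|g\n"
    b"not a metric at all\n"
)

if __name__ == "__main__":
    lines = [format_metric("web.requests", 1, "c", 0.5),
             format_metric("web.latency_ms", 42.7, "ms")]
    print("would send:", lines)
    for metric in parse_datagram(SAMPLE_DATAGRAM):
        print(metric)
```

The parser's strict whole-line regex is the point worth keeping: because the input is UDP, anything on the network segment can spray metrics at the listener, so the receiver should accept only lines that match the grammar exactly and treat the metric name as an untrusted string (never as a field name or file path) before it reaches the index.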
Getting Splunk version 7
Splunk 7.0.0 is available now and can be obtained by following these steps:
- Click “Free Splunk” on https://www.splunk.com/
- Existing users sign in to your account or new users can register for one
- Select the download platform of your choice and download
We would recommend trying the latest version and features in a non-production environment first, before carefully planning any upgrades or new deployments.
There is also a free showcase app (Splunk Enterprise 7.0 Overview [2]) available on Splunkbase, Splunk's catalogue of first- and third-party apps and add-ons. It can be installed from inside a Splunk 7 instance through the GUI and demonstrates what's new in Splunk 7. Another free app on Splunkbase (Splunk Dashboard Examples [3]) has particularly good examples of the UI and visualisation possibilities, and covers versions 6.0 through to 7.0.
How NCC Group can help
NCC Group is a long-standing Splunk Partner in the UK and EMEA. We have highly capable, experienced and qualified professional services consultants who specialise in Splunk, from data ingest through data science to visualisation and integration, ready to help you get the most intelligence and information possible out of your data. We have delivered stand-alone and integrated transformational Security Intelligence, Operational Intelligence and Business Intelligence services for hundreds of Splunk customers, working with everyone from small start-ups to global enterprises, at data volumes from less than one gigabyte per day to multiple terabytes per day.
If your organisation is already using Splunk, a good starting point is our health check service, in which we assess the state and maturity of your current deployment. We then highlight what improvements could be made, how things could run more efficiently, and what business value could be gained by upgrading, ingesting more data, or handling the data already in Splunk differently, to maximise the return on your existing Splunk investment.
If your organisation is not currently using Splunk, then get in touch via email@example.com to talk to us about a demonstration and a discussion of the potential value it could bring to you and your business.
Published date:  29 September 2017
Written by:  Jamie McCallion and Paul McDonough