Splunk Products
All Splunk Release Notes
- Sep 9, 2025
- Parsed from source: Sep 9, 2025
- Detected by Releasebot: Sep 17, 2025
- Modified by Releasebot: Oct 10, 2025
Splunk Enterprise Security by Splunk
Splunk Enterprise Security 8.2
Splunk Enterprise Security 8.2.x rolls out AI assist, enhanced investigations, and expanded APIs across 8.2.0 to 8.2.3, plus TAXII 2 support and improved finding groups. Upgrade guidance warns that the upgrade is one-way and requires backups; many features and add-ons are deprecated or moved.
What's new
What's new in 8.2.3
Splunk Enterprise Security version 8.2.3 was released on October 7, 2025 and includes patch fixes. For more information, see Splunk Enterprise Security 8.2.3 fixed issues.
What's new in 8.2.2
Splunk Enterprise Security version 8.2.2 was released on September 24, 2025 and includes a patch fix. See Splunk Enterprise Security 8.2.2 fixed issues.
What's new in 8.2.1
Splunk Enterprise Security version 8.2.1 was released on September 17, 2025 and includes the following new enhancements:
- AI Assistant improvements: You can now use the AI Assistant to summarize individual findings in the analyst queue. For details, see Summarize findings with the AI Assistant. You can also choose between Frontier or Splunk-hosted models for the AI Assistant to use based on your organization's compliance requirements. See Choose which models the AI Assistant uses.
- Hybrid pairing with Splunk SOAR: You can now pair Enterprise Security (Cloud) with a single Splunk SOAR (On-premises) instance. For details, see Splunk SOAR compatibility later in the release notes and Pair Splunk Enterprise Security with Splunk SOAR.
What's new in 8.2.0
Splunk Enterprise Security version 8.2.0 was released on September 9, 2025 and includes the following new enhancements:
- AI Assistant for investigations: Summarize findings, get an SPL search, and generate an investigation report with the AI Assistant. See Scenario: Jordan uses the AI Assistant to summarize an investigation and generate SPL. Note: The AI Assistant for Splunk Enterprise Security is not automatically available by default. An administrator must reach out to their account management team to get started.
- Version activity for detections: Ability to view the version activity of a detection. For more information, see Use detection versioning in Splunk Enterprise Security.
- Detection audit trail: Monitor when detections are turned on or off, modified, or deployed, including who made changes and when. This is essential for compliance and change management of security rules.
- Testing detections in the detection editor: Ability to evaluate detection performance and efficiency within your SOC workflow by testing detections and reviewing search results. For more information, see Validate detections in Splunk Enterprise Security.
- Validate the SPL of a custom finding-based detection: Ability to validate the SPL query conditions for a custom finding-based detection in the detection editor. For more information, see Guidelines to create a custom finding-based detection.
- Viewing notes on the findings or finding groups included in an investigation: Ability to view notes on the findings or finding groups that are included in an investigation to get the complete context of linked findings when reviewing investigations. For more information, see Create and share notes on an investigation.
- Option to keep finding groups closed: Ability to configure in the detection editor whether closed finding groups are reopened or not if additional findings or intermediate findings are added to the finding group. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
- Lookback finding groups: Ability to create lookback finding groups to group historical findings based on the first time the detection runs. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
- Overlap finding groups: Ability to create overlap finding groups to prevent overlooking edge cases that might represent risk. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
- Button options for filtering the analyst queue by type: Findings, Investigations, Finding groups, or All types. Quickly filter the analyst queue by type using the buttons above the queue. See Filter the findings and investigations.
- Making notes optional or required: Enforce notes or make them optional when an analyst updates a finding or investigation. See Make notes required or optional.
- Making note titles optional or required: Change the note title requirement setting to make note titles required or optional when analysts update a finding or investigation. See Make note titles required or optional.
- ESSID-I-426: Hiding duplicate findings that have been added to an investigation. A finding that is part of an investigation can appear both nested under the investigation and also as a separate listing in the analyst queue. You can opt to show the finding in both locations, or you can hide the finding so that it only appears nested under an investigation. See Hide or show duplicate findings that have been added to an investigation.
- Redesigned quick actions in the analyst queue: Refresh the analyst queue manually or with auto-refresh, now in the quick actions menu at the top of the analyst queue. See Refresh the analyst queue.
- ESSID-I-425, ESSID-I-457: Syncing changes with included findings. Apply changes made in an investigation or finding group to all of its included findings. See Sync changes with included findings.
- Optimizing storage with KV Store retention policy: Turn on the KV Store retention policy to automatically remove old records from KV Store collections based on a configured time-based or size-based policy. See Optimizing storage with KV Store retention policy.
- ESSID-I-465: Expanded API capabilities: create findings, add findings to investigations, and create, read, update, and delete notes.
- Adding a TAXII 2 threat intelligence feed: Splunk Enterprise Security versions 8.2 and later now support TAXII version 2.0 and TAXII version 2.1. Add threat intelligence from a TAXII 2 feed to Splunk Enterprise Security. See Add a TAXII 2 feed.
- Other key highlights: Your preferences for viewing charts, timelines, filters, and the analyst queue count persist throughout your session. Findings that are part of an investigation are hidden from the top level of the Analyst Queue by default so that you can focus on actionable alerts. New Splunk Enterprise Security APIs are now searchable using the SPL rest command. Performance-based enhancements: search ID reuse improves load times across the Analyst Queue and investigations by reusing the results of cached search jobs. SAML user token support is no longer required for native SOAR functionality.
Upgrade notice for 8.x
Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
See Upgrade Splunk Enterprise Security.
Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.
Other important notes for upgrading include the following:
- You cannot upload and install Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the Splunk Web UI. You must install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line.
- Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
- The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.
Share threat data in Splunk Enterprise Security
Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.
Compatibility and support
- Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
- Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.
Deprecated or removed features
The following features have been deprecated from Splunk Enterprise Security 8.x:
- Configuring the investigation type macro is no longer available.
- Incident Review row expansion is no longer available.
- Enhanced workflows are no longer available.
- Sequence templates are no longer available.
- The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
- Service level agreements (SLAs) and role-based incident type filtering are not available.
- The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
- Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
- Capabilities such as edit_timeline and manage_all_investigations have been removed.
- The Comments feature is replaced by an enhanced capability to add notes.
- In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.
Add-ons
Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
Note: Some new features might not work for on-premises Splunk Enterprise Security 8.x and higher deployments unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.
To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.
- DA-ESS-AccessProtection
- DA-ESS-EndpointProtection
- DA-ESS-IdentityManagement
- DA-ESS-NetworkProtection
- DA-ESS-ThreatIntelligence
- SA-AccessProtection
- SA-AuditAndDataProtection
- SA-EndpointProtection
- SA-IdentityManagement
- SA-NetworkProtection
- SA-ThreatIntelligence
- Splunk_SA_CIM
- Splunk_SA_Scientific_Python_linux_x86_64
- SplunkEnterpriseSecuritySuite
- Splunk_ML_Toolkit
Deprecated or removed add-ons
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessarily enabled add-ons, and lets you install the most appropriate and up-to-date versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
Updated add-ons
The Common Information Model Add-on is updated to version 6.2.0.
Libraries
The following libraries are included in this release:
- Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
- Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
- Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
- September 2025
Splunk Cloud Platform by Splunk
Splunk Cloud Platform
Overview of this Splunk Cloud Platform release: cloud features comparable to Splunk Enterprise with some cloud-only options, a firewall-based access model, no SSH/CLI edits (except on forwarders), and configuration via Splunk Web or Admin Config Service with support cases for non-self-service changes.
Welcome to Splunk Cloud Platform
This document contains information about this version of Splunk Cloud Platform.
Splunk Cloud Platform delivers many of the features of Splunk Enterprise, plus some features that are available only to Splunk Cloud Platform subscribers. The features in your Splunk Cloud Platform environment might vary from those in Splunk Enterprise because of your topology, deployment, and configuration settings.
Splunk Cloud Platform uses a firewall to prevent unauthorized user access. The firewall prevents SSH access to the Splunk Cloud Platform deployment, which means that you cannot edit configuration files or use the command line interface (CLI) to configure your Splunk Cloud Platform deployment (except on forwarder hosts, which run in your corporate network). To configure settings, use Splunk Web or Admin Config Service. If you need to modify your configuration in a way that is not self-serviceable, submit a case on the Support Portal.
- Jul 31, 2025
What's new in 9.4.4
Splunk Enterprise 9.4.4 was released on July 31, 2025. It resolves the issues described in Fixed issues.
- Jul 28, 2025
Splunk Enterprise 10.0
Splunk Enterprise 10.0 arrives with edge data processing, stronger security (mTLS and FIPS 140-3), OpenSSL 3.0 and Python 3.9, richer access controls, new dashboards and observability features, and expanded data movement plus admin enhancements for faster, safer deployments.
Splunk Enterprise 10.0 Release Notes
Splunk Enterprise 10.0 was released on July 28, 2025.
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 10.0
- Edge Processor service: The Edge Processor solution is a service hosted within your Splunk Enterprise deployment designed to help you manage data ingestion within your network boundaries. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments.
- Updated support for Federal Information Processing Standards (FIPS): Splunk Enterprise now has updated support for the FIPS Publication #140-2 module and new support for Publication #140-3 module. These modules let you run Splunk Enterprise in FIPS mode to comply with these guidelines. The updated FIPS 140-2 module that comes with Splunk Enterprise 10.0 is valid until March of 2026. This gives you time to move over to the new FIPS 140-3 module after you upgrade both Splunk Enterprise components and your forwarding tier infrastructure to version 10.
- Support for encryption with mutual transport layer security (mTLS): Splunk Enterprise now supports the configuration of mTLS for encryption of network connections between Splunk Enterprise instances and services.
- OpenSSL version 3.0 support: Splunk Enterprise version 10.0 brings support for OpenSSL version 3.0, which replaces the deprecated OpenSSL version 1.0.2. Splunk Enterprise is also bound to version 3.9 of the Python runtime for secure connections to services and APIs.
- Fine-grained access to search knowledge objects: Splunk admins now have improved options for assigning permissions to roles for access to knowledge objects. Three new capabilities grant admins increased flexibility in assigning access to the objects and replace the admin_all_objects capability, which was the only option available previously.
- Sidecars: Sidecars are processes that run alongside the splunkd process to fulfill specific functions. They support introducing new features to the Splunk platform. For example, several sidecars support enhanced data management in the on-premises environment.
- Dashboards Trusted Domains List: Admins can add and remove domains using the Dashboards Trusted Domains List page.
- Dashboards in the Audit Trail app: Using the Audit Trail app, you can quickly gain insights on security, compliance, and the operation of a Splunk platform instance. The dashboards help you monitor user activities and changes of knowledge objects in real time, based on data from the audit index, index=_audit.
- Support for the savedsearch command in standard mode federated searches: You can now use the savedsearch command to run federated searches over remote saved search datasets located on standard mode federated providers.
- Expanded SPL support for standard mode searches in Federated Search for Splunk: Support has been added for the following commands in standard mode federated searches for Federated Search for Splunk: mcollect, sendalert, sendemail.
- Email domains enhancement: A new enhancement for the Email Domains setting under Server settings in Splunk Web lets administrators specify whether to allow or deny all email domains, or use email domains in a comma-separated list.
- OAuth 2.0 support for email server authentication: Splunk Enterprise now supports OAuth 2.0 for SMTP server authentication. This release adds support for Microsoft Exchange Server.
- Splunk Enterprise Python 3.9: Python version 3.7 has been removed from Splunk Enterprise 10.0 and higher. Python 3.9 is the only interpreter available in this release.
- Dashboard Studio enhancements: See What's new in Dashboard Studio.
- Preview feature: Field filters now support the typeahead and walklex commands.
- Preview feature: Field filters are now first in the sequence of search-time operations, which has implications for downstream operations.
- Dynamic limit for scheduled searches: Splunk Enterprise 10.0 introduces the dynamic_max_searches_perc setting to automatically adjust the scheduled search concurrency limit.
- Effective configuration: This feature lets you view the actual configuration installed on your forwarders without logging into the machines or running btool.
- Bulk Data Move: Allows users to efficiently reorganize indexes and move data between them using specific search criteria. Available for Standalone deployments only.
- OpenTelemetry Collectors: View information about OTel Collectors you manage, helping monitor status of your agents in one place.
- Observability metrics in Dashboard Studio: Create charts based on observability metrics or import existing Splunk Observability Cloud charts.
- Preview observability data in the Search app: See previews of Splunk Observability Cloud data related to events in the Search & Reporting application.
- View an observability service map in Dashboard Studio dashboards: Add a service map for services monitored in Splunk Observability Cloud into Dashboard Studio.
- SPL2 module permissions: Module creators are automatically given execute, read, and write permissions on that module.
- Deprecated version 1.0 endpoints for the Search API are now deactivated by default.
- Sunsetting of the Upgrade Readiness App: Support for the Upgrade Readiness App has ended and it has been removed from this version.
- Updated alerts page: The alerts page is updated for usability and accessibility.
- Favorite knowledge objects: Users can now add and remove reports from favorites.
- Agent management can upgrade universal forwarders: Upgrade universal forwarders centrally through agent management or deployment server after one-time setup.
- Ingest Actions Live Capture on search heads: Live Capture improves accuracy of event previews in Ingest Actions, available in both Splunk Cloud and Splunk Enterprise deployments.
- Jul 17, 2025
Splunk Enterprise Security by Splunk
Splunk Enterprise Security 8.1.1
Splunk Enterprise Security 8.1.x adds detection version comparisons, UI improvements, SOAR pairing, and a revamped detections editor plus API and threat intel enhancements. It also covers upgrade notices, compatibility, deprecated features, add-ons, and bundled libraries.
What's new in 8.x
What's new in 8.1.1
Splunk Enterprise Security 8.1.1 was released on July 17, 2025. It resolves the issues described in Fixed issues.
What's new in 8.1.0
Splunk Enterprise Security version 8.1.0 was released on June 10, 2025 and includes the following new enhancements:
New feature: Comparison between versions of detections
Description: Ability to compare the differences between detection versions to determine if an outdated version is turned on or to troubleshoot a detection that is generating false positive alerts. For more information, see Reviewing differences between detection versions.
New feature: UI improvements to the Intermediate findings timeline visualization
Description: Enhanced ability to interact with the visualization to analyze the relationship between intermediate findings and their associated risk scores. The Intermediate findings timeline visualization was previously referred to as the Risk timeline visualization in Splunk Enterprise Security versions 8.0.x. For more information on this visualization, see Reviewing findings using the intermediate findings timeline in Splunk Enterprise Security and Access the intermediate findings timeline to review findings in Splunk Enterprise Security.
New feature: Pairing with Splunk SOAR (On-premises)
Description: You can now pair Splunk SOAR (On-premises), in addition to pairing with Splunk SOAR (Cloud), to run actions, run playbooks, and review automation history in Splunk Enterprise Security. For more information, see Pair Splunk Enterprise Security with Splunk SOAR. For compatibility information, see Splunk SOAR compatibility in the Splunk Enterprise Security Compatibility matrix article.
New feature: Enhancements to the detection editor
Description: The following improvements have been included for the detection editor in this release:
- Use only event-based detections to create finding groups
- Select security annotations from various cyber-security frameworks using the drop-down menu in the detection editor
- Multiple drill-down searches associated with a detection can no longer have the same name
- Ability to delete a drill-down search with the same name if it is not the first drill down search
- Ability to view, delete, add, or modify the pre-populated suppressed fields in the finding-based detection editor
- Improve search experience by automatically expanding the tokens in the titles and descriptions of findings and detections prior to storing the findings and finding groups in the notable index.
- Preview the search and test the search results for the finding-based detection in the detection editor to ensure that the detection fits your use case.
- PCI governance controls added as annotation to monitor PCI DSS 4.0 requirements
For more information on improvements to the user interface for creating detections, see Create finding groups in Splunk Enterprise Security, Add annotations to detections in Splunk Enterprise Security, Modify drill-down searches to use uniquely identifiable keys, Troubleshoot drill-down searches in Splunk Enterprise Security, Suppress and modify specific fields within finding-based detections, Expand tokens in findings and detections to improve the search experience, Create finding-based detections in Splunk Enterprise Security.
New feature: Reduced alert noise on the analyst queue since event-based detections can generate both findings and intermediate findings
Description: Event-based detections can be configured to generate both findings and intermediate findings with assigned risk scores that can be modified to reflect accurate risk levels. For more information, see Event-based detections, Assign risk using risk modifiers in Splunk Enterprise Security.
New feature: Support for Splunk API
Description: The Splunk Enterprise Security API allows you to use and modify findings, investigations, risk scores, assets, and identities in Splunk Enterprise Security. Additionally, Splunk Enterprise Security offers a set of REST API endpoints that you can use to interact with the Splunk Enterprise Security frameworks programmatically or from Splunk search, and to build integration applications for use with Splunk Enterprise Security. For more information, see Splunk Enterprise Security API reference.
New feature: Intelligence summary for findings in the analyst queue
Description: Review threat intelligence attributes associated with a finding in the side panel of the analyst queue. Use threat intelligence attributes to help you determine whether you need to start an investigation based on that finding. Threat intelligence attributes include threat actors, MITRE tactics, CVEs, and malware associated with one or more observables present in the finding. For more information, see Review threat intelligence attributes for a finding in Splunk Enterprise Security, Fields containing observables in Splunk Enterprise Security.
New feature: New default views in a collapsible side panel for filtering the analyst queue
Description: Filter the analyst queue by new default views such as Owned by me or Risk score. In a new collapsible side panel, you can select from different saved views to make the triage process easier. For more information, see Filter by a default view in the analyst queue, Manage saved views.
Upgrade notice for 8.x
Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
- When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
- If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
- See Upgrade Splunk Enterprise Security.
- Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.
Other important notes for upgrading include the following:
- Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
- The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.
Share threat data in Splunk Enterprise Security
Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.
Compatibility and support
- Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
- Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.
Deprecated or removed features
The following features have been deprecated from Splunk Enterprise Security 8.x:
- Configuring the investigation type macro is no longer available.
- Incident Review row expansion is no longer available.
- Enhanced workflows are no longer available.
- Sequence templates are no longer available.
- The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
- Service level agreements (SLAs) and role-based incident type filtering are not available.
- The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
- Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
- Capabilities such as edit_timeline and manage_all_investigations have been removed.
- The Comments feature is replaced by an enhanced capability to add notes.
- In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.
Add-ons
- Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
- Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.
- Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
- To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.
- DA-ESS-AccessProtection
- DA-ESS-EndpointProtection
- DA-ESS-IdentityManagement
- DA-ESS-NetworkProtection
- DA-ESS-ThreatIntelligence
- SA-AccessProtection
- SA-AuditAndDataProtection
- SA-EndpointProtection
- SA-IdentityManagement
- SA-NetworkProtection
- SA-ThreatIntelligence
- Splunk_SA_CIM
- Splunk_SA_Scientific_Python_linux_x86_64
- SplunkEnterpriseSecuritySuite
- Splunk_ML_Toolkit
Deprecated or removed add-ons
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer and remain supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
Updated add-ons
- The Common Information Model Add-on is updated to version 6.1.0.
Libraries
The following libraries are included in this release:
- Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
- Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
- Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
What's new in 9.4.3
Splunk Enterprise 9.4.3 is out, dated June 5, 2025. The release shifts KV store server to version 7.0 for all 9.4+ deployments, delivering security improvements and better performance. The upgrade happens automatically during the Splunk Enterprise 9.4 upgrade, and users are guided to plan the KV store upgrade per the Splunk Support Policy and Admin manual. This release emphasizes security, policy,
Splunk Enterprise 9.4.3 was released on June 5, 2025. It resolves the issues described in Fixed issues.
- Splunk Enterprise versions 9.4 and higher no longer support KV store server version 4.2.
- Upgrade to KV store server version 7.0 for continued support and security, and to comply with the Splunk Support Policy. For more details, see Splunk Support Policy. Your deployment automatically upgrades your KV store during your upgrade to Splunk Enterprise 9.4. This new server version includes security enhancements and improves the performance of your KV store. See Upgrade the KV store server version in the Admin manual to plan your upgrade.
What's new in 9.4.2
Splunk Enterprise 9.4.2 was released on April 28, 2025. It resolves the issues described in Fixed issues.
What's New in 9.4.1
Fixed issues
Splunk Enterprise 9.4.1 was released on February 26, 2025. It resolves the issues described in Fixed issues.
Welcome to Splunk Enterprise 9.4
Splunk Enterprise 9.4 drops with a broad feature set: revamped Deployment Server UI and health views, upgraded KV store to v7.0, SPL2 support via API, enhanced eval functions, and improved SHC resilience. Federated Search gains metric index support, eventcount, and mcatalog compatibility, plus workload and S2S queue enhancements and cgroups v2 default.
Splunk Enterprise 9.4 was released on December 16, 2024.
If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.
For system requirements information, see the Installation Manual.
Before proceeding, review the Known Issues for this release.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.
See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.
The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.
What's New in 9.4
- Deployment server version 9.4: Deployment Server provides a centralized location and user interface to manage, maintain, and troubleshoot all types of Splunk agents, such as the Universal Forwarder and the Heavy Forwarder. Deployment Server 9.4.0 provides the following new capabilities: an overview of the health and status of your agents, a new UI with a shorter load time and an updated user experience, and accessibility compliance.
- Upgrade KV store server version from 4.2 to 7.0: Splunk Enterprise versions 9.4 and higher work best with KV store server version 7.0. Your deployment automatically upgrades your KV store during your upgrade to Splunk Enterprise 9.4. This new server version includes security enhancements and improves the performance of your KV store. See Upgrade the KV store server version in the Admin manual to plan your upgrade.
- Stats V1 removal: Version 1 of the stats command has been removed and replaced with version 2 of the stats command.
- Enhancement to the foreach command: A new auto_collections mode has been added to the foreach command. The auto_collections mode dynamically iterates over a JSON array or a multivalue field, depending on which is present in the search. See foreach in the Search Reference.
- Federated Search for Splunk: Metric indexes now supported as a new dataset type for federated searches: With this release, Federated Search for Splunk adds a new dataset type for standard mode federated searches: metric indexes. You can now run federated searches over metric index datasets. Additional error handling has been added to ensure that you apply event generating commands to event index datasets and apply metric generating commands to metric index datasets. Note: This is a breaking change for previous federated searches of metric indexes. If you are upgrading the federated search head on your local deployment from a previous version of the Splunk platform, and you have defined federated indexes on that federated search head that map to index datasets which contain metric data, you must replace those federated indexes with new federated indexes that map to metric index datasets. This update does not require you to make any changes to the remote deployment. For more information about defining federated indexes that map to metric index datasets, see Map a federated index to a remote Splunk dataset in Federated Search. For more information about writing federated searches for metric index datasets, see Run federated searches over remote Splunk platform deployments in Federated Search.
- Federated Search for Splunk: Support for eventcount across Standard and Transparent mode: The eventcount command is now supported by Federated Search for Splunk. This support includes the option to have eventcount return event counts for indexes on remote Splunk platform deployments that are designated as federated providers. eventcount search results now include a provider column that identifies the federated providers that listed indexes belong to. For more information, see eventcount in the Search Reference.
- Federated Search for Splunk: Standard mode federated search support for the mcatalog command: The mcatalog command is now supported for standard mode federated searches. For more information, see Run federated searches over remote Splunk platform deployments in Federated Search, and mcatalog in the Search Reference.
- Internal Library Settings: The Internal Library Settings page is removed. Deprecated libraries and unsupported hotlinked imports are restricted, and Splunk Cloud Platform no longer offers a self-service option to use them. For more information about Internal Library Settings, see Control access to jQuery and other internal libraries in the jQuery Upgrade Readiness manual.
- Dashboard Studio enhancements: See What's new in Dashboard Studio.
- SPL2-based application development: This version of Splunk Enterprise supports SPL2 via API, to help admins create powerful apps that give them more control over their ecosystem while allowing developers broad flexibility in the custom apps they can build. Admins and developers can use the API or the Splunk Extension for VS Code to create their apps. Admins and developers can ship SPL2 module files that define custom functions, views, data types, and more to curate resources within their application for users. Users can use these resources in the Splunk search bar to create dashboards and reports by writing single-statement SPL2 searches. See Create SPL2-based apps in the Splunk Developer Guide on dev.splunk.com. Admins can use SPL2 views with run-as-owner permissions. This applies special permissions on modules to execute views under a more privileged context, allowing multiple roles to access sensitive data with different levels of custom data masking. See Manage SPL2-based apps in the Splunk Enterprise Admin Manual.
- Eval function enhancements for data type conversion and type testing: You can use the following new eval data type conversion functions to manipulate values in eval searches: toarray converts a value to an array value; tobool converts a value to a boolean value; todouble converts a value to a double value; toint converts a value to an integer value; tomv converts a value to a multivalue; toobject converts a value to the equivalent object value of the field, if any; json_entries converts a value to an array of JSON objects with key and value fields. You can use the following new eval functions to return information about values in eval searches: isarray tests whether a value is an array value; isdouble tests whether a value is a double value; ismv tests whether a value is a multivalue; isobject tests whether a value is an object; json_has_key_exact tests whether a JSON key is in a JSON object. For more information, see Common eval functions in the Splunk Enterprise Search Reference.
- Eliminate SHC out-of-sync issues: Search head cluster (SHC) replication has been improved to reduce out-of-sync errors. Previously, large CSV lookup files that exceeded the 5GB file size limit could block replication and cause cluster members to go out of sync, often requiring a "destructive resync" to remediate. Now if a CSV lookup exceeds the lookup file size limit, the cluster automatically quarantines the lookup on the search head on which it is generated, without blocking replication of other objects. The splunkd health report shows the number of quarantined lookups and admins can run a search to get details on these lookups for remediation. For more information, see Quarantining large CSV lookup files in search head clusters in the Knowledge Manager Manual.
- Workload management - Support for cgroups version 2: Workload management now supports Linux operating systems that use cgroups version 2. Splunk Enterprise 9.4 is enabled by default to automatically detect and switch to cgroups v2. For more information, see Configure cgroups v2 in Splunk Enterprise in Workload Management.
- Support for persistent queues for output queues with the Splunk to Splunk (S2S) protocol: You can now use persistent queues on output queues to automatically fall back to disk and recover in case of a destination or network failure. Use cases include collecting data for a remote Splunk deployment (intermittent connectivity, or the need to survive a long network outage) and cloning data to one or more Splunk destinations via the S2S protocol, with no data loss and minimal impact if a destination becomes unavailable.