Splunk Release Notes

Last updated: Feb 5, 2026

All Splunk Release Notes (13)

  • Feb 4, 2026
    • Date parsed from source:
      Feb 4, 2026
    • First seen by Releasebot:
      Feb 5, 2026
    Splunk Enterprise Security by Splunk

    Splunk Enterprise Security 8

    Splunk Enterprise Security 8.4.0 delivers Detection Studio improvements, smarter event and finding based detections, new macros, default detection versioning, enhanced investigations, AI Assistant, GCP with SOAR, unified threat data configuration, and team-based queues. Upgrade notes cover backup and compatibility.

    What's new

    Splunk Enterprise Security version 8.4.0 was released on February 4, 2026 and includes the following new enhancements:

    Identify and leverage the most powerful detections using Detection Studio

    Ability to identify the most effective and powerful detections based on your data and security environment to improve search accuracy and reduce alert volume. For more information, see Identify the most optimal detections using Splunk Enterprise Security.

    Improvements in the detection editor for creating event-based detections

    Ability to edit event-based detections is enhanced significantly and includes the following features:

    • Ability to specify findings and intermediate findings in separate sections of the detection editor along with their specific required fields.
    • Information on threat objects, drill-down searches, drill-down dashboards, annotations, and so on, which is common to both findings and intermediate findings, can be specified in the Analyst Queue section of the detection editor in collapsible panels.
    • Risk scores are optional for findings and can be empty.
    • Entities are not required for a finding and risk messages are not required for entities of a finding.
    • If an intermediate finding output type is selected, at least one entity is required.

    For more information, see Create event-based detections in Splunk Enterprise Security.

    Improvements in the detection editor for creating finding-based detections

    Ability to edit finding-based detections is enhanced significantly and includes the following features:

    • Content from ESCU and other simpler, easy-to-use content templates is included.
    • Fewer required fields and a streamlined design aligned with risk-based alerting best practices.
    • Default information types such as entity and kill chain are removed.
    • Panels that group findings based on entity type are deprecated.

    For more information, see Create finding-based detections in Splunk Enterprise Security.

    New macros introduced to simplify the composition of the searches for finding-based detections

    Using these macros helps to standardize the aggregation of findings and group them based on entities. Macros also help to ensure consistency and maintainability of the search structure for finding-based detections. Following is a list of the new macros:

    • generate_findings_summary
    • calculate_findings_fields
    • generate_findings_summary_on_entity

    Detection versioning is a default feature

    Detection versioning is no longer optional; it is turned on by default when you install or upgrade to Splunk Enterprise Security version 8.4.

    Allow skew detection

    Offsetting the time at which detections run, based on scheduler load, automatically distributes search load across time and improves performance. For more information, see Skew the scheduled time to run detections.

    Simplify the ability to create findings and investigations

    Create investigations from scratch or add findings to investigations while creating the finding. Additionally, the number of required fields for creating findings has been reduced. This helps to instantly track emerging threats and reduces the number of required steps to open a case immediately and populate details as they become known. For more information, see Create a simple finding or investigation in Splunk Enterprise Security.

    Add events to an investigation

    Adding events to investigations provides context for robust security use cases and bridges the gap between detection and evidence. Analysts can pull relevant raw events directly into their active investigations. For more information, see Add events to an investigation in Splunk Enterprise Security.

    GCP pairing with Splunk SOAR

    You can now pair Splunk Enterprise Security on GCP with Splunk SOAR on GCP. For more information, see Splunk SOAR Compatibility.

    Unified data source configuration for Threat Intelligence Management

    Activate and deactivate data sources for native threat intelligence or Threat Intelligence Management (Cloud) in a unified interface. See Configure threat intelligence sources in Splunk Enterprise Security.

    Team-based work queues

    Team-based queues organize findings and investigations into focused workspaces that reflect each team's responsibilities. This can help teams stay focused, reduce noise, and respond to threats faster. See Analyst and team-based queues in Splunk Enterprise Security.

    Turning the AI Assistant on or off

    The AI Assistant in Splunk Enterprise Security helps you work through investigations by summarizing findings, explaining activity in clear language, and suggesting next steps. You can turn the AI Assistant on or off at any time in the configuration settings. See Turn the AI Assistant on or off in Splunk Enterprise Security.

    Import and export response plans

    Import your own response plans as JSON files into Splunk Enterprise Security, or export existing response plans. See Import response plans and Manage response plans.

    Cisco Talos integration

    Cisco Talos data is now available in the Intelligence tab of investigations. Access premium threat intelligence to enrich your findings for easier triage and detecting threats. Cisco Talos Intelligence helps to examine URLs, IP addresses, domain names and so on for security threat classifications and related threat intelligence. See Overview of threat intelligence in Splunk Enterprise Security.

    Create a UEBA finding exclusion rule using an entity list

    Create finding exclusion rules to suppress known safe or irrelevant activity that might otherwise inflate entity risk scores or create alert fatigue. You can now reuse existing entity lists to apply exclusions more effectively and consistently across key users and entities. See Create a finding exclusion rule using UEBA configuration page.

    Upgrade notice for 8.x

    Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
    When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
    If you need to revert to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
    See Upgrade Splunk Enterprise Security.
    Note:
    Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.
    Other important notes for upgrading include the following:

    • You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line.
    • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
    • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

    Share threat data in Splunk Enterprise Security

    Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.

    Compatibility and support

    • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
    • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

    Deprecated or removed features

    The following features have been deprecated from Splunk Enterprise Security 8.x:

    • Configuring the investigation type macro is no longer available.
    • Incident Review row expansion is no longer available.
    • Enhanced workflows are no longer available.
    • Sequence templates are no longer available.
    • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
    • Service level agreements (SLAs) and role-based incident type filtering are not available.
    • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
    • Workbench and workbench-related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
    • Capabilities such as edit_timeline and manage_all_investigations have been removed.
    • The Comments feature is replaced by an enhanced capability to add notes.
    • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

    Add-ons

    Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
    Note:
    Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
    Note:
    Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.
    To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.

    • DA-ESS-AccessProtection
    • DA-ESS-EndpointProtection
    • DA-ESS-IdentityManagement
    • DA-ESS-NetworkProtection
    • DA-ESS-ThreatIntelligence
    • SA-AccessProtection
    • SA-AuditAndDataProtection
    • SA-EndpointProtection
    • SA-IdentityManagement
    • SA-NetworkProtection
    • SA-ThreatIntelligence
    • Splunk_SA_CIM
    • Splunk_SA_Scientific_Python_linux_x86_64
    • SplunkEnterpriseSecuritySuite
    • Splunk_ML_Toolkit

    Deprecated or removed add-ons

    Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
    The following technology add-ons are removed from the installer, but still supported:

    • Splunk Add-on for Blue Coat ProxySG
    • Splunk Add-on for McAfee
    • Splunk Add-on for Juniper
    • Splunk Add-on for Microsoft Windows
    • Splunk Add-on for Oracle Database
    • Splunk Add-on for OSSEC
    • Splunk Add-on for RSA SecurID
    • Splunk Add-on for Sophos
    • Splunk Add-on for FireSIGHT
    • Splunk Add-on for Symantec Endpoint Protection
    • Splunk Add-on for Unix and Linux
    • Splunk Add-on for Websense Content Gateway

    The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

    • TA-airdefense
    • TA-alcatel
    • TA-cef
    • TA-fortinet
    • TA-ftp
    • TA-nmap
    • TA-tippingpoint
    • TA-trendmicro

    Updated add-ons

    The Common Information Model Add-on is updated to version 6.4.0.

    Libraries

    The following libraries are included in this release:

    • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
    • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
    • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
  • Jan 15, 2026
    • Date parsed from source:
      Jan 15, 2026
    • First seen by Releasebot:
      Feb 4, 2026
    • Modified by Releasebot:
      Feb 11, 2026
    Splunk Enterprise by Splunk

    Welcome to Splunk Enterprise 10.2

    Splunk Enterprise 10.2 launches with field filters by default, Parquet data in S3, Edge Processor upgrades and SPL2 expansions. It also adds AI Assistant for SPL, OAuth2 support, OTel metrics improvements and revamped dashboards.

    Splunk Enterprise 10.2 was released on January 15, 2026.

    If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

    For system requirements information, see the Installation Manual.

    Before proceeding, review the Known Issues for this release.

    Planning to upgrade from an earlier version?

    If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

    See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

    The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

    What's New in 10.2

    • Preview Update 2 feature: Field filters are now available by default, and now protect sensitive fields in searches that use the tstats command. To protect your personally identifiable information (PII) and protected health information (PHI) data, and meet data privacy requirements such as GDPR or other privacy regulations, you can use field filters in the Splunk Platform to limit access to your sensitive data. Field filters let you limit access to confidential information by redacting or obfuscating fields in events within searches, with optional role-based exemptions. Field filters are now visible for customer use by default, eliminating the requirement for administrators to turn on the feature by configuring limits.conf and web-features.conf files. Field filters now provide native support for the tstats command, and the tstats command can now be used without restrictions on indexes protected by field filters. Note: Plan carefully before deploying field filters, especially if using downstream configurations or Splunk Enterprise Security.

    • Parquet format for data sent to Amazon S3 from Edge Processor: You can now choose to store data as parquet files when sending data from an Edge Processor to Amazon S3.

    • Edge Processor on Splunk Enterprise operating system version support: Several OS versions are no longer supported (Amazon Linux 2, CentOS 7, Debian 10 and 11, RHEL 8.0, SUSE Linux Enterprise 15.0, Ubuntu 20.04 LTS) and newer versions are now supported (Debian 12+, RHEL 9+, RockyLinux 9+, SUSE Linux Enterprise 15.0 SP6+, Ubuntu 24.04 LTS). Users must upgrade unsupported OS versions before upgrading their data management control plane to avoid data loss.

    • Edge Processor on Splunk Enterprise support for JSON array format as input: Now supports JSON array format input allowing square brackets and comma-separated objects.

    • Edge Processor on Splunk Enterprise monitoring dashboards: Updated UI to visualize metrics and health of Edge Processors, including inbound/outbound data volume and logs.

    • Updated systemd configuration instructions: Updated to ensure a more graceful shutdown procedure by specifying KillMode=mixed in the systemd unit file.

    • Support for OAuth2.0 for 3rd party and external applications: Administrators can configure OAuth 2.0 for products like Data Analytics and User Behavior Analysis tools to connect to Splunk platform through REST APIs.

    • Improvements to O11y Metrics & Charts in Splunk Dashboard Studio: Users can leverage observability application service map views in dashboards with incremental improvements and bug fixes.

    • Splunk AI Assistant for SPL in the Search app is now available in Splunk Enterprise: Helps users generate, explain, and translate SPL using natural language, supporting faster onboarding and improved productivity. Requires Splunk AI Assistant for SPL app version 1.3.2 or higher.

    • Remove Node.js: Node.js is removed; customers must update apps dependent on Node.js to bundle their own version.

    • SPL2: Extends SPL language with powerful features, supports SPL or SQL syntax, unified search and streaming language, fully compatible with SPL. Some Linux versions not supported in 10.2.

    • Federated provider names are now case-insensitive: Provider names must be unique regardless of case; duplicate names must be changed.

    • SPL2 support for Dashboard Studio: Use SPL2 data sources in dashboards by creating SPL2 queries or referencing existing views.

    • Other Dashboard Studio enhancements: See What's new in Dashboard Studio.

    • Ingest-Tier Scaling: High-throughput, scalable data ingestion for self-managed Splunk deployments.

    • Bulk Data Movement between Indexes: Efficiently reorganize indexes and move data using specific search criteria; available only in non-SmartStore clustered environments.

    • Effective configuration of OTel Collectors: View complete active configuration for each OTel Collector agent communicating using OpAMP.

    • Agents lookup: Improves performance in agent management UI by retrieving agent data from cached CSV lookup file.

    • Agent management UI/UX enhancements: Unified forwarders and OpenTelemetry management with automated wizard for server class creation.

    • Destination configuration on agent management: Configure S3 and file system destinations directly from agent management; requires agent management version 10.2 or higher.

    • Queued ad hoc search quotas: Configurable limits on number of ad hoc searches queued at system and role levels to prevent performance issues.

    • TLS verification for inter-sidecar communication: Sidecars use server data plane certificates and verify certificates over TLS connections.

    • Using Nascent to ensure correct configuration on search head clusters: Nascent sidecar manages etcd service for consistent configuration and service discovery.

    • Audit Trail Log v2: Structured audit log format using JSON compliant with Common Information Model (CIM), suitable for compliance.

    • Python 3.13 is available on an opt-in basis: Splunk platform uses Python 3.9 by default; Splunk Web uses Python 3.13 only.

    • KV store server version 8.0 is available: Upgrade from version 7.0; version 7.0 will be removed in future releases.

    • Run Splunk Enterprise without the root option: Splunk Enterprise no longer runs as root by default; use --run-as-root to run as root.

    • Monitoring Console Overview Dashboard (beta) redesign: Updated dashboard for improved user experience and efficiency with personalized metrics and alerts.

    For more detailed information, see the respective linked documentation and release notes.

  • Jan 15, 2026
    • Date parsed from source:
      Jan 15, 2026
    • First seen by Releasebot:
      Jan 16, 2026
    • Modified by Releasebot:
      Jan 17, 2026
    Splunk Enterprise by Splunk

    Splunk Enterprise 10.2

    Splunk Enterprise 10.2 arrives with field filters on by default, Parquet data on S3, Edge Processor OS updates, OAuth2.0 support, SPL2 and AI Assistant for SPL, plus Dashboard Studio and admin UI improvements for a faster, more secure on‑prem experience.

    Splunk Enterprise 10.2

    Splunk Enterprise 10.2 was released on January 15, 2026.

    If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

    For system requirements information, see the Installation Manual.

    Before proceeding, review the Known Issues for this release.

    Planning to upgrade from an earlier version?

    If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

    See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

    The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

    What's New in 10.2:

    • Preview Update 2 feature: Field filters are now available by default, and now protect sensitive fields in searches that use the tstats command. To protect your personally identifiable information (PII) and protected health information (PHI) data, and meet data privacy requirements such as the General Data Protection Regulation (GDPR) or other privacy regulations, you can use field filters in the Splunk Platform to limit access to your sensitive data. Field filters let you limit access to confidential information by redacting or obfuscating fields in events within searches, with optional role-based exemptions. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters and Plan for field filters in your organization. With the Preview Update 2 release, field filters are now visible for customer use by default, which eliminates the requirement for administrators to turn on the feature by configuring the limits.conf and web-features.conf files. Field filters now provide native support for the tstats command, and the tstats command can now be used without restrictions on indexes protected by field filters. READ THIS FIRST: Should you deploy field filters in your organization? Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization uses downstream configurations, such as accelerated data models, Splunk Enterprise Security (ES) detections using those data models, and user-level search-time field extractions, make sure that you plan around the implications of field filters on those configurations before deploying field filters in your environment. See READ THIS: Downstream impact of field filters. If your organization runs Splunk Enterprise Security, or if your users rely heavily on commands that field filters restrict by default (mpreview and mstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

    • Parquet format for data sent to Amazon S3 from Edge Processor: When sending data from an Edge Processor to Amazon S3, you can now choose to store the data as parquet files. See Send data from Edge Processors to Amazon S3 for more information.

    • Edge Processor on Splunk Enterprise operating system version support: Due to updates in Splunk Enterprise 10.2 that address CVEs, breaking changes have been made to the operating systems supported by Edge Processor on Splunk Enterprise. Amazon Linux 2 is no longer supported. CentOS 7 is no longer supported. Debian 10 and 11 are no longer supported. Debian 12 and higher are now supported. Red Hat Enterprise Linux (RHEL) 8.0 is no longer supported. RHEL 9.0 and higher are now supported. RockyLinux 9 and higher are now supported. SUSE Linux Enterprise 15.0 is no longer supported. SUSE Linux Enterprise 15.0 SP6 and higher are now supported. Ubuntu 20.04 LTS is no longer supported. Ubuntu 24.04 LTS is now supported. Users running their data management control plane and edge processors on any non-supported operating system must upgrade to a supported version of that operating system before upgrading their data management control plane to Splunk Enterprise 10.2 to avoid any data loss from their edge processors. Other Splunk Enterprise deployment components outside of your data management control plane are not impacted by this change. See Installation requirements in the Use Edge Processors for Splunk Enterprise manual for a list of supported operating systems.

    • Edge Processor on Splunk Enterprise support for JSON array format as input: Edge Processor on Splunk Enterprise now supports JSON array format as input. This enhancement allows input to contain square brackets and objects to be separated by commas. For more information, see Get data into an Edge Processor using HTTP Event Collector.

    • Edge Processor on Splunk Enterprise monitoring dashboards: The Edge Processor on Splunk Enterprise solution now includes an updated user interface that allows you to quickly visualize the metrics and health of your Edge Processors. View the inbound and outbound data volume of each pipeline, and the logs of your Edge Processors, for different lengths of time. Use Edge Processor monitoring dashboards to understand the health of your Edge Processors. Visualize the flow of data into destination queues and check pipeline connections.

    • Updated systemd configuration instructions: The instructions for configuring systemd to manage the underlying process of your Edge Processor instance have been updated to ensure a more graceful shutdown procedure. Previously, when you ran the restart or stop commands from systemctl, the Edge Processor supervisor and systemd both sent terminating signals to the Edge Processor instance, causing the instance to terminate abruptly. You can now prevent this issue by specifying the KillMode=mixed setting in the systemd unit file. See the Install an instance and configure systemd section in Set up an Edge Processor for more information.

    • Support for OAuth2.0 for 3rd party and external applications: Customers can easily and securely authenticate their 3rd party applications using the standardized processes and workflows offered through version 2 of the Open Authorization (OAuth 2.0) protocol. Administrators can now configure OAuth 2.0 for use with products like Data Analytics and User Behavior Analysis (UBA) tools to connect to Splunk platform through REST APIs, so end users can get data and insights, make decisions faster, and turn data into doing. See Configure an external Open Authorization 2.0 authorization server.

    • Improvements to O11y Metrics & Charts in Splunk Dashboard Studio: Users can leverage observability application service map views in both published and exported dashboards, along with incremental improvements and bug fixes for Splunk Observability Cloud metrics and charts in Splunk Dashboard Studio. See Add a Splunk Observability Cloud service map to Dashboard Studio dashboards.

    • Splunk AI Assistant for SPL in the Search app is now available in Splunk Enterprise: Splunk AI Assistant for SPL is now available in the Search app for hybrid on-premises Splunk platform deployments. The Splunk AI Assistant helps users generate, explain, and translate SPL using natural language. This generative AI-powered experience is designed to support both new and advanced users by providing query suggestions, detailed explanations, and direct access to Splunk platform documentation. The AI assistant enables faster onboarding, improved productivity, and more effective investigations. The Splunk AI Assistant for SPL app version 1.3.2 or higher must be installed before you can use the AI Assistant in searches in Splunk Web. To learn more, see Use Splunk AI Assistant for SPL in the Search app.

    • Remove Node.js: Splunk previously announced the deprecation of Node.js and is now removing it. Customers using apps dependent on Node.js will need to update their apps to bundle their own version of Node.js. Failure to do so may result in App/TA functionality degradation and unexpected behavior.

    • SPL2: SPL2 extends the existing SPL language by incorporating several powerful features. These features simplify data access and analysis while also providing support for complex investigations and data management workflows. With SPL2, you can write searches using either SPL or SQL syntax. This simplifies learning and using the language, and adds consistency to the language. SPL2 is a unified search and streaming language, offering a single syntax for searching data in Splunk indexes, accessing federated data stores, and preparing data in-stream across various Splunk products. SPL2 is fully compatible, and can operate in parallel, with SPL. For information about what's new, known issues, and fixed issues, see SPL2 release notes in the SPL2 Overview manual.

    • Federated provider names are now case-insensitive: As of this release, federated provider names are case-insensitive for Federated Search for Splunk. For example, say you have a provider named MyProvider and you try to create a new provider with a Provider name of myprovider. In this instance, Splunk software prevents you from creating the new provider until you choose a Provider name that is unique, regardless of alphabetical character case. Note: If you are upgrading from a previous version of the Splunk platform, this might be a breaking change. If you have two or more federated providers in your Splunk platform deployment with names that differ only by case (such as one named MyProvider and another named myprovider), you must change the duplicate provider names to unique strings. There are two ways to accomplish this: You can delete and recreate the federated providers with duplicate names. If you have access to the .conf files for your Splunk platform deployment, you can edit the duplicate federated provider names directly in federated.conf. You cannot edit federated provider names in Splunk Web. If you choose to not delete or replace duplicate provider names, Splunk software uses the first name that appears in federated.conf. For example, if the MyProvider stanza appears before the myprovider stanza in federated.conf, Splunk software references only the MyProvider stanza when it receives any version of the string "myprovider".
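    Before upgrading, you can check an existing federated.conf for provider names that will collide once names become case-insensitive. The following Python script is an added example, not Splunk's own tooling; it assumes the `[provider://<name>]` stanza header format and runs against a constructed sample configuration embedded in the script.

```python
"""Pre-upgrade check for the Splunk Enterprise 10.2 change that makes federated
provider names case-insensitive: providers whose names differ only by case
collide, and only the first stanza in federated.conf is honoured afterwards.

Assumption: provider stanzas are headed '[provider://<name>]'. The sample
configuration below is constructed for illustration, not taken from a real
deployment.
"""
import re
from collections import OrderedDict

# Constructed sample federated.conf with two provider names that differ only by case.
SAMPLE_FEDERATED_CONF = """\
[provider://MyProvider]
type = splunk
ip = 10.0.0.5

[provider://remote_east]
type = splunk
ip = 10.0.0.6

[provider://myprovider]
type = splunk
ip = 10.0.0.7

[federated_search]
some_setting = true
"""

# Matches a provider stanza header and captures the provider name.
STANZA_RE = re.compile(r"^\[provider://(?P<name>[^\]]+)\]\s*$")


def provider_names(conf_text):
    """Return provider names in the order their stanzas appear in the file."""
    names = []
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


def find_case_collisions(conf_text):
    """Group provider names that differ only by case.

    Returns a dict keyed by the casefolded name whose values are the original
    spellings in file order. Only groups with more than one spelling are
    returned; the first element of each group is the stanza Splunk uses after
    the upgrade, because it appears first in federated.conf.
    """
    groups = OrderedDict()
    for name in provider_names(conf_text):
        groups.setdefault(name.casefold(), []).append(name)
    return {key: spellings for key, spellings in groups.items() if len(spellings) > 1}


def report(conf_text):
    """Human-readable summary of which stanzas must be renamed before upgrading."""
    collisions = find_case_collisions(conf_text)
    if not collisions:
        return "No case-insensitive provider name collisions found."
    lines = []
    for spellings in collisions.values():
        kept, shadowed = spellings[0], spellings[1:]
        lines.append(
            f"Provider names {spellings} collide; after upgrade only "
            f"[provider://{kept}] is used. Rename: {shadowed}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FEDERATED_CONF))
```

    Run it against a copy of your deployment's federated.conf before the upgrade; any reported group must be renamed to unique strings, since Splunk Web does not let you edit provider names.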

    • SPL2 support for Dashboard Studio: In Dashboard Studio, you can use SPL2 data sources in dashboards by doing one of the following: Create an SPL2 query from within a dashboard or Reference an existing view from an SPL2 module. See Create search-based visualizations with SPL2.

    • Other Dashboard Studio enhancements: See What's new in Dashboard Studio.

    • Ingest-Tier Scaling: Ingest-Tier Scaling delivers high-throughput, scalable data ingestion for self-managed Splunk deployments, enabling customers to handle larger data volumes with improved resilience, operational efficiency, and clearer separation of ingest and indexing tiers. See Ingest-Tier Scaling.

    • Bulk Data Movement between Indexes (Clustering): Bulk Data Move allows Splunk Enterprise users to efficiently reorganize indexes and move data between them using specific search criteria. Reclaim storage and manage sensitive information without requiring full index removal. Available only in non-SmartStore clustered environments. See Bulk Data Move for indexer clusters.

    • Effective configuration of OTel Collectors: We have enhanced the visibility and management of OpenTelemetry (OTel) Collector agent configurations within the Splunk platform. Now you can view the complete, active configuration for each OTel Collector agent that communicates using OpAMP (Open Agent Management Protocol). For more information, see Effective configuration of OTel Collectors.

    • Agents lookup: To improve performance when managing a large number of agents, we have introduced the agents lookup feature for the agent management user interface. When enabled, this feature significantly reduces UI load times by retrieving agent data from a cached CSV lookup file generated by a saved search, instead of querying the index directly for every interaction. For more information, see Agents lookup.

    • Agent management UI/UX enhancements: To improve the admin experience, we have enhanced the agent management user interface and user experience. Forwarders and OpenTelemetry management are now unified into a single-stop console, and an automated wizard has been introduced for simplified server class creation.

    • Destination configuration on agent management: You can now configure S3 and file system destinations directly from agent management, and these changes will automatically be propagated to your connected agents. To maintain consistency, always configure destinations from agent management. This feature requires agent management version 10.2 or higher, while there is no version restriction for compatible agents. You can enable or disable this feature using the enableS3ConfigOnDs flag in the limits.conf file. For more information, see Create an S3 destination.

    • Queued ad hoc search quotas: This feature introduces configurable limits on the number of ad hoc searches that Splunk software can queue at both the system level and the role level. These limits are designed to prevent unbounded queuing of ad hoc searches, which can negatively impact system performance and resource utilization. For more information, see Create and manage roles in Splunk Enterprise using authorize.conf.

    • TLS verification for inter-sidecar communication: To enhance security, each sidecar uses a server data plane certificate when communicating with other sidecars through the direct port of the destination sidecar. Over a Transport Layer Security (TLS) connection on the direct port, the connecting sidecar verifies the certificate of the destination sidecar to ensure a trusted connection. For more information, see Inter-sidecar communication.

    • Using Nascent to ensure correct configuration on search head clusters: The Nascent sidecar ensures that the etcd service runs with the correct configuration on each search head in the cluster. By managing the etcd cluster, it provides consistent configuration and service discovery throughout the cluster. This sidecar is necessary for the proper functioning of the Storage sidecar due to its dependency on etcd. For more information, see About the Nascent sidecar.

    • Audit Trail Log v2: structured audit log format: The structured format of audit trail logs, also known as Audit Trail Log v2, complies with the Common Information Model (CIM). It uses JSON, which makes logs easier to parse and interpret. Audit Trail Log v2 includes comprehensive metadata, making it suitable for compliance purposes. This is the first phase in delivering Splunk Idea E-I-49. To learn about this format, see About structured audit trail logs.

    • Python 3.13 is available on an opt-in basis: You can opt in to use Python 3.13 instead of Python 3.9. Splunk platform still uses Python 3.9 by default, but Splunk Web uses Python 3.13 only. To learn how to switch between Python versions, see Python compatibility in Splunk apps.

    • KV store server version 8.0 is available: Upgrade to KV store server version 8.0. Splunk Enterprise 10.2 still supports KV store server version 7.0, but this server version will be removed in future versions of Splunk Enterprise. To learn how to upgrade your KV store server version, see Upgrade the KV store server version.

    • Run Splunk Enterprise without the root option: Splunk Enterprise no longer runs as root by default. To start, stop, or restart Splunk Enterprise as root, append --run-as-root to the command.

    • Monitoring Console Overview Dashboard (beta) redesign: The Overview (beta) dashboard has been updated for improved user experience and efficiency. The dashboard provides a summary of your deployment's most important metrics:
      • View a summary of your deployment's license entitlements and understand your resource usage with status indicators for each license entitlement metric.
      • Personalize your dashboard and choose the metrics that are most important to your users.
      • Access action items such as Refresh and Open in search in each metric's ellipses menu.
      • Provide feedback to the Splunk MC team using the Feedback button.
      • Monitor forwarders and get alerts when forwarders are missing.
      To learn more about the Overview (beta) dashboard, see Overview Dashboard.

  • Nov 19, 2025
    • Date parsed from source:
      Nov 19, 2025
    • First seen by Releasebot:
      Nov 20, 2025
    • Modified by Releasebot:
      Nov 21, 2025

    Splunk Enterprise Security by Splunk

    Splunk Enterprise Security 8.3.0

    Splunk Enterprise Security 8.3.0 brings entity risk scoring, UEBA, and enhanced detection versioning. It delivers faster analyst queues, pinned fields, nested findings, and SOAR clustering support, plus an upgrade path for legacy investigations.

    Splunk Enterprise Security version 8.3.0 release highlights

    Splunk Enterprise Security version 8.3.0 was released on November 19, 2025 and includes the following new enhancements:

    • Enhanced version management and tracking: Ability to view the active and the latest version of a detection along with the full author names instead of user IDs. For more information, see Create multiple versions of a detection in Splunk Enterprise Security.

    • Streamlined UI workflow in detection versioning: Includes sortable columns, dialog flash fixes, panel state persistence, and the ability to download links for version and activity history of detections. For more information, see Create multiple versions of a detection in Splunk Enterprise Security.

    • Turning on or off the ability to edit notes: Ability to choose whether users can edit notes that exist for findings and investigations after they're saved. For more information, see Turn on or turn off the ability to edit notes.

    • Pairing with Splunk SOAR clusters and warm standby: Ability to pair Splunk Enterprise Security with Splunk SOAR (On-premises) clustered environments, including using warm standby and backup and restore. For more information, see Pair Splunk Enterprise Security with Splunk SOAR in Administer Splunk Enterprise Security and Splunk SOAR Compatibility in the release notes.

    • Pinning finding and investigation fields in the analyst queue: Ability to pin specific fields in the side panel of a finding or investigation or on the investigation overview page to keep the information you care about most easily accessible. For more information, see Pin fields for findings and investigations in Splunk Enterprise Security.

    • Nested findings in the analyst queue: Ability to navigate complex investigations more efficiently by reducing visual clutter and maintaining context as you drill deeper into related data. Nested findings organize related findings and finding groups into a clear, hierarchical structure across the analyst queue and investigation overview page. For more information, see Navigate nested findings for triage.

    • Finishing existing legacy investigations: Ability to finish your existing work, export data for reports, and maintain visibility into past findings with the legacy investigations interface. If you previously created investigations in Splunk Enterprise Security 7.x, you can still review and complete them after upgrading to version 8.x. For more information, see Review and finish existing legacy investigations.

    • Entity risk scoring: Includes the new entity risk score (ERS), an enhanced version of the original risk score in Splunk Enterprise Security. It measures the overall risk level of an entity, such as a user or asset, based on findings associated with that entity. For more information, see Entity risk scoring in Splunk Enterprise Security and Using entity risk scores for detections in Splunk Enterprise Security.

    • Threat intelligence storage optimization: Ability to optimize data retention for threat intelligence KV Store collections in Splunk Enterprise Security. For more information, see Threat intelligence collections in Splunk Enterprise Security.

    • User and Entity Behavior Analytics (UEBA) for Splunk Enterprise Security Premier: Ability to detect insider threats, reduce false positives, and prioritize investigations based on risk with UEBA. UEBA identifies anomalies by comparing current activity against learned baselines for users and assets. See the following documentation to get started: User and entity behavior analytics (UEBA) overview in Splunk Enterprise Security, Installing UEBA for Splunk Enterprise Security, Configuration checklist for UEBA in Splunk Enterprise Security.

    • Analyst queue performance improvements: Searching, automating, and interacting with findings on the analyst queue will load them into the KV Store collection for faster retrieval and load times. For more information, see Optimizing storage with KV Store retention policy.

    • Updates to hide finding settings for finding groups: Hide findings setting now also hides findings that belong to finding groups. Help text for this feature has been updated to indicate that findings will still appear nested under the investigation or finding group to which they belong.

    Upgrade notice for 8.x:

    • Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
    • When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
    • If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
    • Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.
    • You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line.
    • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
    • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

    Share threat data in Splunk Enterprise Security:

    • Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025.

    Compatibility and support:

    • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform.
    • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

    Deprecated or removed features:

    • Configuring the investigation type macro is no longer available.
    • Incident Review row expansion is no longer available.
    • Enhanced workflows are no longer available.
    • Sequence templates are no longer available.
    • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
    • Service level agreements (SLAs) and role-based incident type filtering are not available.
    • The Content management page was updated to remove Workbench Profile, Workbench Panel, and Workbench Tab.
    • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
    • Capabilities such as edit_timeline and manage_all_investigations have been removed.
    • The Comments feature is replaced by an enhanced capability to add notes.

    Add-ons:

    • Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework.
    • To ensure that the Splunk Enterprise Security app works correctly, turn on specific add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.
    • Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
    • Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.

    Deprecated or removed add-ons:

    • Many technology add-ons are no longer included in the Splunk Enterprise Security package installer but can be downloaded from Splunkbase.
    • Some technology add-ons are removed from the installer, supported for the next year, but deprecated and will reach end of support one year from the release date of this Enterprise Security version.

    Updated add-ons:

    • The Common Information Model Add-on is updated to version 6.3.0.

    Libraries:

    • Included libraries in this release are Splunk_ML_Toolkit-5.3.0-1631633293630.tgz, Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0, and Splunk_SA_Scientific_Python_windows_x86_64-3.0.0.
  • September 2025
    • No date parsed from source.
    • First seen by Releasebot:
      Sep 17, 2025

    Splunk Cloud Platform by Splunk

    Splunk Cloud Platform

    Overview of this Splunk Cloud Platform release: cloud features comparable to Splunk Enterprise with some cloud-only options, a firewall-based access model, no SSH/CLI edits (except on forwarders), and configuration via Splunk Web or Admin Config Service with support cases for non-self-service changes.

    Welcome to Splunk Cloud Platform

    This document contains information about this version of Splunk Cloud Platform.

    Splunk Cloud Platform delivers many of the features of Splunk Enterprise, plus some features that are available only to Splunk Cloud Platform subscribers. The features in your Splunk Cloud Platform environment might vary from those in Splunk Enterprise because of your topology, deployment, and configuration settings.

    Splunk Cloud Platform uses a firewall to prevent unauthorized user access. The firewall prevents SSH access to the Splunk Cloud Platform deployment, which means that you cannot edit configuration files or use the command line interface (CLI) to configure your Splunk Cloud Platform deployment (except on forwarder hosts, which run in your corporate network). To configure settings, use Splunk Web or Admin Config Service. If you need to modify your configuration in a way that is not self-serviceable, submit a case on the Support Portal.

  • Sep 9, 2025
    • Date parsed from source:
      Sep 9, 2025
    • First seen by Releasebot:
      Sep 17, 2025
    • Modified by Releasebot:
      Oct 10, 2025

    Splunk Enterprise Security by Splunk

    Splunk Enterprise Security 8.2

    Splunk Enterprise Security 8.2.x rolls out AI assist, enhanced investigations, and expanded APIs across 8.2.0 to 8.2.3, plus TAXII 2 support and improved finding groups. Upgrade guidance warns that the upgrade is one-way and requires backups; many features and add-ons are deprecated or moved.

    What's new

    What's new in 8.2.3

    Splunk Enterprise Security version 8.2.3 was released on October 7, 2025 and includes patch fixes. For more information, see Splunk Enterprise Security 8.2.3 fixed issues.

    What's new in 8.2.2

    Splunk Enterprise Security version 8.2.2 was released on September 24, 2025 and includes a patch fix. See Splunk Enterprise Security 8.2.2 fixed issues.

    What's new in 8.2.1

    Splunk Enterprise Security version 8.2.1 was released on September 17, 2025 and includes the following new enhancements:

    • AI Assistant improvements: You can now use the AI Assistant to summarize individual findings in the analyst queue. For details, see Summarize findings with the AI Assistant. You can also choose between Frontier or Splunk-hosted models for the AI Assistant to use based on your organization's compliance requirements. See Choose which models the AI Assistant uses.
    • Hybrid pairing with Splunk SOAR: You can now pair Enterprise Security (Cloud) with a single Splunk SOAR (On-premises) instance. For details, see Splunk SOAR compatibility later in the release notes and Pair Splunk Enterprise Security with Splunk SOAR.

    What's new in 8.2.0

    Splunk Enterprise Security version 8.2.0 was released on September 9, 2025 and includes the following new enhancements:

    • AI Assistant for investigations: Summarize findings, get an SPL search, and generate an investigation report with the AI Assistant. See Scenario: Jordan uses the AI Assistant to summarize an investigation and generate SPL. Note: The AI Assistant for Splunk Enterprise Security is not automatically available by default. An administrator must reach out to their account management team to get started.
    • Version activity for detections: Ability to view the version activity of a detection. For more information, see Use detection versioning in Splunk Enterprise Security.
    • Detection audit trail: Monitor when detections are turned on or off, modified, or deployed, including who made changes and when. This is essential for compliance and change management of security rules.
    • Testing detections in the detection editor: Ability to evaluate detection performance and efficiency within your SOC workflow by testing detections and reviewing search results. For more information, see Validate detections in Splunk Enterprise Security.
    • Validate the SPL of a custom finding-based detection: Ability to validate the SPL query conditions for a custom finding-based detection in the detection editor. For more information, see Guidelines to create a custom finding-based detection.
    • Viewing notes on the findings or finding groups included in an investigation: Ability to view notes on the findings or finding groups that are included in an investigation to get the complete context of linked findings when reviewing investigations. For more information, see Create and share notes on an investigation.
    • Option to keep finding groups closed: Ability to configure in the detection editor whether closed finding groups are reopened or not if additional findings or intermediate findings are added to the finding group. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
    • Lookback finding groups: Ability to create lookback finding groups to group historical findings based on the first time the detection runs. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
    • Overlap finding groups: Ability to create overlap finding groups to prevent overlooking edge cases that might represent risk. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
    • Button options for filtering the analyst queue by type: Findings, Investigations, Finding groups, or All types. Quickly filter the analyst queue by type using the buttons above the queue. See Filter the findings and investigations.
    • Making notes optional or required: Enforce notes or make them optional when an analyst updates a finding or investigation. See Make notes required or optional.
    • Making note titles optional or required: Change the note title requirement setting to make note titles required or optional when analysts update a finding or investigation. See Make note titles required or optional.
    • ESSID-I-426: Hiding duplicate findings that have been added to an investigation. A finding that is part of an investigation can appear both nested under the investigation and also as a separate listing in the analyst queue. You can opt to show the finding in both locations, or you can hide the finding so that it only appears nested under an investigation. See Hide or show duplicate findings that have been added to an investigation.
    • Redesigned quick actions in the analyst queue: Refresh the analyst queue manually or with auto-refresh, now in the quick actions menu at the top of the analyst queue. See Refresh the analyst queue.
    • ESSID-I-425, ESSID-I-457: Syncing changes with included findings. Apply changes made in an investigation or finding group to all of its included findings. See Sync changes with included findings.
    • Optimizing storage with KV Store retention policy: Turn on the KV Store retention policy to automatically remove old records from KV Store collections based on a configured time-based or size-based policy. See Optimizing storage with KV Store retention policy.
    • ESSID-I-465: Expanded API capabilities to create findings, add findings to investigations, and create, read, update, and delete notes.
    • Adding a TAXII 2 threat intelligence feed: Splunk Enterprise Security versions 8.2 and later now support TAXII version 2.0 and TAXII version 2.1. Add threat intelligence from a TAXII 2 feed to Splunk Enterprise Security. See Add a TAXII 2 feed.
    • Other key highlights:
      • Your preferences for viewing charts, timelines, filters, and the count on the analyst queue persist throughout your session.
      • Findings that are part of an investigation are hidden from the top level of the Analyst Queue by default so that you can focus on actionable alerts.
      • New Splunk Enterprise Security APIs are now searchable using the SPL REST command.
      • Performance-based enhancements: Search ID reuse improves load times across the Analyst Queue and investigations by reusing the results of cached search jobs.
      • SAML user token support is no longer required for native SOAR functionality.

    Upgrade notice for 8.x

    Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
    When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
    If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
    See Upgrade Splunk Enterprise Security.
    Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.
    Other important notes for upgrading include the following:

    • You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line.
    • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
    • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

    Share threat data in Splunk Enterprise Security

    Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.

    Compatibility and support

    • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
    • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

    Deprecated or removed features

    The following features have been deprecated from Splunk Enterprise Security 8.x:

    • Configuring the investigation type macro is no longer available.
    • Incident Review row expansion is no longer available.
    • Enhanced workflows are no longer available.
    • Sequence templates are no longer available.
    • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
    • Service level agreements (SLAs) and role-based incident type filtering are not available.
    • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
    • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
    • Capabilities such as edit_timeline and manage_all_investigations have been removed.
    • The Comments feature is replaced by an enhanced capability to add notes.
    • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

    Add-ons

    Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
    Note: Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
    Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.
    To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.

    • DA-ESS-AccessProtection
    • DA-ESS-EndpointProtection
    • DA-ESS-IdentityManagement
    • DA-ESS-NetworkProtection
    • DA-ESS-ThreatIntelligence
    • SA-AccessProtection
    • SA-AuditAndDataProtection
    • SA-EndpointProtection
    • SA-IdentityManagement
    • SA-NetworkProtection
    • SA-ThreatIntelligence
    • Splunk_SA_CIM
    • Splunk_SA_Scientific_Python_linux_x86_64
    • SplunkEnterpriseSecuritySuite
    • Splunk_ML_Toolkit

    Deprecated or removed add-ons

    Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
    The following technology add-ons are removed from the installer, but still supported:

    • Splunk Add-on for Blue Coat ProxySG
    • Splunk Add-on for McAfee
    • Splunk Add-on for Juniper
    • Splunk Add-on for Microsoft Windows
    • Splunk Add-on for Oracle Database
    • Splunk Add-on for OSSEC
    • Splunk Add-on for RSA SecurID
    • Splunk Add-on for Sophos
    • Splunk Add-on for FireSIGHT
    • Splunk Add-on for Symantec Endpoint Protection
    • Splunk Add-on for Unix and Linux
    • Splunk Add-on for Websense Content Gateway

    The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

    • TA-airdefense
    • TA-alcatel
    • TA-cef
    • TA-fortinet
    • TA-ftp
    • TA-nmap
    • TA-tippingpoint
    • TA-trendmicro

    Updated add-ons

    The Common Information Model Add-on is updated to version 6.2.0.

    Libraries

    The following libraries are included in this release:

    • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
    • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
    • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
  • Jul 31, 2025
    • Date parsed from source:
      Jul 31, 2025
    • First seen by Releasebot:
      Sep 17, 2025

    Splunk Enterprise by Splunk

    What's new in 9.4.4

    Splunk Enterprise 9.4.4 was released on July 31, 2025. It resolves the issues described in Fixed issues.

  • Jul 28, 2025
    • Date parsed from source:
      Jul 28, 2025
    • First seen by Releasebot:
      Sep 17, 2025
    • Modified by Releasebot:
      Nov 29, 2025

    Splunk Enterprise by Splunk

    Splunk Enterprise 10.0

    Splunk Enterprise 10.0 launches with Edge Processor for on-site data filtering, updated FIPS support, mTLS encryption, and OpenSSL 3.0 plus Python 3.9. It also brings fine-grained access, Dashboard Studio and observability improvements, dynamic scheduling, and enhanced APIs.

    Splunk Enterprise 10.0 was released on July 28, 2025.

    If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

    For system requirements information, see the Installation Manual.

    Before proceeding, review the Known Issues for this release.

    Planning to upgrade from an earlier version?

    If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

    See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

    The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

    What's New in 10.0

    • Edge Processor service: The Edge Processor solution is a service hosted within your Splunk Enterprise deployment designed to help you manage data ingestion within your network boundaries. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments. For more information, see About the Edge Processor solution.

    • Updated support for Federal Information Processing Standards (FIPS): Splunk Enterprise now ships an updated FIPS 140-2 module and adds a FIPS 140-3 module. These modules let you run Splunk Enterprise in FIPS mode to comply with those standards. The updated FIPS 140-2 module that comes with Splunk Enterprise 10.0 is valid until March 2026, which gives you time to move to the FIPS 140-3 module after you have upgraded both your Splunk Enterprise components and your forwarding tier to version 10. For more information about Splunk Enterprise and FIPS, see Secure Splunk Enterprise with FIPS. For information about upgrading FIPS in Splunk Enterprise, see Best practice for maintaining compliance with FIPS and Common Criteria in your Splunk Enterprise environment.

    • Support for mutual transport layer security (mTLS): Splunk Enterprise now supports configuring mTLS on network connections between Splunk Enterprise instances and services. With mTLS, both ends of a connection present a certificate and verify the peer's, so the connection authenticates the client as well as the server in addition to being encrypted.

    • OpenSSL version 3.0 support: Splunk Enterprise 10.0 ships OpenSSL 3.0, which replaces the deprecated OpenSSL 1.0.2. The bundled Python runtime is also version 3.9, so scripted connections to services and APIs run under that interpreter (see the Python 3.9 item below).

    • Fine-grained access to search knowledge objects: Splunk admins now have improved options for assigning permissions to roles for access to knowledge objects. Three new capabilities grant admins increased flexibility in assigning access to the objects and replace the admin_all_objects capability, which was the only option available previously. For more information on configuring fine-grained access for search knowledge objects, see Configure roles for fine-grained management of saved search objects, owners, and properties.

    • Sidecars: Sidecars are processes that run alongside the splunkd process to fulfill specific functions, and they support introducing new features to the Splunk platform. For example, several sidecars support enhanced data management in the on-premises environment. Sidecars change the process picture of a Splunk Enterprise host by introducing multiple additional processes, and their process names don't include a splunk prefix, so host monitoring rules or process allowlists that match on that prefix need updating. To learn more about sidecars, see About Splunk sidecars.

    • Dashboards Trusted Domains List: Admins can add and remove domains using the Dashboards Trusted Domains List page. To navigate to this page, in the Splunk bar, select Settings > Server settings > Dashboards Trusted Domains List. To learn more, see Configure Dashboards Trusted Domains List.

    • Dashboards in the Audit Trail app: Using the Audit Trail app, you can quickly gain insights on security, compliance, and the operation of a Splunk platform instance. The dashboards help you monitor user activities and changes of knowledge objects in real time, based on data from the audit index, index=_audit. If you notice any issues to troubleshoot or activities to investigate, you can get more details by searching the audit log. It is a good practice to begin an audit of Splunk platform activity by reviewing the Audit Trail dashboards. To learn more about the Audit Trail dashboards, see Auditing activities in a Splunk platform instance.

    • Support for the savedsearch command in standard mode federated searches: You can now use the savedsearch command to run federated searches over remote saved search datasets located on standard mode federated providers. In addition, you can use the savedsearch command's string substitution syntax to replace strings in the remote saved search with strings of your own, if the remote saved search contains replacement placeholder terms such as $replace_me$. Note: This feature is a breaking change if you use savedsearch to reference local saved searches whose names begin with the string federated:. With this release, the savedsearch command treats any reference to a saved search name that begins with federated: as a federated search, so rename such local saved searches before you upgrade. For more information, see Run federated searches over remote Splunk platform deployments in Federated Search, and the savedsearch reference topic in Search Reference.

    • Expanded SPL support for standard mode searches in Federated Search for Splunk: Support has been added for the mcollect, sendalert, and sendemail commands in standard mode federated searches for Federated Search for Splunk. These commands can now run locally on the federated search head. See SPL commands that run on the federated search head in standard mode.

    • Email domains enhancement: A new enhancement to the Email Domains setting under Server settings in Splunk Web lets administrators allow all email domains, deny all email domains, or allow only the domains in a comma-separated list. The setting restricts the domains to which alert emails can be sent; without it, any user who can configure an alert can send search results by email to an arbitrary domain, which is a data exfiltration risk. If you don't want to use Splunk Web to manage email domains, you can configure the allowedDomainList setting in the [email] stanza of the alert_actions.conf file instead.

    • OAuth 2.0 support for email server authentication: Splunk Enterprise now supports OAuth 2.0 for SMTP server authentication. This release adds support for Microsoft Exchange Server. For the Gmail SMTP server, you can use a Google app password instead of the account password with simple authentication (username and password). See Configure email notification for Splunk Enterprise.

    • Splunk Enterprise Python 3.9: Python version 3.7 has been removed from Splunk Enterprise 10.0 and higher. Python 3.9 is the only interpreter available in this release. Confirm that all apps and add-ons are on the latest version and compatible with Python 3.9, otherwise those applications might break or not function properly with Splunk Enterprise.

    • Dashboard Studio enhancements: See What's new in Dashboard Studio.

    • Preview feature: Field filters now support the typeahead and walklex commands: In previous releases of field filters, the typeahead and walklex commands were restricted commands that the Splunk platform turned off by default on indexes with field filters. As of this release, these commands are no longer restricted. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters. READ THIS FIRST: Should you deploy field filters in your organization? Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization runs Splunk Enterprise Security, or if your users rely heavily on the commands that field filters restrict by default (mpreview, mstats, and tstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on any indexes if field filters are in use in the Securing Splunk platform manual.

    • Preview feature: Field filters are now first in the sequence of search-time operations, which has implications for downstream operations: Field filters have moved to first in the sequence of search-time operations; in previous releases they were processed fourth. Because field filters now run before every other operation in the sequence, downstream operations that depend on certain field values might break when those values are filtered out. See The sequence of search-time operations in the Splunk Platform Knowledge Manager Manual. If your organization uses the Splunk Common Information Model (CIM) together with field filters to protect sensitive fields, you should also understand the downstream impact of field filters on data model acceleration (DMA). For more information, see Plan for field filters in your organization in the Securing Splunk platform manual.

    • Dynamic limit for scheduled searches: Splunk Enterprise 10.0 introduces the dynamic_max_searches_perc setting. This setting allows the search scheduler to automatically adjust the scheduled search concurrency limit (max_searches_perc) based on the ad hoc and scheduled search workload. This feature can reduce search latency, minimize skipped searches, and help you use search capacity more efficiently between ad hoc and scheduled searches. See Dynamically manage scheduled search concurrency limits.

    • Effective configuration: This feature lets you view the actual configuration installed on your forwarders without logging into the machines or running btool. This means you no longer need to rely on other teams to access configuration details. With this feature, you can see the real, active settings applied on forwarders, including all parameter changes in .conf files. It gives you a complete picture of the configuration currently in use. You can download the effective configuration files and open them in a text editor for further analysis. See View configurations installed on your forwarders.

    • Bulk Data Move: Bulk Data Move allows Splunk Enterprise users to efficiently reorganize indexes and move data between them using specific search criteria. Easily reclaim storage and manage sensitive information with precision, avoiding the friction of full index removal. Available for Standalone (single instance) deployments only. See Split indexed data in the Manage Indexes and Indexer Clusters manual.

    • OpenTelemetry Collectors: This feature allows you to view information about OTel Collectors you manage, helping you monitor status of your agents in one place. You'll see a list of registered OTel Collectors in a table view. You can view more details along with key attributes by selecting an individual agent. This view-only functionality supports better visibility into how your data collection components are operating. See Monitoring the status of OpenTelemetry Collectors in Splunk Enterprise.

    • Observability metrics in Dashboard Studio: You can create charts in Dashboard Studio that are based on observability metrics or import an existing Splunk Observability Cloud chart into Dashboard Studio. You can also filter observability-based metrics charts by dimension to look at something more granularly. See Splunk Observability Cloud metrics in Splunk Cloud Platform.

    • Preview observability data in the Search app: In a new Related Content panel, you can see previews of Splunk Observability Cloud data and context that are related to an event you are investigating in the Search & Reporting application. See Preview observability data in the Related Content panel.

    • View an observability service map in Dashboard Studio dashboards: You can add a service map for services monitored in Splunk Observability Cloud into Dashboard Studio. A service map allows you to see dependencies and connections among your instrumented and inferred services in APM at a glance on the dashboard of your choice in Splunk Cloud Platform. You can then identify performance bottlenecks and error propagation side-by-side with your other charts and graphs. See Add a Splunk Observability Cloud service map to Dashboard Studio dashboards.

    • SPL2 module permissions: When you create a module you are automatically given execute, read, and write permissions on that module. Previously, only users with the admin and power roles were granted these permissions on modules. Permissions for the module owner can't be revoked. You can grant or revoke permissions on the modules that you create. Module permissions are set using the REST API endpoints. See Modify permissions for modules in the Splunk Enterprise Admin Manual.

    • Deprecated version 1.0 endpoints for the Search API are now deactivated by default: Select version 1.0 endpoints for the Search API have been deprecated and deactivated, and will be removed in a future release. Customers and app developers should upgrade usage of these deactivated endpoints to the new API version, Search API version 2.0. These new Semantic Versioned Rest API endpoints for search improve platform contracts and resiliency to platform updates. If your organization has business-critical apps that still need to use the deactivated endpoints, you can turn them on for a limited time as a temporary fix. See Semantic API versioning in the REST API Reference Manual.

    • Sunsetting of the Upgrade Readiness App: Splunk is ending its support of the Upgrade Readiness App. It will no longer be updated and has been removed from this version of Splunk Enterprise. For more information, see Sunsetting of the Upgrade Readiness App.

    • Updated alerts page: The alerts page is updated for usability and accessibility. Note: If you configure a custom alert action with HTML, ensure the HTML doesn't include unsupported or malformed elements. Update your HTML to match the supported custom elements for Splunk Web. For more information, see Create the configuration UI for a custom alert action.

    • Favorite knowledge objects: Users can now add and remove reports from favorites. Favorites make insights discovery and accessing knowledge objects, such as reports, easier and faster.

    • Agent management can upgrade universal forwarders (Splunk idea EID-I-70): With this feature, you can upgrade universal forwarders by installing the Remote Upgrader with elevated privileges just once. After this one-time setup, performed either manually or with automation tools, all future upgrades of universal forwarders can be managed centrally through the agent management (in versions 10.0 and higher of Splunk Enterprise) or deployment server (in versions 9.x of Splunk Enterprise), eliminating the need for repeated manual intervention. To learn more about the Remote Upgrader tool, see About the Splunk Remote Upgrader for Linux Universal Forwarders.

    • Ingest Actions Live Capture on search heads: The new Live Capture capability on search heads improves the accuracy of event previews in Ingest Actions. A Live Capture tab in the ruleset editor retrieves real-time sample events from up to 10 connected indexers or heavyweight forwarders at once, using sampling logic similar to Deployment Server and Deployment Client. This feature ensures that event previews reflect actual ingest time data, which addresses issues caused by post ingest changes such as source type renaming. It also improves rule accuracy, user confidence, and support efficiency. Live Capture is available in both Splunk Cloud and Splunk Enterprise deployments and does not support data capture from non-clustered indexers. Live Capture is not recommended for sensitive data, as it does not enforce Role Based Access Control (RBAC) on indexes. Regardless of RBAC restrictions, anyone using Ingest Actions and Live Capture can view events going into an index that match a certain source type.
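
    The Email Domains item above describes a recipient-domain allowlist. The following added example (not Splunk's code, and not taken from the page) models the same control in Python so its edge cases can be seen: an empty allowedDomainList is treated as "allow all", as the setting's documentation describes; an empty set passed to the checker denies everything; domains are compared case-insensitively and exactly, so subdomains must be listed explicitly (an assumption here, not Splunk's documented matching); and a recipient written as user@corp.example@evil.example is rejected rather than matched on its first domain. The alert_actions.conf fragments and every address in the example are constructed.

```python
"""Model the recipient-domain restriction behind the Email Domains setting:
read allowedDomainList from an [email] stanza, then decide which alert
recipients may receive search results. Example code, not Splunk's."""
import configparser
import re

# Constructed alert_actions.conf fragments. Only the stanza and setting names
# come from the release notes; the domains are invented.
WEAK_CONF = """\
[email]
allowedDomainList =
"""
HARDENED_CONF = """\
[email]
allowedDomainList = corp.example, soc.corp.example
"""

_ANGLE = re.compile(r"<([^<>]*)>\s*$")


def load_allowed_domains(conf_text):
    """Return the allowlist as a set of lower-cased domains, or None when the
    list is empty, which the setting documents as 'all domains allowed'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("email", "allowedDomainList", fallback="").strip()
    if not raw:
        return None
    return {d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()}


def recipient_domain(addr):
    """Domain of one recipient, lower-cased, or None if the address is malformed.
    Display names ('Alice <alice@corp.example>') are tolerated; anything with
    more or fewer than one '@' is rejected, so 'a@corp.example@evil.example'
    cannot pass as corp.example."""
    addr = addr.strip()
    m = _ANGLE.search(addr)
    if m:
        addr = m.group(1).strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def filter_recipients(to_field, allowed):
    """Split a comma-separated To: field and return (accepted, rejected).
    allowed=None permits every domain; an empty set rejects every recipient;
    otherwise the domain must match an entry exactly (subdomains are not
    implied here, an assumption rather than Splunk's documented matching)."""
    accepted, rejected = [], []
    for item in to_field.split(","):  # display names containing commas are not handled
        item = item.strip()
        if not item:
            continue
        dom = recipient_domain(item)
        if dom is not None and (allowed is None or dom in allowed):
            accepted.append(item)
        else:
            rejected.append(item)
    return accepted, rejected


if __name__ == "__main__":
    to = ("Alice <alice@CORP.example>, mallory@evil.example, "
          "a@corp.example@evil.example, ops@soc.corp.example")
    print("weak    :", filter_recipients(to, load_allowed_domains(WEAK_CONF)))
    print("hardened:", filter_recipients(to, load_allowed_domains(HARDENED_CONF)))
```

    With the weak stanza every well-formed recipient passes, including mallory@evil.example; with the hardened stanza only the two corp.example addresses do. The double-@ address is rejected under both, because a checker that keys on the first or last domain it sees is exactly the kind that an attacker-supplied recipient string is built to confuse.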

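    The Audit Trail item above points at index=_audit as the place to start an investigation. The following added example (not Splunk's code, and not taken from the page) shows, in Python over constructed audit events, the kind of first-pass check those dashboards summarize: parse the Audit:[key=value, ...] records, flag a burst of failed logins for one user from one source address inside a five-minute window, note whether a successful login for that user followed, and list changes to users or roles. The sample lines, the five-minute window, the threshold of three, and the set of privileged action names are assumptions to tune against your own audit data.

```python
"""Run two first-pass checks over Splunk-style audit events (index=_audit):
failed-login bursts and changes to users or roles. Example code, not Splunk's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events in the shape of Splunk's audit.log records; the timestamps,
# users and addresses are invented.
SAMPLE_AUDIT = """\
01-15-2025 10:02:11.100 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2025 10:02:11.100, user=alice, action=login attempt, info=failed, src=203.0.113.5][n/a]
01-15-2025 10:02:19.412 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2025 10:02:19.412, user=alice, action=login attempt, info=failed, src=203.0.113.5][n/a]
01-15-2025 10:02:27.903 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2025 10:02:27.903, user=alice, action=login attempt, info=failed, src=203.0.113.5][n/a]
01-15-2025 10:03:02.000 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2025 10:03:02.000, user=alice, action=login attempt, info=succeeded, src=203.0.113.5][n/a]
01-15-2025 10:40:00.000 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2025 10:40:00.000, user=bob, action=login attempt, info=failed, src=10.0.0.9][n/a]
01-15-2025 11:10:44.220 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2025 11:10:44.220, user=alice, action=edit_roles, info=granted, object=analyst, operation=edit][n/a]
01-15-2025 11:11:03.500 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2025 11:11:03.500, user=admin, action=search, info=granted, search_id='1736939463.12', search='search index=_internal | head 5'][n/a]
"""

# Assumed list of actions worth reviewing whenever they appear; extend it from
# the action values you actually see in your own _audit index.
PRIVILEGED_ACTIONS = {"edit_user", "edit_roles", "edit_authentication", "edit_password"}

_RECORD = re.compile(r"Audit:\[(.*?)\](?:\[[^\]]*\])?\s*$")
_PAIR = re.compile(r"(\w+)=([^,\]]+)")
_TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit(text):
    """Turn raw audit lines into dicts sorted by time. Lines that do not match
    the Audit:[...] shape, or lack a parseable timestamp, are skipped."""
    events = []
    for line in text.splitlines():
        m = _RECORD.search(line)
        if not m:
            continue
        ev = {k: v.strip() for k, v in _PAIR.findall(m.group(1))}
        try:
            ev["time"] = datetime.strptime(ev.get("timestamp", ""), _TS_FORMAT)
        except ValueError:
            continue
        events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Report each run of >= threshold failed logins for one (user, src) inside
    the window, and whether a successful login for that user followed within it."""
    recent = defaultdict(deque)
    findings = []
    for ev in events:
        if ev.get("action") != "login attempt" or ev.get("info") != "failed":
            continue
        key = (ev.get("user", "?"), ev.get("src", "?"))
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            findings.append({"user": key[0], "src": key[1], "count": len(q),
                             "first": q[0], "last": ev["time"]})
            q.clear()  # report a burst once; counting restarts after the alert
    for f in findings:
        f["followed_by_success"] = any(
            e.get("action") == "login attempt" and e.get("info") == "succeeded"
            and e.get("user") == f["user"]
            and f["last"] <= e["time"] <= f["last"] + window
            for e in events)
    return findings


def privileged_changes(events):
    """Every event whose action is in PRIVILEGED_ACTIONS, kept in time order."""
    return [ev for ev in events if ev.get("action") in PRIVILEGED_ACTIONS]


def analyze(text):
    events = parse_audit(text)
    return {"bursts": failed_login_bursts(events), "changes": privileged_changes(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_AUDIT).items():
        for item in items:
            print(kind, item)
```

    On the sample, alice's three failures from 203.0.113.5 inside 17 seconds become one burst, marked as followed by a success because she logged in 35 seconds later, which is the ordering that turns a noisy alert into one worth opening an investigation for; bob's single failure is ignored, and the edit_roles event is listed as a privileged change regardless of who performed it. The same logic expressed in SPL against index=_audit is what you would schedule once the thresholds fit your environment.
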
  • Jul 17, 2025
    • Date parsed from source:
      Jul 17, 2025
    • First seen by Releasebot:
      Oct 3, 2025

    Splunk Enterprise Security by Splunk

    Splunk Enterprise Security 8.1.1

    Splunk Enterprise Security 8.1.x adds detection version comparisons, UI improvements, SOAR pairing, and a revamped detections editor plus API and threat intel enhancements. It also covers upgrade notices, compatibility, deprecated features, add-ons, and bundled libraries.

    What's new in 8.x

    What's new in 8.1.1

    Splunk Enterprise Security 8.1.1 was released on July 17, 2025. It resolves the issues described in Fixed issues.

    What's new in 8.1.0

    Splunk Enterprise Security version 8.1.0 was released on June 10, 2025 and includes the following new enhancements:

    • New feature: Comparison between versions of detections
      Description: Ability to compare the differences between detection versions to determine if an outdated version is turned on or to troubleshoot a detection that is generating false positive alerts. For more information, see Reviewing differences between detection versions.

    • New feature: UI improvements to the Intermediate findings timeline visualization
      Description: Enhanced ability to interact with the visualization to analyze the relationship between intermediate findings and their associated risk scores. The Intermediate findings timeline visualization was previously referred to as the Risk timeline visualization in Splunk Enterprise Security versions 8.0.x. For more information on this visualization, see Reviewing findings using the intermediate findings timeline in Splunk Enterprise Security and Access the intermediate findings timeline to review findings in Splunk Enterprise Security.

    • New feature: Pairing with Splunk SOAR (On-premises)
      Description: You can now pair Splunk SOAR (On-premises), in addition to pairing with Splunk SOAR (Cloud) to run actions, run playbooks, and review automation history in Splunk Enterprise Security. For more information, see Pair Splunk Enterprise Security with Splunk SOAR. For compatibility information, see Splunk SOAR compatibility in the Splunk Enterprise Security Compatibility matrix article.

    • New feature: Enhancements to the detection editor
      Description: The following improvements are included in the detection editor in this release:

      • Use only event-based detections to create finding groups
      • Select security annotations from various cyber-security frameworks using the drop-down menu in the detection editor
      • Multiple drill-down searches associated with a detection can no longer have the same name
      • Ability to delete a drill-down search with the same name if it is not the first drill down search
      • Ability to view, delete, add, or modify the pre-populated suppressed fields in the finding-based detection editor
      • Improve search experience by automatically expanding the tokens in the titles and descriptions of findings and detections prior to storing the findings and finding groups in the notable index.
      • Preview the search and test the search results for the finding-based detection in the detection editor to ensure that the detection fits your use case.
      • PCI governance controls added as annotation to monitor PCI DSS 4.0 requirements
        For more information on improvements to the user interface for creating detections, see Create finding groups in Splunk Enterprise Security, Add annotations to detections in Splunk Enterprise Security, Modify drill-down searches to use uniquely identifiable keys, Troubleshoot drill-down searches in Splunk Enterprise Security, Suppress and modify specific fields within finding-based detections, Expand tokens in findings and detections to improve the search experience, Create finding-based detections in Splunk Enterprise Security.
    • New feature: Reduced alert noise on the analyst queue since event-based detections can generate both findings and intermediate findings
      Description: Event-based detections can be configured to generate both findings and intermediate findings with assigned risk scores that can be modified to reflect accurate risk levels. For more information, see Event-based detections, Assign risk using risk modifiers in Splunk Enterprise Security.

    • New feature: Support for Splunk API
      Description: The Splunk Enterprise Security API allows you to use and modify findings, investigations, risk scores, assets, and identities in Splunk Enterprise Security. Additionally, Splunk Enterprise Security offers a set of REST API endpoints that you can use to interact with the Splunk Enterprise Security frameworks programmatically or from Splunk search and build integration applications for use with Splunk Enterprise Security. For more information, see Splunk Enterprise Security API reference.

    • New feature: Intelligence summary for findings in the analyst queue
      Description: Review threat intelligence attributes associated with a finding in the side panel of the analyst queue. Use threat intelligence attributes to help you determine whether you need to start an investigation based on that finding. Threat intelligence attributes include threat actors, MITRE tactics, CVEs, and malware associated with one or more observables present in the finding. For more information, see Review threat intelligence attributes for a finding in Splunk Enterprise Security, Fields containing observables in Splunk Enterprise Security.

    • New feature: New default views in a collapsible side panel for filtering the analyst queue
      Description: Filter the analyst queue by new default views such as Owned by me or Risk score. In a new collapsible side panel, you can select from different saved views to make the triage process easier. For more information, see Filter by a default view in the analyst queue, Manage saved views.

    Upgrade notice for 8.x

    Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

    • When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
    • If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
    • See Upgrade Splunk Enterprise Security.
    • Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.

    Other important notes for upgrading include the following:

    • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not already on. Post-installation, the installer deletes the tokens. If the installation fails partway, check Settings > Tokens for any residual installer tokens and contact Splunk Support to have them deleted.
    • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

    Share threat data in Splunk Enterprise Security
    Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.

    Compatibility and support

    • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
    • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

    Deprecated or removed features

    The following features have been deprecated from Splunk Enterprise Security 8.x:

    • Configuring the investigation type macro is no longer available.
    • Incident Review row expansion is no longer available.
    • Enhanced workflows are no longer available.
    • Sequence templates are no longer available.
    • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
    • Service level agreements (SLAs) and role-based incident type filtering are not available.
    • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
    • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
    • Capabilities such as edit_timeline and manage_all_investigations have been removed.
    • The Comments feature is replaced by an enhanced capability to add notes.
    • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

    Add-ons

    • Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
    • Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.
    • Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
    • To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.
      • DA-ESS-AccessProtection
      • DA-ESS-EndpointProtection
      • DA-ESS-IdentityManagement
      • DA-ESS-NetworkProtection
      • DA-ESS-ThreatIntelligence
      • SA-AccessProtection
      • SA-AuditAndDataProtection
      • SA-EndpointProtection
      • SA-IdentityManagement
      • SA-NetworkProtection
      • SA-ThreatIntelligence
      • Splunk_SA_CIM
      • Splunk_SA_Scientific_Python_linux_x86_64
      • SplunkEnterpriseSecuritySuite
      • Splunk_ML_Toolkit

    Deprecated or removed add-ons

    Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
    The following technology add-ons are removed from the installer, but still supported:

    • Splunk Add-on for Blue Coat ProxySG
    • Splunk Add-on for McAfee
    • Splunk Add-on for Juniper
    • Splunk Add-on for Microsoft Windows
    • Splunk Add-on for Oracle Database
    • Splunk Add-on for OSSEC
    • Splunk Add-on for RSA SecurID
    • Splunk Add-on for Sophos
    • Splunk Add-on for FireSIGHT
    • Splunk Add-on for Symantec Endpoint Protection
    • Splunk Add-on for Unix and Linux
    • Splunk Add-on for Websense Content Gateway

    The following technology add-ons are removed from the installer and deprecated. They remain supported for one year from the release date of this Splunk Enterprise Security version, after which they reach end of support:

    • TA-airdefense
    • TA-alcatel
    • TA-cef
    • TA-fortinet
    • TA-ftp
    • TA-nmap
    • TA-tippingpoint
    • TA-trendmicro

    Updated add-ons

    • The Common Information Model Add-on is updated to version 6.1.0.

    Libraries

    The following libraries are included in this release:

    • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
    • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
    • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
  • Jun 5, 2025
    • Date parsed from source:
      Jun 5, 2025
    • First seen by Releasebot:
      Sep 17, 2025

    Splunk Enterprise by Splunk

    What's new in 9.4.3

    Splunk Enterprise 9.4.3 is out, dated June 5, 2025. The release shifts KV store server to version 7.0 for all 9.4+ deployments, delivering security improvements and better performance. The upgrade happens automatically during the Splunk Enterprise 9.4 upgrade, and users are guided to plan the KV store upgrade per the Splunk Support Policy and Admin manual. This release emphasizes security, policy,

    Splunk Enterprise 9.4.3 was released on June 5, 2025. It resolves the issues described in Fixed issues.

    • Splunk Enterprise versions 9.4 and higher no longer support KV store server version 4.2.
    • Upgrade to KV store server version 7.0 for continued support and security, and to comply with the Splunk Support Policy. For more details, see Splunk Support Policy. Your deployment automatically upgrades your KV store during your upgrade to Splunk Enterprise 9.4. This new server version includes security enhancements and improves the performance of your KV store. See Upgrade the KV store server version in the Admin manual to plan your upgrade.
