Splunk enhances analytics scalability, allows separate scaling of compute and storage and enables LOB users in new platform release

Splunk’s announcements at the outset of their Splunk .conf18 event include significant new updates of their Splunk Enterprise and Splunk Cloud platforms

The new Dark Mode in Splunk Enterprise 7.2

ORLANDO – Today, at the Splunk .conf18 here, Splunk has announced new versions of their on-prem Splunk Enterprise and cloud-based Splunk Cloud platforms. New capabilities include greater ability to scale analytics, as well as to make analytics more usable to people who don’t know the SPL query language. Compute and storage tiers can now be scaled separately, while both Docker and Kubernetes, with which Splunk integrated previously, now have full support from Splunk services teams.

“Splunk Enterprise is at the core of everything you know and love about Splunk,” said Josh Klahr, VP Enterprise Product Management, in the event’s opening keynote. “We spent a lot of time listening to you, and we heard from you that you want performance, manageability and scale. You want it to be easier and faster to get any type of data into Splunk, so new users are able to access it to get information. And you continue to validate our investment in machine learning and AI. So I am thrilled to announce the latest release of Splunk Cloud and Splunk Enterprise 7.2.”

“Splunk’s domain has been on platforms, with our historic focus being rooted in the machine data domain, within the big data universe,” said Jerome Stewart, Senior Director, Product Marketing, Platform at Splunk. “This release of Splunk Enterprise 7.2, and our Splunk Cloud SaaS platform is for both of our platforms. There is substantial overlap between the two platforms – about an 87 per cent overlap between them.”

Stewart said that this release addresses three separate customer issues.

“The first is customers who say data analysis is now too complex, involving data at rest, data lakes, and data somewhere else – and having to provide security for it all,” he said. “This release focuses on enabling customers to analyze any data with Splunk Data Stream Processor.”

“Splunk Data Stream Processor lets you process data that is in motion, using a graphical editor,” said Tim Tully, Splunk’s SVP and Chief Technology Officer. “It lets you see the data before it goes into the index, so that you don’t have to hope and pray that it’s correct. It’s also in real time, directly off the stream in the UI. It sits alongside the Splunk environment to supercharge data before it hits the index.”

The second issue is scaling analytics, and for this, Tully announced beta availability of Splunk Data Fabric Search.

“Splunk Data Fabric Search has seamless federated search across massive sets of indexers,” he said. “It scales to billions and even trillions of events and processes queries that weren’t possible to complete before in Splunk.”

Splunk Data Fabric Search allows search at massive scale, analyzing trillions of events at millisecond speeds with federated search across multiple Splunk deployments.

“We are focused on delivering breakthrough performance here,” Stewart said. In a limited beta, customers were running trillions of events in a single query.

The third issue is providing greater analytical value to customers.

“Splunk has always used SPL query language, which is wonderful, but there is a large class of potential users who don’t use SPL,” Stewart said. “So we decided to release the requirement of SPL to use the platform, so it’s more GUI and natural language interface. We think this has limitless ability to broaden our audience. We are not pulling away from SPL, which will continue to be used by technical people, but we can now make Splunk usable by other technical users who do not work with SPL. It can also now be used by Line of Business users, including people from sales and marketing teams.”

Improvement of handling of metrics was a top priority in this release.

“In the last couple of releases we have made enhancements around metrics and data sets,” Stewart said. “We elevated metrics to a first-class data type that you can get to quickly. Now we are doubling down on metrics with a GUI approach to metrics analytics.”

The innovation here is Metrics Workspace, which allows the monitoring and analysis of metrics data in an efficient, intuitive user interface.

“This complements Logs to Metrics, which configures and converts log events to metrics,” Stewart said. “Metrics Workspace allows analysis through a GUI without having to use SPL.”

Splunk SmartStore is a new feature which helps maximize data management flexibility by allowing compute CPU and storage to be independently scaled when appropriate.

“SmartStore decouples that classic Splunk architecture that features CPU and storage coupled together, and allows customers to scale them independently,” Stewart said. “It analyzes customer data usage patterns and helps determine what state the data should reside in, if it should move into lower-cost S3-compatible long-term storage. It’s an opportunity to dramatically reduce costs.” Splunk says that it can reduce TCO by up to 70 per cent.

Another new capability is Workload Management, which lets users prioritize the allocation of compute and memory resources used by the Splunk Platform on searches and alerts, to ensure users’ most critical analytics are completed first.

“This is something that Splunk users had requested,” Stewart said.

A wildly popular feature in the keynote was a new Dark Mode interface, which can be switched on or off with a click.

Another popular part of the keynote was Tully’s announcement of beta availability of Splunk Mobile, a product which alerts techs remotely if there are issues and, more significantly, allows them to triage problems remotely, just by pushing a button on their phone.

For Splunk Cloud, a new addition is Dynamic Data: Active Archive, the latest release in the Dynamic Data service series.

“Dynamic Data is a feature family, and Active Archive is for when they need the data actively searchable,” Stewart said. “It provides customers with more flexibility to transform the data.”

Splunk Cloud has also had a significant upgrade on the compliance side, and is now certified on PCI DSS and HIPAA security standards.

“This is something that we have delivered in the past on request,” Stewart said. “We are introducing a new SKU which builds it in, and makes it easy.”

Multiple new integration-related capabilities are part of the platform updates. Splunk Community for Machine Learning Toolkit [MLTK] Algorithms on GitHub amplifies MLTK customers’ creations and algorithms by allowing them to share, shape and build on GitHub community contributions. Splunk MLTK Container for TensorFlow, and Splunk MLTK Connector for Apache Spark were also announced. Expanded support in 7.2 was also announced for Docker and Kubernetes.

“We supported them before through integration capability, but the new element here is that our customer service teams now officially support both,” Stewart indicated.