Can you remember the last time you got to experience the wonderful world of Disney without the screaming shroud of thousands upon thousands of little humans ogling over a talking mouse or some variant of a princess? All this while thinking to yourself, “If anything were to embody the definition of controlled frustration, it would be this place.” My last memory of Disney consisted of repetitious rides along the grueling “It’s a Small World” river in California, dragging my poor helpless father along on each ride without any remorse whatsoever. Of course, my last memory of this place was far more than a just a couple of years ago, and to this day I still apologize to my father for putting him through such anguish, all at my expense and to earn himself some significant bonus points for fathering and keeping his eldest son ecstatic all day long.
However, my latest encounter with the Mouse proved to be quite the opposite of these typical experiences, and included much thought leadership and motivation as I got to experience my third Splunk .CONF annual user convention, held at the Walt Disney World Resort in Orlando. Each year, attendees are introduced to new and improved functionality of the big data platform that is Splunk, and learn firsthand from customers how they implement the solution to meet their specific needs, all while bouncing ideas back and forth between colleagues, inspiring innovation across thousands of people.
Splunk’s .CONF 2016 annual event was no stranger to the themes I have witnessed during my previous years attending the convention: introducing new product features and functions that enable the “Platform for Machine Data” to make said machine data accessible and usable for everyone. As with previous major releases of the software, Splunk has clearly listened to some of the community requests of the big data giant, and has quite slickly engrained some of these features and optimizations into their core platform for anyone to use. While the previous years seemed to focus on Splunk’s release of premium solutions (MINT, ITSI, etc.) to meet ever-expanding market verticals, this year focused more on the core Splunk platform, enabling far more use from the software even from those with little to no user or admin experience with it. And this, my friends, is a wonderful thing.
The release of Splunk 6.5 includes enhancements and features that fall under four separate advances in the platform, each of which was defined by Splunk in their always-anticipated keynote presentation:
- Data Preparation and Analysis
- Machine Learning
- Platform Extensions
- App Development
Data Prep and Analysis
Right off the bat, Splunk has introduced a new feature that enables all users, regardless of skill level with Splunk, to build the reports they need with simple point and click maneuvers. The new “Dataset Table” feature lets users create and analyze tabular data feeds without using the Splunk Processing Language (SPL). Combining this with the existing Splunk Pivot function, any user can create the reports they need in a very simple and rapid manner.
The process of core searching and the overall productivity of searching itself have been dramatically improved with the release of 6.5. Search syntax coloring has been introduced to help aid in the correct development of simple and complex searches before they are executed. Automatic inline formatting is included that allows users to visualize their searches in a top-down manner consistent with those we see in standard development. And finally, intelligent auto-complete gives suggestions for the user to complete their search commands with each function included within the search.
Machine Learning
Splunk 6.5 introduces major enhancements to its existing Machine Learning Toolkit that previous releases did not have including a mechanism to introduce statistical algorithms to the core Splunk engine and enable baseline machine learning throughout a Splunk ecosystem. The new version of this toolkit incredibly enhances the underlying learning algorithms, and allows users to apply them to any type of data or domain, and specify which algorithms may be used against the data. The new toolkit allows the organization to determine what is “normal” in their environments, both opening the eyes of what is to be expected on a daily basis within individual systems and architectures, and ultimately reducing alarm fatigue and enabling “truer” analytics on the data within Splunk.
Platform Extensions
A few significant extensions to the core Splunk platform itself were introduced that help optimize the core operations and simplify overall administration of a deployment. Hadoop data rolls have been introduced that organizations may take advantage of, reducing overall historical data storage by upwards of 80% without any loss in search performance. The well-known Splunk Distributed Management Console (DMC) has been improved with the introduction of the Splunk Health Check, which gives real time and historical views of various operations of interest happening across the infrastructure. Finally, and certainly noteworthy, is the introduction of Indexer Cluster Rebalancing, which allows Splunk to dynamically and automatically reallocate system resources and storage across the indexer cluster when new peers are added into the environment.
Application Development
Splunk app development and the simplification of the overall process of building apps and deploying them to the Splunkbase have been of great consideration in the development of Splunk 6.5. Various toolkits and certification processes have been introduced that simplify the creation of Splunk applications and streamline the developer’s process for actually publishing their apps to the public.
Final Thoughts
In my sincere opinion, I believe the introduction of Splunk 6.5 is Splunk’s greatest enhancement to the overall user experience with their core platform since the introduction of Splunk 6.2 a few years ago…and I may even argue all the way back to 6.0!
With all of the focus on introducing Splunk into the IT Operations Analytics (ITOA) market at last year’s user convention, it’s no shock that much of the focus was placed on the company’s Information Technology Service Intelligence (ITSI) platform, with product enhancements coming about in the form of performance versus user experience. This year absolutely seems to be focused on the usability of the core platform, truly allowing users, power users, and admins to use the core platform to its expected potential.
Does this mean that Splunk didn’t introduce improvements and new functionalities to their premium solutions like Enterprise Security and ITSI? Of course not. There were absolutely improvements to all solutions, and each will only continue to get better within their respective market verticals. But I will say this in relation to the premium solution—the real announcements and improvements are looming…quite soon…so stay tuned closely for those here in the very short term! But until then, we should definitely all breathe a deep sigh of happiness and joy that so much focus has been put into the core Splunk platform!
Taylor Williams is a Solutions Architect of the Big Data Practice at GTRI.
