Splunk .conf24: Key Updates & Highlights
Author: Carl Parker
Release Date: 10/07/2024
Somerford Associates were delighted to attend Splunk .conf24 in Las Vegas in June, soaking in the incredible atmosphere and scenery, enjoying the thumping dance music and, of course, listening to the latest product reveals from our world-renowned data analytics partner.
After all, although a little bit of TLC is always appreciated, it’s the key Splunk updates that really draw in the listener and make the headlines at Splunk .conf24. Luckily, our certified technical expert, Ben Marrable, attended virtually to take in the highlights and has recorded a short, on-demand webinar session covering the major announcements.
The Total Cost of Downtime
Before we get into the major product announcements from Splunk .conf24, we first want to note the fascinating new report that Splunk produced and released during the keynote speech, which thoroughly investigates the financial impact that modern businesses experience as a result of downtime. The headline figure suggests that “bouts of downtime could easily amount to $200M+ annually for just one single company”.
The insights in this Splunk report reveal how the most resilient organisations avoid these downtime costs, and avoid losing up to 9% of total revenue, by finding and fixing root causes, making smart technology investments and banking on resilience leaders. We would definitely encourage you to check out this report if you haven’t already.
New Splunk AI Assistants
Onto the technical updates now, and there’s a fair few to get through from .conf24, so let’s get started with the word on everyone’s lips right now: AI. The full version of AI Assistant for SPL was released at .conf24, after a preview was announced at the previous .conf23.
AI Assistant for SPL is a Generative AI work partner, similar to others we have seen pop up in recent years, though of course this one is written specifically for SPL. Using existing data from within your instance and from Splunk’s own knowledge base, this AI Assistant can answer certain product queries you may have. Another key feature of this AI tool is bi-directional translation between SPL and natural language, improving efficiency at work.
This is not the only AI Assistant revealed by Splunk at .conf24 either: it will be joined by AI assistants for Enterprise Security (ES) and Observability. For analysts who are unsure how to respond to a particular issue shown in the ES dashboards, the ES Assistant can answer queries without extensive troubleshooting, saving time and addressing threats rapidly. Meanwhile, the Observability Cloud AI Assistant will perform a similar role for that product.
Splunk Ingest Processor
Following on from the Splunk Edge Processor announced last year, which provides flexible filtering, masking and routing capabilities to control what goes into Splunk, we now have Splunk Ingest Processor, unveiled at .conf24.
This feature is cloud-only and produces summarised log entries that aggregate large numbers of repeated error messages, reducing data volume and making monitoring easier. Once this data has been collected, you have the option to route the resulting metric data into a Metrics Index, to S3 in Parquet format, or into Observability Cloud. Just as with the previously released Edge Processor, this tool is included with Splunk licences at no additional cost.
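To make the data-reduction idea concrete, here is an added example (our own illustration, not Ingest Processor code) that models log-to-metrics summarisation in Python: raw lines are parsed, INFO chatter is dropped, and repeated ERROR/WARN messages are collapsed into one count per minute per host and message. The sample log lines and the field layout are constructed for this example.

```python
"""Added example (not Splunk's Ingest Processor): a minimal model of
log-to-metrics summarisation, showing what a summarised entry keeps and
what it drops. The sample log lines below are constructed."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: a chatty service emitting repeated error messages.
SAMPLE_LOGS = """\
2024-06-11T09:00:01Z host=web01 level=ERROR msg="upstream timeout" upstream=10.0.0.5
2024-06-11T09:00:02Z host=web01 level=ERROR msg="upstream timeout" upstream=10.0.0.5
2024-06-11T09:00:03Z host=web01 level=INFO msg="request served" path=/login
2024-06-11T09:00:04Z host=web01 level=ERROR msg="upstream timeout" upstream=10.0.0.6
2024-06-11T09:00:59Z host=web02 level=ERROR msg="disk 92% full" mount=/var
2024-06-11T09:01:00Z host=web01 level=ERROR msg="upstream timeout" upstream=10.0.0.5
2024-06-11T09:01:30Z host=web02 level=WARN msg="slow query" ms=812
"""

# Hypothetical key=value line format used by the constructed sample.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) level=(?P<level>\S+) msg="(?P<msg>[^"]*)"'
)


def parse(line):
    """Return (timestamp, host, level, msg), or None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["level"], m["msg"]


def summarise(raw, bucket_seconds=60, levels=("ERROR", "WARN")):
    """Collapse raw lines into per-bucket counts keyed by (host, level, msg).

    Only the listed levels are summarised; other levels (INFO here) are dropped
    entirely, which is where most of the volume reduction comes from.
    Returns (metric_records, number_of_parsed_raw_lines).
    """
    counts = Counter()
    parsed_lines = 0
    for line in raw.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        parsed_lines += 1
        ts, host, level, msg = parsed
        if level not in levels:
            continue
        bucket = int(ts.timestamp()) // bucket_seconds * bucket_seconds
        counts[(bucket, host, level, msg)] += 1

    # One metric-style record per bucket/host/level/message.
    records = [
        {
            "_time": datetime.fromtimestamp(b, tz=timezone.utc).isoformat(),
            "host": host,
            "level": level,
            "msg": msg,
            "metric_name": "log.count",
            "_value": count,
        }
        for (b, host, level, msg), count in sorted(counts.items())
    ]
    return records, parsed_lines


if __name__ == "__main__":
    records, n = summarise(SAMPLE_LOGS)
    print(f"{n} raw lines -> {len(records)} summary records")
    for r in records:
        print(r)
```

Note what the summary no longer carries: per-event fields such as `upstream=10.0.0.5` or `mount=/var` are gone, so a summarised stream is good for trend monitoring but not for forensic reconstruction. In practice you would keep the raw copy of security-relevant sources somewhere (which is exactly why the routing options matter) and summarise only the noisy operational ones.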
Splunk Enterprise Security 8.0
Hailed by our security expert, Ben Marrable, as the most significant update to Enterprise Security in years, version 8.0 will include improved case management over a single surface, bringing the recently introduced Mission Control and Threat Intelligence Management tools directly into Enterprise Security.
This single unified work surface lets you run searches, tag events and set up automations in one place, and it will be integrated with Cisco Talos following Cisco’s acquisition of Splunk in 2023. What’s more, a Splunk Security Orchestration, Automation and Response (SOAR) integration is also now included, as revealed at Splunk .conf24.
Furthermore, what Splunk previously labelled ‘Correlation Rules’ are now referred to as ‘Findings’, which will be automatically aggregated into ‘Finding Groups’, in a similar way to Risk-Based Alerting (RBA) or Sequence Analysis in the past. You will also be able to see the version history of each finding, so you can identify issues with the analytic logic itself, not just with events.
For more information on Splunk’s feature name changes, you can refer to Splunk’s own blog.
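As an added illustration of the RBA-style aggregation mentioned above (our own toy model, not Enterprise Security code), the Python below rolls individual findings for the same entity into one time-windowed group, carries the rule version that produced each finding, and only marks the group as alert-worthy when the summed risk score crosses a threshold and more than one distinct detection contributed. The findings, detection names, scores, threshold and window are all constructed for the example.

```python
"""Added example (not Enterprise Security code): a toy model of risk-based
aggregation, where findings for one entity are rolled up into a group that
fires on a score threshold. All findings below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def t(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed findings: (time, entity, detection, rule_version, risk_score)
FINDINGS = [
    (t("2024-06-11T10:00:00"), "user:alice", "Excessive failed logins", 3, 20),
    (t("2024-06-11T10:05:00"), "user:alice", "Login from new country", 1, 30),
    (t("2024-06-11T10:20:00"), "user:alice", "Mailbox forwarding rule created", 2, 40),
    (t("2024-06-11T10:02:00"), "host:web02", "Excessive failed logins", 3, 20),
    (t("2024-06-11T14:00:00"), "user:alice", "Excessive failed logins", 3, 20),
]


def _finish(entity, bucket, threshold, min_distinct):
    """Turn one entity's windowed bucket of findings into a finding group."""
    score = sum(f[4] for f in bucket)
    detections = sorted({f[2] for f in bucket})
    # Which rule version produced each finding: lets an analyst tell a logic
    # change in the detection apart from a change in the underlying events.
    versions = {f[2]: f[3] for f in bucket}
    return {
        "entity": entity,
        "start": bucket[0][0].isoformat(),
        "end": bucket[-1][0].isoformat(),
        "finding_count": len(bucket),
        "risk_score": score,
        "detections": detections,
        "rule_versions": versions,
        "fired": score >= threshold and len(detections) >= min_distinct,
    }


def group_findings(findings, window=timedelta(hours=1), threshold=80, min_distinct=2):
    """Roll findings up per entity into time-windowed groups.

    A group fires only when the summed risk score reaches the threshold AND at
    least min_distinct different detections contributed, so one noisy rule
    cannot raise an alert on its own.
    """
    by_entity = defaultdict(list)
    for f in sorted(findings, key=lambda f: f[0]):
        by_entity[f[1]].append(f)

    groups = []
    for entity, items in by_entity.items():
        bucket = []
        for f in items:
            # Start a new bucket once the window since the bucket's first
            # finding has elapsed.
            if bucket and f[0] - bucket[0][0] > window:
                groups.append(_finish(entity, bucket, threshold, min_distinct))
                bucket = []
            bucket.append(f)
        if bucket:
            groups.append(_finish(entity, bucket, threshold, min_distinct))
    return groups


if __name__ == "__main__":
    for g in group_findings(FINDINGS):
        flag = "ALERT" if g["fired"] else "quiet"
        print(f"{flag:5} {g['entity']:10} score={g['risk_score']:3} "
              f"findings={g['finding_count']} detections={g['detections']}")
```

Tuning the threshold and the distinct-detection requirement is where most of the value sits: a single detection repeating (the 14:00 finding for `user:alice`, or the lone finding for `host:web02`) never fires, while three different low-scoring behaviours within an hour do.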
The new Federated Analytics, to accompany Federated Search, utilises real-time searches for external data sources such as Amazon Data Lake, incorporating native Splunk knowledge objects and data model support.
Integration Between AppD, Splunk Enterprise + O11y
Cisco has created a unified observability experience by integrating AppDynamics and Splunk. The initial integrations feature single sign-on (SSO) and contextual deep linking, enabling users to switch swiftly and intuitively between AppDynamics and Splunk during hybrid troubleshooting workflows. This significantly enhances operational productivity, improves mean time to detect (MTTD) and reduces time to remediation (MTTR). SSO provides quick, easy and secure navigation between AppDynamics and Splunk, while context-aware deep linking preserves the troubleshooting context for faster issue resolution. More to follow on this exciting news in the coming weeks, with Somerford offering further details on this integration in our next blog post.
New Product Releases
Whilst still in early access, the new Asset & Risk Intelligence (ARI) product announced at Splunk .conf24 will scan your data to provide continuous asset discovery: telling you which assets you have, updating asset inventories and enriching asset records with software and vulnerability details.
Finally, Agent Management has also been announced, providing a single place to review your entire fleet, allowing you to update Universal Forwarders, check that data is flowing correctly and roll back in case of failure.
There is more to come and we look forward to watching some of the other .conf24 recordings as they are released, but this outlines a few of the key takeaways from .conf in 2024. If you would like to discuss any of these new items with Ben or any of the Somerford team, let us know!