We already covered various aspects of Splunk 6.3 in the previous chapters in detail. We saw the implementation of various analytics and visualization along with the features of Splunk 6.3. Splunk recently launched an updated version: Splunk 6.4. In this chapter, we will glimpse at all the new features that have been added in Splunk 6.4 to enable better analytics and visualization. Along with the features, we will also see what all changes have been made in Splunk to make it more scalable, functional, and useful to the users. Splunk 6.4, the latest version of Splunk Enterprise comes packed with new features and customizations. The following are the key features that have been added/improved in Splunk 6.4:
- Storage optimization
- Machine learning
- Management and admin
- Indexer and search head enhancement
- Visualizations
- Multi-search management
- Enhanced alert actions
Splunk 6.4 introduced the new tsidx Retention Policy feature, which allows users to reduce the storage requirements of data available in the cold bucket. The tsidx files are stored under indexers and are responsible for efficient searching in Splunk. Basically, the space taken by historical data available in the cold bucket can be reduced by approximately 50 percent by removing the tsidx indexing information. This can help in saving a lot of money every year that is spent on the storage of old/historical data. This policy can be modified by navigating in the Splunk web interface to Settings | Indexes in Splunk 6.4.