Several output optimizations have been introduced in Splunk Enterprise 9.1 and Splunk Cloud 9.0.2303. The changes affect only new destinations.

These behaviors are:

• Events are delimited with a new line.
• Index-time fields are output automatically.
• Compression type is set to "gzip".
• S3 batch size is set to 128 MB (131072 KB).

These settings are turned on by default but can be turned off in the UI.

In addition:

• A raw option is now available for JSON output. It gives you full flexibility to output events in whatever form you want.
• The ingest actions feature outputs a new default field "index". It only outputs the field if you explicitly set an index with the Set Index rule.