What's new

Learn about what's new in this release of Splunk Cloud Platform.

This page summarizes the new features and enhancements in each release of Splunk Cloud Platform. Use the Version drop-down list to see information for other versions of Splunk Cloud Platform.

The product features deployed in your environment might vary depending on your topology, deployment type, and configuration settings.

Also discover what's new in the following features of Splunk Cloud Platform:

Version 10.4.2604


New feature, enhancement, or change Description

Dashboards resource management

Running auto-refresh searches when viewing dashboards now requires the new auto_refresh_dashboards capability, which Splunk admins can choose to grant to user roles. Admins can also deactivate dashboards as needed. See Manage dashboard resource consumption.
Note: This is a change in default behavior. In earlier Splunk versions, all users could run auto-refresh searches. After upgrade to 10.4, only the admin and sc_admin roles have the auto_refresh_dashboards capability by default. Users with the admin and sc_admin roles will need to assign the capability to other user roles.

New Dashboard Studio custom visualizations framework

Dashboard Studio supports custom visualizations built using the new custom dashboard extension framework for Dashboard Studio, which offers increased flexibility, simplicity, and performance. With the new framework, you can leverage modern libraries compared to the old custom visualizations framework for simple XML dashboards. See Custom visualizations for Dashboard Studio.

Additional new Dashboard Studio features

This release adds various new features for Dashboard Studio, including the following:

AI Canvas in Splunk (Beta)

AI Canvas is a next-generation, AI-powered workspace embedded in the Splunk Platform. It unifies data collection, visualization, and collaboration into a single intuitive surface, enabling analysts and operations teams to accelerate investigations, reduce time to resolution, and boost productivity. AI Canvas empowers all users, regardless of SPL expertise, to explore data, correlate signals, and act on insights faster.

The AI Canvas in Splunk app is deployed to all instances. By default, the app is not accessible since AI Canvas in Splunk is a beta feature. Customers participating in the beta program must complete onboarding requirements to access AI Canvas in Splunk.

Cisco One Look & Feel - Modern Navigation Adoption (GA)

Modern Navigation shifts the traditional top navigation bar to a sleek, side navigation panel complemented by an updated header. Designed to deliver a consistent, accessible experience, Modern Navigation is a part of our overall vision of a cohesive look and feel across Splunk and Cisco products. See Modern navigation UI changes.

Dynamic Data Self Storage (DDSS) on Azure

You can configure Azure Blob Storage as a destination for Dynamic Data Self-Storage (DDSS). Using DDSS on Azure, admins can automatically move expired data from Splunk Cloud Platform indexes to their own managed Azure containers. This helps organizations meet long-term data retention and compliance requirements while maintaining ownership and control of their data lifecycle.

See Configure self-storage in Azure in the Splunk Cloud Platform Admin Manual.

SHA-1 Certificate Support Removed

As of Splunk platform 10, SHA-1 certificates are no longer supported. Customers will need to apply new certificates not using this standard. The Splunk Cloud Monitoring Console and Splunk Enterprise Monitoring Console have previously been updated to report on SHA-1 related warnings and errors raised by the Splunk platform, and customers can continue to use these tools to navigate the change.

Unified dataset administration for Federated Search over Amazon S3, Azure, and more

If you run federated searches over datasets in customer-managed data lakes such as Amazon S3, Azure Blob Storage, and Azure Data Lake Storage, you can now take advantage of a simplified setup experience in the Data Management app that enables consistent setup and reuse for data routing to and federated search of remote datasets. Multiple options are provided for schema configuration with automatic inference, manual schema input, and external catalog connection.

See Overview of Federated Search for Amazon S3.

Federated Search for Amazon S3 in the Data Management app

Federated Search for Amazon S3 has moved to the Data Management app, providing a next-generation federation experience that will empower your organization to centralize, standardize, and analyze stored data at scale while harnessing the cost and operational advantages of Amazon S3's cloud data lake. Just as with the previous version of Federated Search for Amazon S3, you can run threat detections, investigations, dashboards, and ad hoc searches on both Splunk and external data, without data movement or costly ingestion.

In addition, Federated Search for Amazon S3 users can now run their searches with the full benefit and utility of the SPL2 query language.

See Overview of Federated Search for Amazon S3.

Federated Search for Microsoft Azure and Federated Search for Azure Databricks (Controlled Availability)

In this release we're expanding the footprint of our federated search support to Azure. With Federated Search for Microsoft Azure, you can run federated searches directly over data that you store in Azure Blob Storage or Azure Data Lake Storage containers. With Federated Search for Azure Databricks, you can run federated searches over data in Azure Databricks Delta tables that you store remotely in Unity Catalog. Go to the Data Management app to set up both of these federated search offerings.

See About Federated Search for Microsoft Azure and About Federated Search for Azure Databricks.

App context for Federated Search for Splunk in standard mode

The new update for the app context for Federated Search for Splunk in standard mode introduces a more flexible approach to managing application contexts that gives users a more intuitive experience and simplifies how search contexts are handled. This update allows the federated provider to align with the application context of the search performed on the local federated search head; by default, Splunk platform on standard mode federated providers reflects the context of the user's local search environment.

This update includes a new useAppContextFromSearch parameter for the Splunk REST API data/federated/provider/{federated_provider_name} endpoint. For more information about this new parameter, see Federated search endpoint descriptions in the REST API Reference.

Provider-based Search Targeting with Role-Based Access Control (RBAC) for Federated Search for Splunk

Enhanced Provider Control for Federated Search for Splunk

The new enhancements for Federated Search for Splunk in transparent mode provide administrators and end users with unprecedented control over how data is searched across distributed Splunk environments. These updates ensure that your search operations are more efficient, secure, and tailored to your specific organizational needs.

Federated Search for Splunk allows you to run searches across multiple remote Splunk deployments as if the data were local. In transparent mode, the federated search head acts as a seamless proxy and simplifies the user experience by abstracting the complexity of the underlying remote infrastructure.

1. Targeted provider routing

You can now direct federated searches to specific providers with greater precision:

  • User-directed targeting: End users can now explicitly define which federated or remote providers they want to include in their searches, which means that resources are only utilized as necessary.
  • Default provider lists: Administrators can configure a default list of providers. If a user does not specify a provider in their search string, the system automatically routes the search to these pre-defined, relevant providers, which maintains a streamlined workflow.

2. Role-Based Access Control (RBAC) for providers

Control over security and governance is now more granular. With the introduction of a new UI-based configuration, administrators can define access controls for individual providers. Now you can specify a default list of providers in the new Providers tab on a role to restrict which roles have the authority to search specific providers, so sensitive data remains accessible only to authorized users.

Benefits

  • Optimized performance: By allowing users to target specific providers or defaulting to a curated list, you eliminate unnecessary broadcast traffic. This reduces system overhead and significantly improves search response times across your federated environment.
  • Enhanced security and compliance: With new RBAC capabilities, you can enforce strict data governance. By limiting provider access based on user roles, you minimize the risk of unauthorized data exposure and ensure compliance with internal security policies.
  • Improved user experience: These features simplify the search process by reducing complexity for end users, while providing administrators with the tools needed to manage a large-scale, multi-deployment environment effectively.

For more information, see:

Role-based Access for Federated Search for Splunk REST APIs

Enhanced security controls are now available for Federated Search for Splunk REST API endpoints, introducing granular, role-based access control (RBAC). Previously, authenticated users could view all federated providers, indexes, and settings. This update shifts access logic to the handler level, ensuring that users only see the resources they are explicitly authorized to access.

Administrators can now enforce precise permissions for individual users, preventing unauthorized information disclosure and ensuring that sensitive infrastructure details remain protected. New specific capabilities have been introduced to manage these permissions effectively, replacing the need for broad, global access. These changes strengthen your security posture and support stricter internal governance, providing a more secure and compliant environment for your Federated Search operations.

The following new capabilities for Federated Search for Splunk are now available in this release:

  • edit_federated_indexes
  • edit_federated_providers
  • list_federated_providers

For more information, see the Table of Splunk Enterprise capabilities in Securing the Splunk Platform.

Federated Search for Splunk Transparent Mode Support for IPv6 in Search Head Clusters

Federated Search for Splunk in transparent mode now supports bundle replication to any remote peer within a search head cluster, eliminating the need for direct network access to the remote search head captain. This enhancement enables support for IPv6 environments, such as Microsoft Azure, and configurations where a load balancer serves as the remote gateway.

New settings for disabling Splunk Web's Custom REST Endpoints and Custom Mako Templates

Two new settings have been added to the [feature:appserver_security] stanza of web-features.conf that admins can use to disable the following Splunk Web features:

  1. Custom REST Endpoints on the Splunk Web (not Splunk Core) platform can be disabled by setting disable_custom_cherrypy_controllers to true (default: false).
  2. Custom Mako Templates shipped by apps (not default templates shipped with Splunk Web) can be disabled by setting disable_custom_mako_templates to true (default: false).

While the behavior does not change in Splunk platform 10.4, these settings have been added to support a future deprecation effort for both of the above features.
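To see which apps the two settings would affect, the following added example (not Splunk code) inventories an extracted apps directory and groups the files by the setting that would disable them. It assumes the conventional app layout, with custom controllers under appserver/controllers and Mako templates under appserver/templates; the demo tree and its app names are constructed.

```python
import os
import tempfile

# Settings named in the release note (web-features.conf):
#   [feature:appserver_security]
#   disable_custom_cherrypy_controllers = true
#   disable_custom_mako_templates = true
# Assumption: each setting maps to one subdirectory of <app>/appserver/.
AFFECTED = {"disable_custom_cherrypy_controllers": ("controllers", ".py"),
            "disable_custom_mako_templates": ("templates", "")}

def list_files(base, suffix):
    """Relative paths under base ending in suffix; an absent directory yields []."""
    found = []
    for root, _dirs, names in os.walk(base):
        for name in names:
            if name.endswith(suffix) and name != "__init__.py":
                found.append(os.path.relpath(os.path.join(root, name), base))
    return sorted(found)

def inventory(apps_dir):
    """Map app name -> {setting: [files that setting would disable]}."""
    report = {}
    for app in sorted(os.listdir(apps_dir)):
        hits = {}
        for setting, (subdir, suffix) in AFFECTED.items():
            files = list_files(os.path.join(apps_dir, app, "appserver", subdir), suffix)
            if files:
                hits[setting] = files
        if hits:
            report[app] = hits
    return report

def demo():
    """Build a constructed two-app tree in a temp directory and inventory it."""
    layout = ("legacy_app/appserver/controllers/proxy.py",
              "legacy_app/appserver/templates/setup.html",
              "modern_app/default/app.conf")
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return inventory(root)
```

Apps that appear in the report are the ones to review with their developers before either setting is turned on.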

Modernize Field administration pages

Splunk field administration pages will update to the latest UI components and libraries, providing a modernized and consistent look and feel with the Splunk platform.

Independent client-side TLS certificate configuration for KV Store

In response to public CA policy changes that drop the Client Authentication EKU from default TLS certificates, Splunk now supports independent KV Store client-side TLS configuration through a new [kvstoreSslClientConfig] stanza, allowing separate client and server certificates for KV Store mutual TLS.

Available in Splunk Enterprise 10.4 and applicable for Splunk Enterprise 9.4.10, 10.0.5, and 10.2.2, and Splunk Cloud 10.2.2510.8 and 10.0.2503.13.

In 10.4 only: [kvstore] SSL settings are now evaluated per field; partial configurations previously ignored may now apply and should be reviewed before upgrade.

Deprecating TLS 1.0 and TLS 1.1 and removing default support

The Splunk platform is now disabling support by default for TLS 1.0 and TLS 1.1. These protocols remain available should customers require them for migration purposes, but will be completely removed in a future release. TLS 1.2 support remains unchanged and enabled by default alongside the newly-introduced TLS 1.3 support.
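An added example, not part of the Splunk documentation: this Python check expands each explicit sslVersions or sslVersionsForClient value in a .conf file and flags stanzas that still select TLS 1.0 or TLS 1.1. The keyword expansion ("*", "tls", a "-" prefix, applied left to right) and the sample stanzas are assumptions.

```python
import configparser

DEPRECATED = {"tls1.0", "tls1.1"}
# Assumption: keyword meanings follow the sslVersions description in the Splunk
# .conf spec files ("*" = every version, "tls" = all TLS versions, "-x" removes x).
VERSIONS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]
SETTINGS = ("sslVersions", "sslVersionsForClient")

# Constructed sample combining stanzas from several .conf files; not real output.
SAMPLE_CONF = """
[sslConfig]
sslVersions = tls1.2

[SSL]
sslVersions = *,-ssl3

[tcpout:legacy_indexers]
sslVersions = tls, -tls1.0
"""

def effective_versions(value):
    """Expand an sslVersions list, applying tokens left to right."""
    enabled = set()
    for token in (part.strip().lower() for part in value.split(",")):
        name = token.lstrip("-")
        if name == "*":
            group = set(VERSIONS)
        elif name == "tls":
            group = {v for v in VERSIONS if v.startswith("tls")}
        else:
            group = {name} if name else set()
        enabled = enabled - group if token.startswith("-") else enabled | group
    return enabled

def audit(conf_text):
    """Return [(stanza, setting, deprecated versions still selected)]."""
    parser = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        for setting in SETTINGS:
            if parser.has_option(stanza, setting):
                hits = effective_versions(parser.get(stanza, setting)) & DEPRECATED
                if hits:
                    findings.append((stanza, setting, sorted(hits)))
    return findings
```

Each finding names a stanza whose peers should be confirmed to negotiate TLS 1.2 or later before the explicit value is tightened.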

Upgrade Splunk Python version from 3.9 to 3.13

Python 3.13 will become the default Python interpreter, with Python 3.9 as fallback.

Identity enablement in support of AI Canvas Beta

In order to onboard customers to participate in the AI Canvas Beta, missing customer data will be collected. After that is done, the AI Canvas experience will be supported through secure identity integration and Splunk RBAC enforcement.

Upgrading the backend database for KV Store and KV Service to MongoDB 8.0

The Splunk 10.4 release will not include the old, unsupported MongoDB versions from 4 to 6. If you're running Splunk 9.x or below, upgrade to Splunk 10.0 or Splunk 10.2 first, because a direct update from MongoDB 4.x or MongoDB 6.x to MongoDB 8 is unsupported. If you're on Splunk 10.x, no action is needed, as the upgrade to MongoDB 8 will happen automatically with the Splunk upgrade.

Unified entrypoint to Data Management experiences

Splunk Cloud now provides a Data Management app that serves as a hub to various data management experiences with a common navigation menu for easier access and a consistent look and feel. You can now configure inputs, monitor ingestion health, or manage federated connections and datasets from one location.

On eligible stacks the landing page provides quick access to Edge Processor and Ingest Processor through a “Data Management processing” button that replaces the “Data Management experience” button previously available in the Settings drop-down.

Config API Foundations

Phase 1 delivers a stable, API-first foundation for configuration management, providing OpenAPI-defined CRUD endpoints for configuration stanzas and keys. This enables programmatic access, automation, and tooling integration, laying the groundwork for future validation, governance, and policy capabilities.

Support for post-quantum cryptographic algorithms

Splunk is releasing support for a set of algorithms based on Kyber, Dilithium, and SPHINCS+ to meet the requirements laid out in FIPS 203, 204, and 205 and to protect customers from future quantum threats to cryptography.

TLS 1.3 support

The Splunk platform now supports TLS 1.3 (alongside TLS 1.2) for all public-facing connections, enhancing security with stronger encryption, eliminating outdated cipher suites, and delivering better performance and efficiency. TLS 1.3 will be enabled by default alongside TLS 1.2.