Welcome to Splunk Enterprise 10.0

Splunk Enterprise 10.0 was released on July 28, 2025.

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 10.0

New feature, enhancement, or change Description
Edge Processor service

The Edge Processor solution is a service hosted within your Splunk Enterprise deployment designed to help you manage data ingestion within your network boundaries. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments. For more information, see About the Edge Processor solution.

Updated support for Federal Information Processing Standards (FIPS)

Splunk Enterprise now has updated support for the FIPS Publication #140-2 module and new support for Publication #140-3 module. These modules let you run Splunk Enterprise in FIPS mode to comply with these guidelines.

The updated FIPS 140-2 module that comes with Splunk Enterprise 10.0 is valid until March of 2026. This gives you time to move over to the new FIPS 140-3 module after you upgrade both Splunk Enterprise components and your forwarding tier infrastructure to version 10.

For more information about Splunk Enterprise and FIPS, see Secure Splunk Enterprise with FIPS. For information about upgrading FIPS in Splunk Enterprise, see Best practice for maintaining compliance with FIPS and Common Criteria in your Splunk Enterprise environment.

Support for encryption with mutual transport layer security (mTLS)

Splunk Enterprise now supports the configuration of mTLS for encryption of network connections between Splunk Enterprise instances and services.

OpenSSL version 3.0 support

Splunk Enterprise version 10.0 brings support for OpenSSL version 3.0, which replaces the deprecated OpenSSL version 1.0.2. Additionally, the software is bound to version 3.9 of the Python runtime environment for secure connections to services and APIs.

Fine-grained access to search knowledge objects

Splunk admins now have improved options for assigning permissions to roles for access to knowledge objects. Three new capabilities grant admins increased flexibility in assigning access to the objects and replace the admin_all_objects capability, which was the only option available previously.

For more information on configuring fine-grained access for search knowledge objects, see Configure roles for fine-grained management of saved search objects, owners, and properties.

Sidecars

Sidecars are processes that run alongside the splunkd process to fulfill specific functions. They support introducing new features to the Splunk platform. For example, several sidecars support enhanced data management in the on-premises environment.

Sidecars affect your Splunk Enterprise environment by introducing multiple sidecar processes. Process names of sidecars don't include a splunk prefix.

To learn more about sidecars, see About Splunk sidecars.

Dashboards Trusted Domains List

Admins can add and remove domains using the Dashboards Trusted Domains List page.

To navigate to this page, in the Splunk bar, select Settings > Server settings > Dashboards Trusted Domains List.

To learn more, see Configure Dashboards Trusted Domains List.

Dashboards in the Audit Trail app

Using the Audit Trail app, you can quickly gain insights on security, compliance, and the operation of a Splunk platform instance. The dashboards help you monitor user activities and changes of knowledge objects in real time, based on data from the audit index, index=_audit.

If you notice any issues to troubleshoot or activities to investigate, you can get more details by searching the audit log.

It is a good practice to begin an audit of Splunk platform activity by reviewing the Audit Trail dashboards.

To learn more about the Audit Trail dashboards, see Auditing activities in a Splunk platform instance.

Support for the savedsearch command in standard mode federated searches

You can now use the savedsearch command to run federated searches over remote saved search datasets located on standard mode federated providers. In addition, you can use the savedsearch command's string substitution replacement syntax to replace certain strings in the remote saved search with strings of your design, if the remote saved search string contains replacement placeholder terms such as $replace_me$.

Note: This feature will be a breaking change for users of the savedsearch command, if they use savedsearch to reference local searches with names that begin with the string federated:. With this release, the savedsearch command will treat any search referencing a saved search name that begins with federated: as a federated search.
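A pre-upgrade check for the breaking change described in the note, as an added example that is not Splunk code: it scans the text of a savedsearches.conf file for local saved searches whose names begin with federated: and for searches that call savedsearch with such a name. It assumes one stanza per saved search with the SPL in the search key; the sample configuration is constructed for illustration.

```python
import re

# Constructed sample of a local savedsearches.conf (not from a real deployment).
SAMPLE_CONF = r'''
[federated:weekly_errors]
search = index=main log_level=ERROR | stats count by host

[Errors dashboard base]
search = | savedsearch "federated:weekly_errors" \
| where count > 10

[Login summary]
search = index=_audit action=login* | stats count by user

[Wrapper]
search = | savedsearch login_summary
'''

STANZA_RE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*$')
# A savedsearch invocation whose first argument starts with "federated:".
REF_RE = re.compile(r'\bsavedsearch\s+"?(federated:[^"\s|]+)')


def parse_searches(conf_text):
    """Return {saved_search_name: search_string} from conf text."""
    # A trailing backslash continues a value on the next line; join those first.
    joined = re.sub(r'\\[ \t]*\n', ' ', conf_text)
    searches, stanza = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        match = STANZA_RE.match(line)
        if match:
            stanza = match.group('name')
            searches.setdefault(stanza, '')
        elif stanza and '=' in line:
            key, value = line.split('=', 1)
            if key.strip() == 'search':
                searches[stanza] = value.strip()
    return searches


def audit_federated_prefix(conf_text):
    """List local names and savedsearch references affected by the change."""
    searches = parse_searches(conf_text)
    local_names = sorted(n for n in searches if n.startswith('federated:'))
    references = sorted((name, ref) for name, spl in searches.items()
                        for ref in REF_RE.findall(spl))
    return {'local_names': local_names, 'references': references}
```

Any entry under references is a search that 10.0 will treat as a federated search; entries under local_names are the saved searches to rename before upgrading.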

See the following topics for more information:

Expanded SPL support for standard mode searches in Federated Search for Splunk

Support has been added for the following commands in standard mode federated searches for Federated Search for Splunk:
  • mcollect
  • sendalert
  • sendemail

These commands can now run locally on the federated search head. See SPL commands that run on the federated search head in standard mode.

Email domains enhancement

A new enhancement for the Email Domains setting under Server settings in Splunk Web lets administrators specify whether to allow or deny all email domains, or use email domains in a comma-separated list. The Email Domains setting restricts the email domains to which alert emails can be sent. This prevents users from sending email alerts with search results to any domain, which is a security risk.

If you don't want to use Splunk Web to manage email domains, you can configure the allowedDomainList setting in the [email] stanza in the alert_actions.conf file instead.

OAuth 2.0 support for email server authentication

Splunk Enterprise now supports OAuth 2.0 for SMTP server authentication. This release adds support for Microsoft Exchange Server. For Gmail SMTP server, you can use a Google app password instead of an account password with simple authentication (username/password).

See Configure email notification for Splunk Enterprise.

Splunk Enterprise Python 3.9

Python version 3.7 has been removed from Splunk Enterprise 10.0 and higher. Python 3.9 is the only interpreter available in this release. Confirm that all apps and add-ons are on the latest version and compatible with Python 3.9; otherwise, those applications might break or not function properly with Splunk Enterprise.

Dashboard Studio enhancements

See What's new in Dashboard Studio.

Preview feature: Field filters now support the typeahead and walklex commands

In previous releases of field filters, the typeahead and walklex commands were restricted commands that the Splunk platform turned off by default on indexes with field filters. As of this release, these commands are no longer restricted. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restrict by default (mpreview, mstats, and tstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on any indexes if field filters are in use in the Securing Splunk platform manual.

Preview feature: Field filters are now first in the sequence of search-time operations, which has implications for downstream operations

Field filters have moved to first in the sequence of search-time operations, and are no longer processed fourth in the sequence as in previous releases. Because field filters are processed before all other operations in the sequence, downstream operations that depend on certain field values might break when expected field values are filtered by field filters. See The sequence of search-time operations in the Splunk Platform Knowledge Manager Manual.

If your organization uses the Splunk Common Information Model (CIM) and field filters on the Splunk platform to protect sensitive fields, you should also understand the downstream impact of field filters on data model acceleration (DMA). For more information about the impact of field filters on DMA, see Plan for field filters in your organization in the Securing Splunk platform manual.

Dynamic limit for scheduled searches

Splunk Enterprise 10.0 introduces the dynamic_max_searches_perc setting. This setting allows the search scheduler to automatically adjust the scheduled search concurrency limit (max_searches_perc) based on the ad hoc and scheduled search workload. This feature can reduce search latency, minimize skipped searches, and help you use search capacity more efficiently between ad hoc and scheduled searches.

See Dynamically manage scheduled search concurrency limits.

Effective configuration

This feature lets you view the actual configuration installed on your forwarders without logging into the machines or running btool. This means you no longer need to rely on other teams to access configuration details.

With this feature, you can see the real, active settings applied on forwarders, including all parameter changes in .conf files. It gives you a complete picture of the configuration currently in use. You can download the effective configuration files and open them in a text editor for further analysis.

Bulk Data Move

Bulk Data Move allows Splunk Enterprise users to efficiently reorganize indexes and move data between them using specific search criteria. Easily reclaim storage and manage sensitive information with precision, avoiding the friction of full index removal. Available for Standalone (single instance) deployments only. See Split indexed data in the Manage Indexes and Indexer Clusters manual.

OpenTelemetry Collectors

This feature allows you to view information about OTel Collectors you manage, helping you monitor status of your agents in one place.

You'll see a list of registered OTel Collectors in a table view. You can view more details along with key attributes by selecting an individual agent. This view-only functionality supports better visibility into how your data collection components are operating.

Observability metrics in Dashboard Studio

You can create charts in Dashboard Studio that are based on observability metrics or import an existing Splunk Observability Cloud chart into Dashboard Studio. You can also filter observability-based metrics charts by dimension to look at something more granularly.

See Splunk Observability Cloud metrics in Splunk Cloud Platform.

Preview observability data in the Search app

In a new Related Content panel, you can see previews of Splunk Observability Cloud data and context that are related to an event you are investigating in the Search & Reporting application.

See Preview observability data in the Related Content panel.

View an observability service map in Dashboard Studio dashboards

You can add a service map for services monitored in Splunk Observability Cloud into Dashboard Studio. A service map allows you to see dependencies and connections among your instrumented and inferred services in APM at a glance on the dashboard of your choice in Splunk Cloud Platform. You can then identify performance bottlenecks and error propagation side-by-side with your other charts and graphs.

See Add a Splunk Observability Cloud service map to Dashboard Studio dashboards.

SPL2 module permissions

When you create a module, you are automatically given execute, read, and write permissions on that module. Previously, only users with the admin and power roles were granted these permissions on modules. Permissions for the module owner can't be revoked. You can grant or revoke permissions on the modules that you create. Module permissions are set using the REST API endpoints.

See Modify permissions for modules in the Splunk Enterprise Admin Manual.

Deprecated version 1.0 endpoints for the Search API are now deactivated by default

Select version 1.0 endpoints for the Search API have been deprecated and deactivated, and will be removed in a future release. Customers and app developers should upgrade usage of these deactivated endpoints to the new API version, Search API version 2.0. These new semantically versioned REST API endpoints for search improve platform contracts and resiliency to platform updates.

If your organization has business-critical apps that still need to use the deactivated endpoints, you can turn them on for a limited time as a temporary fix. See Semantic API versioning in the REST API Reference Manual.

Sunsetting of the Upgrade Readiness App

Splunk is ending its support of the Upgrade Readiness App. It will no longer be updated and has been removed from this version of Splunk Enterprise. For more information, see Sunsetting of the Upgrade Readiness App.

Updated alerts page

The alerts page is updated for usability and accessibility.

Note: If you configure a custom alert action with HTML, ensure the HTML doesn't include unsupported or malformed elements. Update your HTML to match the supported custom elements for Splunk Web. For more information, see Create the configuration UI for a custom alert action.

Favorite knowledge objects

Users can now add and remove reports from favorites. Favorites make insights discovery and accessing knowledge objects, such as reports, easier and faster.