Welcome to Splunk Enterprise 10.2

Splunk Enterprise 10.2 was released on January 15, 2026.

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 10.2

New features for Splunk Enterprise 10.2.

New feature, enhancement, or change Description
Preview Update 2 feature: Field filters are now available by default, and now protect sensitive fields in searches that use the tstats command

To protect your personally identifiable information (PII) and protected health information (PHI) data, and meet data privacy requirements such as the General Data Protection Regulation (GDPR) or other privacy regulations, you can use field filters in the Splunk Platform to limit access to your sensitive data. Field filters let you limit access to confidential information by redacting or obfuscating fields in events within searches, with optional role-based exemptions. For more information about field filters, see Protect PII, PHI, and other sensitive data with field filters and Plan for field filters in your organization.

With the Preview Update 2 release:
  • Field filters are now visible for customer use by default, which eliminates the requirement for administrators to turn on the feature by configuring the limits.conf and web-features.conf files.
  • Field filters now provide native support for the tstats command and the tstats command can now be used without restrictions on indexes protected by field filters.

READ THIS FIRST: Should you deploy field filters in your organization? Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone.

If your organization uses downstream configurations, such as accelerated data models, Splunk Enterprise Security (ES) detections using those data models, and user-level search-time field extractions, make sure that you plan around the implications of field filters on those configurations before deploying field filters in your environment. See READ THIS: Downstream impact of field filters.

If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restrict by default (mpreview and mstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Parquet format for data sent to Amazon S3 from Edge Processor

When sending data from an Edge Processor to Amazon S3, you can now choose to store the data as parquet files.

See Send data from Edge Processors to Amazon S3 for more information.

Edge Processor on Splunk Enterprise operating system version support

Due to updates in Splunk Enterprise 10.2 that address CVEs, breaking changes have been made to the operating systems supported by Edge Processor on Splunk Enterprise:
  • Amazon Linux 2 is no longer supported.

  • CentOS 7 is no longer supported.

  • Debian 10 and 11 are no longer supported. Debian 12 and higher are now supported.

  • Red Hat Enterprise Linux (RHEL) 8.0 is no longer supported. RHEL 9.0 and higher are now supported.

  • Rocky Linux 9 and higher are now supported.

  • SUSE Linux Enterprise 15.0 is no longer supported. SUSE Linux Enterprise 15.0 SP6 and higher are now supported.

  • Ubuntu 20.04 LTS is no longer supported. Ubuntu 24.04 LTS is now supported.

Users running their data management control plane and edge processors on any non-supported operating systems must upgrade to a supported version of that operating system before upgrading their data management control plane to Splunk Enterprise 10.2 to avoid any data loss from their edge processors. Other Splunk Enterprise deployment components outside of your data management control plane are not impacted by this change. See Installation requirements in the Use Edge Processors for Splunk Enterprise manual for a list of supported operating systems.

Edge Processor on Splunk Enterprise support for JSON array format as input

Edge Processor on Splunk Enterprise now supports JSON array format as input. With this enhancement, the input can be a JSON array enclosed in square brackets, with the objects inside it separated by commas.

For more information, see Get data into an Edge Processor using HTTP Event Collector.

Edge Processor on Splunk Enterprise monitoring dashboards

The Edge Processor on Splunk Enterprise solution now includes an updated user interface that allows you to quickly visualize the metrics and health of your Edge Processors. View the inbound and outbound data volume of each pipeline, and the logs of your Edge Processors, for different lengths of time.

Use Edge Processor monitoring dashboards to understand the health of your Edge Processors. Visualize the flow of data into destination queues and check pipeline connections.

Support for OAuth 2.0 for third-party and external applications

Customers can easily and securely authenticate their third-party applications using the standardized processes and workflows offered through version 2 of the Open Authorization (OAuth 2.0) protocol. Administrators can now configure OAuth 2.0 for use with products like Data Analytics and User Behavior Analysis (UBA) tools to connect to the Splunk platform through REST APIs, so end users can get data and insights, make decisions faster, and turn data into doing. See Configure an external Open Authorization 2.0 authorization server.

Improvements to O11y Metrics & Charts in Splunk Dashboard Studio

Users can leverage observability application service map views in both published and exported dashboards, and benefit from incremental improvements and bug fixes to the Splunk Observability Cloud metrics and charts feature in Splunk Dashboard Studio. See Add a Splunk Observability Cloud service map to Dashboard Studio dashboards.

Splunk AI Assistant for SPL in the Search app is now available in Splunk Enterprise

Splunk AI Assistant for SPL is now available in the Search app for hybrid on-premises Splunk platform deployments. The Splunk AI Assistant helps users generate, explain, and translate SPL using natural language. This generative AI-powered experience is designed to support both new and advanced users by providing query suggestions, detailed explanations, and direct access to Splunk platform documentation. The AI assistant enables faster onboarding, improved productivity, and more effective investigations.

The Splunk AI Assistant for SPL app version 1.3.2 or higher must be installed before you can use the AI Assistant in searches in Splunk Web.

To learn more, see Use Splunk AI Assistant for SPL in the Search app.

Remove Node.js

Splunk previously announced the deprecation of Node.js and is now removing it. Customers using apps that depend on Node.js will need to update their apps to bundle their own version of Node.js. Failure to do so may result in app/TA functionality degradation and unexpected behavior.

SPL2

SPL2 extends the existing SPL language by incorporating several powerful features. These features simplify data access and analysis while also providing support for complex investigations and data management workflows. With SPL2, you can write searches using either SPL or SQL syntax. This simplifies learning and using the language, and adds consistency to the language.

SPL2 is a unified search and streaming language, offering a single syntax for searching data in Splunk indexes, accessing federated data stores, and preparing data in-stream across various Splunk products. SPL2 is fully compatible, and can operate in parallel, with SPL.

For information about what's new, known issues, and fixed issues, see SPL2 release notes in the SPL2 Overview manual.

Federated provider names are now case-insensitive

As of this release, federated provider names are case-insensitive for Federated Search for Splunk.

For example, say you have a provider named MyProvider and you try to create a new provider with a Provider name of myprovider. In this instance, Splunk software prevents you from creating the new provider until you choose a Provider name that is unique, regardless of alphabetical character case.

Note: If you are upgrading from a previous version of the Splunk platform, this might be a breaking change. If you have two or more federated providers in your Splunk platform deployment with names that differ only by case (such as one named MyProvider and another named myprovider), you must change the duplicate provider names to unique strings.

There are two ways to accomplish this:

  • You can delete and recreate the federated providers with duplicate names.

  • If you have access to the .conf files for your Splunk platform deployment, you can edit the duplicate federated provider names directly in federated.conf. You cannot edit federated provider names in Splunk Web.

If you choose to not delete or replace duplicate provider names, Splunk software uses the first name that appears in federated.conf. For example, if the MyProvider stanza appears before the myprovider stanza in federated.conf, Splunk software references only the MyProvider stanza when it receives any version of the string "myprovider".
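Before upgrading, it is worth checking federated.conf for provider names that differ only by case, since after the upgrade only the first such stanza is honored. The following pre-upgrade check is an added example, not Splunk's own tooling; it assumes provider stanzas are written as [provider://&lt;name&gt;] and runs against a constructed sample of the file.

```python
import re

# Constructed sample federated.conf content (not taken from the release notes):
# two providers whose names differ only by case, plus a distinct third one.
SAMPLE_FEDERATED_CONF = """\
[provider://MyProvider]
type = splunk
ip = remote-a.example.com

[provider://myprovider]
type = splunk
ip = remote-b.example.com

[provider://OtherProvider]
type = splunk
ip = remote-c.example.com
"""

STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PROVIDER_PREFIX = "provider://"  # assumption: provider stanzas use this prefix


def provider_stanzas(conf_text):
    """Return federated provider names in the order their stanzas appear."""
    names = []
    for line in conf_text.splitlines():
        match = STANZA_RE.match(line)
        if match and match.group(1).strip().startswith(PROVIDER_PREFIX):
            names.append(match.group(1).strip()[len(PROVIDER_PREFIX):])
    return names


def find_case_collisions(conf_text):
    """Group provider names case-insensitively and keep only the groups with
    more than one member. Each list is in file order, so its first entry is
    the stanza Splunk software would use after the upgrade."""
    groups = {}
    for name in provider_stanzas(conf_text):
        groups.setdefault(name.lower(), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def report(conf_text):
    """Print which duplicate names need renaming; returns the collision map."""
    collisions = find_case_collisions(conf_text)
    for key, names in collisions.items():
        print(f"{key}: {', '.join(names)} -> '{names[0]}' wins; rename the others")
    return collisions


if __name__ == "__main__":
    report(SAMPLE_FEDERATED_CONF)
```

Run it against your own file with `report(open("/path/to/federated.conf").read())` and rename every provider listed after the first one in each group.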

SPL2 support for Dashboard Studio

In Dashboard Studio, you can use SPL2 data sources in dashboards by doing one of the following:
  • Create an SPL2 query from within a dashboard

  • Reference an existing view from an SPL2 module

See Create search-based visualizations with SPL2.

Other Dashboard Studio enhancements

See What's new in Dashboard Studio.

Ingest-Tier Scaling

Ingest-Tier Scaling delivers high-throughput, scalable data ingestion for self-managed Splunk deployments, enabling customers to handle larger data volumes with improved resilience, operational efficiency, and clearer separation of ingest and indexing tiers. See Ingest-Tier Scaling.

Bulk Data Movement between Indexes: Clustering

Bulk Data Move allows Splunk Enterprise users to efficiently reorganize indexes and move data between them using specific search criteria. Reclaim storage and manage sensitive information without requiring full index removal. Available only in non-SmartStore clustered environments. See Bulk Data Move for indexer clusters.

Effective configuration of OTel Collectors

We have enhanced the visibility and management of OpenTelemetry (OTel) Collector agent configurations within the Splunk platform. Now you can view the complete, active configuration for each OTel Collector agent that communicates using OpAMP (Open Agent Management Protocol).

For more information, see Effective configuration of OTel Collectors.

Agents lookup

To improve performance when managing a large number of agents, we have introduced the agents lookup feature for the agent management user interface. When enabled, this feature significantly reduces UI load times by retrieving agent data from a cached CSV lookup file generated by a saved search, instead of querying the index directly for every interaction.

For more information, see Agents lookup.

Agent management UI/UX enhancements

To improve the admin experience, we have enhanced the agent management user interface and user experience. Forwarders and OpenTelemetry management are now unified into a single-stop console, and an automated wizard has been introduced for simplified server class creation.

Destination configuration on agent management

You can now configure S3 and file system destinations directly from agent management, and these changes will automatically be propagated to your connected agents. To maintain consistency, always configure destinations from agent management. This feature requires agent management version 10.2 or higher, while there is no version restriction for compatible agents. You can enable or disable this feature using the enableS3ConfigOnDs flag in the limits.conf file.

For more information, see Create an S3 destination.

Queued ad hoc search quotas

This feature introduces configurable limits on the number of ad hoc searches that Splunk software can queue at both the system level and the role level. These limits are designed to prevent unbounded queuing of ad hoc searches, which can negatively impact system performance and resource utilization. For more information, see Create and manage roles in Splunk Enterprise using authorize.conf.

TLS verification for inter-sidecar communication

To enhance security, each sidecar uses a server data plane certificate when communicating with other sidecars through the direct port of the destination sidecar. Over a Transport Layer Security (TLS) connection on the direct port, the connecting sidecar verifies the certificate of the destination sidecar to ensure a trusted connection.

For more information, see Inter-sidecar communication.

Using Nascent to ensure correct configuration on search head clusters

The Nascent sidecar ensures that the etcd service runs with the correct configuration on each search head in the cluster. By managing the etcd cluster, it provides consistent configuration and service discovery throughout the cluster. This sidecar is necessary for the proper functioning of the Storage sidecar due to its dependency on etcd.

For more information, see About the Nascent sidecar.

Audit Trail Log v2: structured audit log format

The structured format of audit trail logs, also known as Audit Trail Log v2, complies with the Common Information Model (CIM). It uses JSON, which makes logs easier to parse and interpret. Audit Trail Log v2 includes comprehensive metadata, making it suitable for compliance purposes. This is the first phase in delivering Splunk Idea E-I-49.

To learn about this format, see About structured audit trail logs.

Python 3.13 is available on an opt-in basis

You can opt in to use Python 3.13 instead of Python 3.9. Splunk platform still uses Python 3.9 by default, but Splunk Web uses Python 3.13 only.

To learn how to switch between Python versions, see Python compatibility in Splunk apps.

KV store server version 8.0 is available

Upgrade to KV store server version 8.0. Splunk Enterprise 10.2 still supports KV store server version 7.0, but this server version will be removed in future versions of Splunk Enterprise.

To learn how to upgrade your KV store server version, see Upgrade the KV store server version.

Run Splunk Enterprise without the root option

Splunk Enterprise no longer runs as root by default. To start, stop, or restart Splunk Enterprise as root, append --run-as-root to the command.

Monitoring Console Overview Dashboard (beta) redesign

The Overview (beta) dashboard has been updated for improved user experience and efficiency. The dashboard provides a summary of your deployment's most important metrics:
  • View a summary of your deployment's license entitlements and understand your resource usage with status indicators for each license entitlement metric.
  • Personalize your dashboard and choose the metrics that are most important to your users.
  • Access action items such as Refresh and Open in search in each metric's ellipses menu.
  • Provide feedback to the Splunk MC team using the Feedback button.
  • Monitor forwarders and get alerts when forwarders are missing.

To learn more about the Overview (beta) dashboard, see Overview Dashboard.