Announcing the Query Splunk App 2.4: What’s New and Improved
Our partner Query AI has just released Query Splunk App 2.4, now available on Splunkbase, and it comes with several exciting updates designed to enhance usability and performance for security data operations. This latest version improves upon the app’s already powerful capabilities, making it easier to conduct federated searches and integrate data from a variety of sources into Splunk without driving up ingestion or compute costs.
Here’s a breakdown of the key updates and features that make this release noteworthy.
Expanding Data Access without the Costs
The Query Splunk App enables organizations to pull data from any connected source—data lakes, warehouses, object storage, or any other platform—without the need to ingest or store this data in Splunk. This federated search functionality is vital for security teams looking to access dispersed data without blowing up their Splunk licenses. Whether it’s security-relevant or observability data, you can now seamlessly extend your Splunk environment’s reach and leverage all your data from various sources.
What’s New in Version 2.4?
The Query Splunk App 2.4 brings several enhancements that focus on usability and performance:
- Embedded Help and Intuitive Searching: To make the app more accessible to new users, the interface now includes embedded help directly in the Splunk console, with drill-down options that guide users through their searches.
- Advanced Federated Search Filters: The new version allows users to fine-tune their searches with expanded filtering capabilities. Users can include or exclude specific event classes in their queries. For instance, filtering by events="system_activity, detection_activity" or excluding events with exclude_events="file_activity" can drastically improve search results and relevance.
- Improved Error Detection: Handling search errors has been made more efficient. The app will now alert users if they mistype commands or apply conditions to mismatched data types. This prevents wasted time and effort by catching mistakes early.
- Example Searches and Schema Updates: Query 2.4 also introduces example searches to help users get up to speed quickly. Additionally, the app has been updated to align with the latest Open Cybersecurity Schema Framework (OCSF 1.3), ensuring data normalization across multiple platforms for better interoperability.
Performance and Scalability
One of the most significant improvements in this release is the enhanced performance. Users experiencing search timeouts or performance lags in earlier versions will find version 2.4 noticeably faster and more responsive. It’s also designed to handle larger datasets, making it ideal for enterprises with vast amounts of distributed data.
Meta-Data Availability at Your Fingertips
Query 2.4 also aims to improve transparency and control by making search metadata more accessible. Users can now quickly see which connectors are configured, what entities (like IP addresses or file hashes) are available for searching, and what events and objects are part of the queryable dataset. This can all be done directly from the Splunk console.
Why Upgrade?
If you’re already using a previous version of the Query Splunk App, upgrading to 2.4 is a no-brainer. The new version not only resolves performance bottlenecks but also provides more control, better error handling, and enhanced support for a broader range of security use cases. Whether you are dealing with complex security investigations or optimizing your threat-hunting workflows, the Query Splunk App 2.4 will undoubtedly streamline your operations.
The new Query Splunk App 2.4 is available now on Splunkbase. To find out more or to start using it today, please contact .