
Releases: gjanders/SplunkAdmins

4.0.1

17 Nov 02:52

New dashboard:

  • heavy_forwarder_analysis - as found in the conf24 presentation PLA1509B

New reports:

  • SearchHeadLevel - Job performance data per indexer handoff time
  • SearchHeadLevel - KVStore collection size
  • SearchHeadLevel - Savedsearches with schedules and no next_scheduled_time

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - search updates
  • AllSplunkEnterpriseLevel - Email Sending Failures - added app context
  • IndexerLevel - These Indexes Are Approaching The warmDBCount limit - added datatype=all argument
  • IndexerLevel - Cold data location approaching size limits - added datatype=all argument
  • IndexerLevel - Unclean Shutdown - Fsck - added datatype=all argument
  • SearchHeadLevel - Peer timeouts or authentication issues - updates to use Splunkd source
  • SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit - excluded summary indexing
  • SearchHeadLevel - Scheduled Searches without a configured earliest and latest time - rewrote search for efficiency
  • SearchHeadLevel - Search Messages user level - search updates
  • SearchHeadLevel - Search Messages admins only - search updates

Updated dashboards:

  • splunk_forwarder_output_tuning - updated comments, removed heartbeatFrequency

Updated macros:

  • search_type_from_sid - minor tweaks to regex

Updated reports:

Also updated the navigation menu.

4.0.0

18 Aug 07:16

  • Merged pull request from sifters relating to replacing comment macro with the triple backtick option introduced in Splunk 8.1. This involved editing many searches to change the format of the comments.

New reports:

  • SearchHeadLevel - configtracker index example2

The version number has moved to 4.0.0 as this change has the potential to introduce issues with the change of comment syntax. I've completed multiple reviews and I believe there should be no broken alerts, but please report them via the "contact the author" option if you find any.

This version removes compatibility with Splunk versions below 8.1 due to the use of the newer comment syntax.

3.0.14

30 Apr 10:19

New reports:

  • SearchHeadLevel - Lookup definitions with no lookup file or kvstore collection
  • SearchHeadLevel - User created kvstore collections
  • SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only
  • SearchHeadLevel - Detect bundle pushes no longer occurring
  • SearchHeadLevel - macros in use
  • SearchHeadLevel - Search Messages user level

Updated reports:

  • SearchHeadLevel - audit.log - lookup usage - added regex as the search field sometimes doesn't auto-extract correctly
  • SearchHeadLevel - Detect lookups that have not being accessed for a period of time - added automatic lookups in
  • SearchHeadLevel - platform_stats access summary - criteria update
  • SearchHeadLevel - Lookup file owners - corrections to ensure that automatic lookups are not included
  • SearchHeadLevel - Search Queries summary non-exact match - minor criteria update

3.0.13

10 Feb 01:56

New reports:

  • IndexerLevel - events per second benchmark
  • IndexerLevel - savedsearches by indexer execution time
  • SearchHeadLevel - indexes per savedsearch
  • SearchHeadLevel - macros in use
  • SearchHeadLevel - Indexes for savedsearch without subsearches
  • SearchHeadLevel - platform_stats.remote_searches metrics populating search 24 hour

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - updated criteria
  • IndexerLevel - RemoteSearches find datamodel acceleration with wildcards - updated regex
  • MonitoringConsole - one or more servers require configuration - changed criteria
  • MonitoringConsole - one or more servers require configuration automated - rewrote the alert
  • SearchHeadLevel - Indexer Peer Connection Failures - updated comments
  • SearchHeadLevel - Detect searches hitting corrupt buckets - updated comments
  • SearchHeadLevel - Users with auto-finalized searches - updated comments
  • SearchHeadLevel - splunk_search_messages dispatch - updated comments
  • SearchHeadLevel - Lookups within savedsearches - corrected URL
  • SearchHeadLevel - Sourcetypes usage from search telemetry data - description update
  • SearchHeadLevel - Jobs endpoint example - updated description
  • SearchHeadLevel - SmartStore cache misses - dashboards - minor update to regex
  • SearchHeadLevel - SmartStore cache misses - combined - minor update to regex
  • SearchHeadLevel - Search Messages field extractor slow - updated comments
  • SearchHeadLevel - Search Messages user level - updated comments
  • SearchHeadLevel - Search Messages admins only - updated criteria and comments

Updated reports:

  • IndexerLevel - RemoteSearches - lookup usage - typo fixed in description
  • IndexerLevel - Report on bucket corruption - updated comments
  • SearchHeadLevel - summary indexing searches not using durable search - corrected REST context
  • SearchHeadLevel - Lookups within savedsearches - corrected REST context
  • SearchHeadLevel - platform_stats.audit metrics users - added v2/v1 endpoints for search/jobs/export
  • SearchHeadLevel - platform_stats.audit metrics api - added v2/v1 endpoints for search/jobs/export
  • SearchHeadLevel - platform_stats.audit metrics users 24hour - added v2/v1 endpoints for search/jobs/export

Updated to use macro splunkadmins_clustermaster_host instead of splunk_server=local:

  • ClusterMasterLevel - Primary bucket count per peer
  • ClusterMasterLevel - excess buckets on master
  • IndexerLevel - ClusterMaster Advising SearchOrRep Factor Not Met

Updated to use macro splunkadmins_restmacro instead of splunk_server=local:

  • IndexerLevel - Indexer replication queue issues to some peers
  • SearchHeadLevel - Alerts that have not fired an action in X days
  • SearchHeadLevel - Accelerated DataModels Access Info
  • SearchHeadLevel - Accelerated DataModels with wildcard or no index specified
  • SearchHeadLevel - authorize.conf settings will prevent some users from appearing in the UI
  • SearchHeadLevel - Data Model Acceleration Completion Status
  • SearchHeadLevel - DataModel Fields
  • SearchHeadLevel - Dashboard refresh intervals
  • SearchHeadLevel - Dashboards using depends and running searches in the background
  • SearchHeadLevel - Dashboards using special characters
  • SearchHeadLevel - Dashboards with all time searches set
  • SearchHeadLevel - Dashboards that may benefit from base or post-process searches
  • SearchHeadLevel - DataModels report
  • SearchHeadLevel - Disabled modular inputs are running
  • SearchHeadLevel - Detect changes to knowledge objects non-directory
  • SearchHeadLevel - EventTypes report
  • SearchHeadLevel - Index access list by user
  • SearchHeadLevel - IndexesPerUser Report
  • SearchHeadLevel - Knowledge bundle status on indexers
  • SearchHeadLevel - Lookup file owners
  • SearchHeadLevel - Lookup CSV size
  • SearchHeadLevel - Macro report
  • SearchHeadLevel - platform_stats.users savedsearches
  • SearchHeadLevel - platform_stats.users dashboards
  • SearchHeadLevel - Saved Searches with privileged owners and excessive write perms
  • SearchHeadLevel - Summary searches using realtime search scheduling
  • SearchHeadLevel - SavedSearches using special characters
  • SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit
  • SearchHeadLevel - summary indexing searches not using durable search
  • SearchHeadLevel - Tags report

Other macro updates:

  • DeploymentServer - Count by application

3.0.12

24 Dec 05:49

New alerts:

  • MonitoringConsole - one or more servers require configuration
  • MonitoringConsole - one or more servers require configuration automated
  • SearchHeadLevel - Peer timeouts or authentication issues

New macros:

  • splunkadmins_macro_sub

New reports:

  • SearchHeadLevel - Datamodel REST endpoint indexes in use
  • SearchHeadLevel - Job performance data per indexer
  • SearchHeadLevel - Jobs endpoint example
  • SearchHeadLevel - configtracker index example

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more criteria
  • SearchHeadLevel - Search Messages user level - more criteria
  • SearchHeadLevel - Search Messages admins only - more criteria

Updated dashboards:

  • splunk_forwarder_output_tuning - to reference NLB/load balanced version of asynchronous forwarding

Updated macros:

  • whataccessdoihave - comments and added srchIndexesDisallowed

Updated reports:

  • SearchHeadLevel - IndexesPerRole Remote Report - comment updates only
  • SearchHeadLevel - Lookup file owners - comment updates only

Alerts added to future removal list:

  • ClusterMasterLevel - Per index status

Updated to use splunkadmins_macro_sub macro:

  • SearchHeadLevel - Dashboards with all time searches set
  • SearchHeadLevel - Scheduled searches not specifying an index macro version
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version other
  • SearchHeadLevel - Search Queries summary exact match
  • SearchHeadLevel - Search Queries summary non-exact match
  • SearchHeadLevel - User - Dashboards searching all indexes macro version

Misc:

  • Added supported themes settings in app.conf to allow the usage of dark theme (for 9.1 enterprise users and above)

3.0.11

08 Nov 22:27

Updated alerts:

  • AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192 - missing parenthesis, thanks Gregg Woodcock
  • IndexerLevel - replicationdatareceiverthread close to 100% utilisation - incorrect macro
  • MonitoringConsole - Crash logs have appeared on the filesystem - incorrect macro, github issue #22, thanks SANSd20

Added lookup file:

  • splunkadmins_indexlist_by_cluster.csv

3.0.10

12 Sep 06:01

Updates:

  • SearchHeadLevel - audit.log - lookup usage - correcting issue #21 (thanks @barrettnet)

3.0.9

11 Sep 04:52

In version 3.0.8 the lookup file splunkadmins_hec_reply_code_lookup.csv was updated based on the gettingsmarter GitHub repo. The updated lookup was created by @jgedeon and additionally includes some health endpoint return codes (as well as those returned by the standard HEC endpoint).

Updated alerts:

  • SplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more criteria
  • SearchHeadLevel - Scheduled Searches That Cannot Run - correcting issue #20 (thanks @barrettnet)

Updated reports:

  • SearchHeadLevel - Search Queries summary exact match - added provenance
  • SearchHeadLevel - Search Queries summary non-exact match - added provenance
  • SearchHeadLevel - audit.log - lookup usage - updated to handle mlspl files as well (apply command)
  • SearchHeadLevel - Lookup file owners - now includes an additional join that can be used if TA-webtools is installed (to improve accuracy/exclude default lookup definitions/files)

New reports:

  • SearchHeadLevel - Detect lookups that have not being accessed for a period of time
  • SearchHeadLevel - Lookup Editor lookup updates
  • SearchHeadLevel - Lookups within dashboards
  • SearchHeadLevel - Lookups within savedsearches
  • SearchHeadLevel - REST API usage via audit.log

3.0.8

28 Aug 02:41

New alerts:

  • SearchHeadLevel - summary indexing searches not using durable search

New macros:

  • indexer_cluster_name without any parameters created as per issue #19 (barrettnet)

New reports:

  • SearchHeadLevel - audit.log - lookup usage
  • SearchHeadLevel - license usage per sourcetype per index
  • SearchHeadLevel - Lookup file owners
  • IndexerLevel - RemoteSearches - lookup usage

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more matching criteria
  • SearchHeadLevel - Scheduled Searches That Cannot Run - as per issue #18 (AHCL1)
  • SearchHeadLevel - SHC Captain unable to establish common bundle - additional exclusion for Splunk 9.0.x

Updated reports:

  • IndexerLevel - platform_stats.indexers totalgb measurement - added * to the end of license_usage.log, updated indexer_cluster_name with parameter as per issue #19 (barrettnet)
  • IndexerLevel - platform_stats.indexers totalgb_thruput measurement - updated indexer_cluster_name with parameter as per issue #19 (barrettnet)
  • SearchHeadLevel - Search Queries summary exact match - removed newlines to improve accuracy
  • SearchHeadLevel - Search Queries summary non-exact match - removed newlines to improve accuracy

Updated recommended links in the nav menu.

3.0.7

29 Jun 02:43

New macros:

  • sysloghosts

New reports:

  • SearchHeadLevel - Knowledge Bundle contents
  • syslog-ng - cache statistics summary - as contributed by Marc Andersen, company: NIL815 ApS

Updated dashboards:

  • splunk_forwarder_output_tuning - added fillnull for ingest_pipe

Updated alerts:

  • AllSplunkLevel - No recent metrics.log data - updated to use prestats
  • AllSplunkLevel - TCP Output Processor has paused the data flow - updated criteria
  • AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192 - now 64,000 (could be renamed in future)
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - updated criteria
  • ForwarderLevel - Splunk universal forwarders with ulimit issues - updated keywords
  • SearchHeadLevel - Scheduled Searches That Cannot Run - excluded the require command
  • SearchHeadLevel - Detect MongoDB errors - updated to use prestats, added _time field
  • SearchHeadLevel - SHC Captain unable to establish common bundle - added new criteria
  • SearchHeadLevel - Search Messages user level - updated criteria