New reports:

- `SearchHeadLevel - Lookup definitions with no lookup file or kvstore collection`
- `SearchHeadLevel - User created kvstore collections`
- `SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs`

Updated alerts:
- `AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only`
- `SearchHeadLevel - Detect bundle pushes no longer occurring`
- `SearchHeadLevel - macros in use`
- `SearchHeadLevel - Search Messages user level`

Updated reports:
- `SearchHeadLevel - audit.log - lookup usage` - added regex as the search field sometimes doesn't auto-extract correctly
- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time` - added automatic lookups in
- `SearchHeadLevel - platform_stats access summary` - criteria update
- `SearchHeadLevel - Lookup file owners` - corrections to ensure that automatic lookups are not included
- `SearchHeadLevel - Search Queries summary non-exact match` - minor criteria update

Author: gjanders

.github/workflows/action.yml

@@ -0,0 +1,17 @@
+# This is a basic workflow to generate build
+name: "Generate build, run app inspect and update splunklib"
+
+on: push
+
+jobs:
+  pre-release:
+    name: "Run on push - Add Utilities & App Inspect"
+    runs-on: "ubuntu-latest"
+
+    steps:
+      - uses: VatsalJagani/splunk-app-action@v4
+        with:
+          my_github_token: ${{ secrets.MY_GITHUB_TOKEN }}
+          splunkbase_username: ${{ secrets.SPLUNKBASE_USERNAME }}
+          splunkbase_password: ${{ secrets.SPLUNKBASE_PASSWORD }}
+          to_make_permission_changes: true

README.md

@@ -324,10 +324,60 @@ The following ideas relate to this issue:
 - `SearchHeadLevel - Search Queries summary non-exact match`
 - `SearchHeadLevel - Dashboards using depends and running searches in the background`
 
+## Other notes
+### search_id's
+The macro search_type_from_sid attempts to determine the search "type" based on id and this worked quite well in older versions.
+There are many variations which the macro doesn't show as they are effectively ad-hoc searches in my understanding, these include:
+- md_ for metadata searches
+- ta_ for typeahead searches
+- sd_ (appears to be another kind of ad-hoc search)
+-  rt_ for realtime search
+
+In 9.1.3 the search_id pattern appears to have changed, or at least I didn't notice this change in 9.1.3, now there are search id's that start with:
+- deep-dive-
+- degraded-entities
+- episode-review-
+- event_management_query
+- health-score-tile-search
+- health-score-tree-base
+- kpi-health-score-sparklines
+- notable-events-search
+- service-health-score
+- side-kpi-table
+- single-thresholding-preview
+- common-fields-search
+- event-management-detail
+- get-block-listed-fields
+- impact-services-search
+- time-variant-preview
+- trending-ad-analysis
+- trending-ad-mad-analysis
+
+These are appear to be from premium apps but it does imply that there is a mechanism to customize the search_id's...
+
 ## Feedback?
 Feel free to open an issue on github or use the contact author on the SplunkBase link and I will try to get back to you when possible, thanks!
 
 ## Release Notes
+### 3.0.14
+New reports:
+- `SearchHeadLevel - Lookup definitions with no lookup file or kvstore collection`
+- `SearchHeadLevel - User created kvstore collections`
+- `SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs`
+  
+Updated alerts:
+- `AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only`
+- `SearchHeadLevel - Detect bundle pushes no longer occurring`
+- `SearchHeadLevel - macros in use`
+- `SearchHeadLevel - Search Messages user level`
+
+Updated reports:
+- `SearchHeadLevel - audit.log - lookup usage` - added regex as the search field sometimes doesn't auto-extract correctly
+- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time` - added automatic lookups in
+- `SearchHeadLevel - platform_stats access summary` - criteria update
+- `SearchHeadLevel - Lookup file owners` - corrections to ensure that automatic lookups are not included  
+- `SearchHeadLevel - Search Queries summary non-exact match` - minor criteria update
+
 ### 3.0.13
 New reports:
 - `IndexerLevel - events per second benchmark`
@@ -355,7 +405,6 @@ Updated alerts:
 - `SearchHeadLevel - Search Messages user level` - updated comments
 - `SearchHeadLevel - Search Messages admins only` - updated criteria and comments
 
-
 Updated reports:
 - `IndexerLevel - RemoteSearches - lookup usage` - typo fixed in description
 - `IndexerLevel - Report on bucket corruption` - updated comments

default/app.conf

@@ -14,7 +14,7 @@ supported_themes = light,dark
 [launcher]
 author = Gareth Anderson
 description = Alerts and dashboards as described in the Splunk 2017 conf presentation How did you get so big?
-version = 3.0.13
+version = 3.0.14
 
 [package]
 id = SplunkAdmins

default/data/ui/nav/default.xml

@@ -309,6 +309,7 @@
                         <saved name="SearchHeadLevel - Search Queries summary exact match" />
                         <saved name="SearchHeadLevel - Search Queries summary exact match by user" />
                         <saved name="SearchHeadLevel - Search Queries summary exact match by index" />
+			<saved name="SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs" />
 			<saved name="SearchHeadLevel - Sourcetypes usage from search telemetry data" />
 			<saved name="SearchHeadLevel - Searches by search type" />			
                         <saved name="SearchHeadLevel - IndexesPerUser Report" />
@@ -419,6 +420,8 @@
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Splunk%20login%20attempts%20from%20users%20that%20do%20not%20have%20any%20LDAP%20roles">Splunk login attempts from users that do not have any LDAP roles</a>
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20authorize.conf%20settings%20will%20prevent%20some%20users%20from%20appearing%20in%20the%20UI">SearchHeadLevel - authorize.conf settings will prevent some users from appearing in the UI</a>
 			<saved name="SearchHeadLevel - Knowledge Bundle contents" />
+			<saved name="SearchHeadLevel - Lookup definitions with no lookup file or kvstore collection" />
+			<saved name="SearchHeadLevel - User created kvstore collections" />			
 		        <a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20summary%20indexing%20searches%20not%20using%20durable%20search">SearchHeadLevel - summary indexing searches not using durable search</a>			
 		</collection>	
 		<collection label="Quotas">			
@@ -449,6 +452,7 @@
                         <saved name="SearchHeadLevel - Detect changes to knowledge objects directory" />
                         <saved name="SearchHeadLevel - Detect changes to knowledge objects non-directory" />
 			<saved name="SearchHeadLevel - Lookup updates within SHC" />
+			<saved name="SearchHeadLevel - Lookup definitions with no lookup file or kvstore collection" />
 			<saved name="SearchHeadLevel - indexes per savedsearch" />
 			<saved name="SearchHeadLevel - macros in use" />
                         <saved name="SearchHeadLevel - SHC conf log summary" />
@@ -459,6 +463,7 @@
 			<saved name="SearchHeadLevel - Detect lookups that have not being accessed for a period of time" />
 			<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
 			<saved name="SearchHeadLevel - REST API usage via audit.log" />
+			<saved name="SearchHeadLevel - User created kvstore collections" />
                         <saved name="IndexerLevel - RemoteSearches find all time searches" />
 			<saved name="IndexerLevel - RemoteSearches find datamodel acceleration with wildcards" />
 			<saved name="IndexerLevel - RemoteSearches - lookup usage" />