New macros:

gjanders · gjanders · commit 37d395413cdf · 2023-06-29T12:42:06.000+10:00
- `sysloghosts`

New reports:
- `SearchHeadLevel - Knowledge Bundle contents`
- `syslog-ng - cache statistics summary` - as contributed by Marc Andersen, company: NIL815 ApS

Updated dashboards:
- `splunk_forwarder_output_tuning` - added fillnull for `ingest_pipe`

Updated alerts:
- `AllSplunkLevel - No recent metrics.log data` - updated to use prestats
- `AllSplunkLevel - TCP Output Processor has paused the data flow` - updated criteria
- `AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192` - now 64,000 (could be renamed in future)
- `AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only` - updated criteria
- `ForwarderLevel - Splunk universal forwarders with ulimit issues` - updated keywords
- `SearchHeadLevel - Scheduled Searches That Cannot Run` - excluded the require command
- `SearchHeadLevel - Detect MongoDB errors` - updated to use prestats, added `_time` field
- `SearchHeadLevel - SHC Captain unable to establish common bundle` - added new criteria
- `SearchHeadLevel - Search Messages user level` - updated criteria
diff --git a/README.md b/README.md
@@ -256,6 +256,7 @@ The below list of alerts and reports are actively used since version 8.0.x and i
 - `SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit`
 - `SearchHeadLevel - Splunk Scheduler logs have not appeared in the last`
 - `SearchHeadLevel - Users exceeding the disk quota`
+- `syslog-ng - cache statistics summary`
 
 ## KVStore Usage
 Some CSV lookups are now replaced with kvstore entries due to the ability to sync the kvstore across multiple search head or search head cluster(s) via apps like [KV Store Tools Redux](https://splunkbase.splunk.com/app/5328/)
@@ -308,9 +309,31 @@ The following ideas relate to this issue:
 Feel free to open an issue on github or use the contact author on the SplunkBase link and I will try to get back to you when possible, thanks!
 
 ## Release Notes
+### 3.0.7
+New macros:
+- `sysloghosts`
+
+New reports:
+- `SearchHeadLevel - Knowledge Bundle contents`
+- `syslog-ng - cache statistics summary` - as contributed by Marc Andersen, company: NIL815 ApS
+
+Updated dashboards:
+- `splunk_forwarder_output_tuning` - added fillnull for `ingest_pipe`
+
+Updated alerts:
+- `AllSplunkLevel - No recent metrics.log data` - updated to use prestats
+- `AllSplunkLevel - TCP Output Processor has paused the data flow` - updated criteria
+- `AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192` - now 64,000 (could be renamed in future)
+- `AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only` - updated criteria
+- `ForwarderLevel - Splunk universal forwarders with ulimit issues` - updated keywords
+- `SearchHeadLevel - Scheduled Searches That Cannot Run` - excluded the require command
+- `SearchHeadLevel - Detect MongoDB errors` - updated to use prestats, added `_time` field
+- `SearchHeadLevel - SHC Captain unable to establish common bundle` - added new criteria
+- `SearchHeadLevel - Search Messages user level` - updated criteria
+
 ### 3.0.6
 Updated dashboards:
-- `Splunk forwarder output tuning` - added fillnull ingest_pipe
+- `Splunk forwarder output tuning` - added fillnull `ingest_pipe`
 
 Updated reports/alerts:
 - `SearchHeadLevel - Dashboards using special characters` - updated to use spath command instead of rex
diff --git a/default/app.conf b/default/app.conf
@@ -12,7 +12,7 @@ label = SplunkAdmins
 [launcher]
 author = Gareth Anderson
 description = Alerts and dashboards as described in the Splunk 2017 conf presentation How did you get so big?
-version = 3.0.6
+version = 3.0.7
 
 [package]
 id = SplunkAdmins
diff --git a/default/data/ui/nav/default.xml b/default/data/ui/nav/default.xml
@@ -143,6 +143,9 @@
 		    <view name="splunk_introspection_io_stats" />
 		    <a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FForwarderLevel%20-%20Channel%20churn%20issues">Channel churn issues</a>
 		</collection>
+                <collection label="syslog-ng">
+			<saved name="syslog-ng - cache statistics summary" />
+		</collection>
 	</collection>
 	<collection label="IndexerLevel">
 		<collection label="Bucket Related">
@@ -329,6 +332,7 @@
 	                        <a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Search%20Messages%20user%20level">Search Messages user level</a>
 	                        <a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Search%20Messages%20admins%20only">Search Messages admins only</a>
 	                </collection>
+			<saved name="SearchHeadLevel - Knowledge Bundle contents" />
 		</collection>	
 		<collection label="Non best-practice">
 			<collection label="Realtime searches">
@@ -363,6 +367,7 @@
 	                        <saved name="SearchHeadLevel - audit logs showing all time searches" />
 	                        <saved name="IndexerLevel - RemoteSearches find all time searches" />
 				<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Excessive%20REST%20API%20usage">SearchHeadLevel - Excessive REST API usage</a>			
+				<saved name="SearchHeadLevel - Knowledge Bundle contents" />
 			</collection>
 		</collection>
 		<collection label="Performance Issues">
@@ -378,14 +383,15 @@
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FIndexerLevel%20-%20Slow%20peer%20from%20remote%20searches">Slow peer from remote searches</a>
                         <saved name="SearchHeadLevel - Search Messages field extractor slow" />
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Excessive%20REST%20API%20usage">SearchHeadLevel - Excessive REST API usage</a>			
-			<saved name="SearchHeadLevel - Knowledge bundle replication times metrics.log" />			
+			<saved name="SearchHeadLevel - Knowledge bundle replication times metrics.log" />
 		</collection>		
 		<collection label="Proactive">			
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20LDAP%20users%20have%20been%20disabled%20or%20left%20the%20company%20cleanup%20required">LDAP users have been disabled or left the company cleanup required</a>		
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Saved%20Searches%20with%20privileged%20owners%20and%20excessive%20write%20perms">Saved Searches with privileged owners and excessive write perms</a>						
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Scheduled%20Searches%20Configured%20with%20incorrect%20sharing">Scheduled Searches Configured with incorrect sharing</a>
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Splunk%20login%20attempts%20from%20users%20that%20do%20not%20have%20any%20LDAP%20roles">Splunk login attempts from users that do not have any LDAP roles</a>
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20authorize.conf%20settings%20will%20prevent%20some%20users%20from%20appearing%20in%20the%20UI">SearchHeadLevel - authorize.conf settings will prevent some users from appearing in the UI</a>
+			<saved name="SearchHeadLevel - Knowledge Bundle contents" />
 		</collection>	
 		<collection label="Quotas">			
 			<a href="/app/SplunkAdmins/alert?s=%2FservicesNS%2Fnobody%2FSplunkAdmins%2Fsaved%2Fsearches%2FSearchHeadLevel%20-%20Splunk%20Max%20Historic%20Search%20Limits%20Reached">Splunk Max Historic Search Limits Reached</a>
@@ -432,6 +438,8 @@
 			<view name="lookup_audit" />
 			<saved name="SearchHeadLevel - Knowledge bundle status on indexers" />
 			<saved name="SearchHeadLevel - Knowledge bundle replication times metrics.log" />		
+			<saved name="SearchHeadLevel - Knowledge Bundle contents" />
+			<saved name="syslog-ng - cache statistics summary" />
 		</collection>	
 		<collection label="Summary_Reports">
         		<saved name="SearchHeadLevel - platform_stats.audit metrics searches" />
diff --git a/default/macros.conf b/default/macros.conf
@@ -38,6 +38,10 @@ iseval = 0
 definition = host=*
 iseval = 0
 
+[sysloghosts]
+definition = host=*
+iseval = 0
+
 [searchheadsplunkservers]
 definition = splunk_server=*
 iseval = 0
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
