Commit 5ca6fbc

Update savedsearches.conf
1 parent fe409e9 commit 5ca6fbc

1 file changed: +2 -2 lines changed

default/savedsearches.conf

Lines changed: 2 additions & 2 deletions
@@ -4623,7 +4623,7 @@ search = | rest /services/authorization/roles splunk_server="local" \
46234623
[SearchHeadLevel - Search Queries summary exact match]
46244624
action.email.useNSSubject = 1
46254625
alert.track = 0
4626-
description = Report only? Yes. This report is an attempt to use the Splunk audit logs to generate summary statistics on what indexes were accessed and the period of time they were accessed over. There is a lot of complexity here as the audit logs make this task very challenging. This version relates to entries where index=<indexname> where used without wildcards, an additional report "SearchHeadLevel - Search Queries summary non-exact match" also exists to perform this same function without an index specified or when wildcards are used. This report requires "SearchHeadLevel - Index access list by user" and "SearchHeadLevel - Macro report". Also note that you need to remove the comment around the lookup command within the search...this report works in Splunk 8.0 or newer (or 7.3 with some changes). Requires the splunkadmins_macros lookup file to exist, the datamodels, eventtypes and tags lookup files should also exit for this to be accurate. Finally, you may wish to try the report "IndexerLevel - RemoteSearches Indexes Stats" this uses the remote_searches.log and doesn't need to work with macros or similar as it runs on the indexing tier...Note pre Splunk 8.0 you will need to replace splunkadmins_audit_logs_macro_sub_v8 with splunkadmins_audit_logs_macro_sub. If you would prefer an alternative without extremely complex Splunk seraches refer to Sideview UI / https://apps.splunk.com/app/6449/ which has custom commands to do this work. Or use the remote seraches in this app which provide most of this data (although you cannot determine username so less context in remote searches)
4626+
description = Report only? Yes. This report is an attempt to use the Splunk audit logs to generate summary statistics on what indexes were accessed and the period of time they were accessed over. There is a lot of complexity here as the audit logs make this task very challenging. This version relates to entries where index=<indexname> where used without wildcards, an additional report "SearchHeadLevel - Search Queries summary non-exact match" also exists to perform this same function without an index specified or when wildcards are used. This report requires "SearchHeadLevel - Index access list by user" and "SearchHeadLevel - Macro report". Also note that you need to remove the comment around the lookup command within the search...this report works in Splunk 8.0 or newer (or 7.3 with some changes). Requires the splunkadmins_macros lookup file to exist, the datamodels, eventtypes and tags lookup files should also exit for this to be accurate. Finally, you may wish to try the report "IndexerLevel - RemoteSearches Indexes Stats" this uses the remote_searches.log and doesn't need to work with macros or similar as it runs on the indexing tier...Note pre Splunk 8.0 you will need to replace splunkadmins_audit_logs_macro_sub_v8 with splunkadmins_audit_logs_macro_sub. If you would prefer an alternative without extremely complex Splunk seraches refer to Sideview UI / https://apps.splunk.com/app/6449/ which has custom commands to do this work. Or use the remote seraches in this app which provide most of this data (although you cannot determine username so less context in remote searches). Finally, you may wish to take a look at https://github.com/TheWoodRanger/presentation-conf_24_audittrail_native_telemetry for a summary of options.
46274627
dispatch.earliest_time = -1h
46284628
dispatch.latest_time = now
46294629
display.events.fields = ["index","sourcetype","host","source"]
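Review bot: the rewritten description line (the `4626+` line) now has two consecutive sentences that open with "Finally, you may wish to ..."; since the whole line is being replaced anyway, drop the first "Finally" or merge the two closing pointers into one sentence, and fix the pre-existing typos carried over on the same line: "seraches" (twice) should be "searches" and "should also exit" should be "should also exist". The new pointer to the conf24 audittrail telemetry repository is itself fine and matches the sentence added in the second hunk.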
@@ -4733,7 +4733,7 @@ search = | multisearch \
47334733
[SearchHeadLevel - Search Queries summary non-exact match]
47344734
action.email.useNSSubject = 1
47354735
alert.track = 0
4736-
description = Report only? Yes. This report is an attempt to use the Splunk audit logs to generate summary statistics on what indexes were accessed and the period of time they were accessed over. There is a lot of complexity here as the audit logs make this task very challenging. This version relates to entries where either index names are specified with wildcards or no index is specified, an additional report "SearchHeadLevel - Search Queries summary exact match" also exists to perform this same function where an index=<indexname> is specified. This report requires "SearchHeadLevel - Index access list by user" and "SearchHeadLevel - Macro report". Also note that you need to remove the comment around the lookup within the search...this report works on Splunk 8.0 or newer or 7.3 with some modification. Requires the splunkadmins_macros and splunkadmins_indexes_per_role lookup files to exist. Note pre Splunk 8.0 you will need to replace splunkadmins_audit_logs_macro_sub_v8 with splunkadmins_audit_logs_macro_sub. Note that this search utilises the streamfilterwildcard custom search command included in the TA-Alerts for SplunkAdmins application on SplunkBase (or github). The Sideview UI / https://apps.splunk.com/app/6449/ app offers an alternative way to read the audit log files with custom commands instead. The RemoteSearches examples logs also have the majority of this data but lack context such as the username available in the audit.log files
4736+
description = Report only? Yes. This report is an attempt to use the Splunk audit logs to generate summary statistics on what indexes were accessed and the period of time they were accessed over. There is a lot of complexity here as the audit logs make this task very challenging. This version relates to entries where either index names are specified with wildcards or no index is specified, an additional report "SearchHeadLevel - Search Queries summary exact match" also exists to perform this same function where an index=<indexname> is specified. This report requires "SearchHeadLevel - Index access list by user" and "SearchHeadLevel - Macro report". Also note that you need to remove the comment around the lookup within the search...this report works on Splunk 8.0 or newer or 7.3 with some modification. Requires the splunkadmins_macros and splunkadmins_indexes_per_role lookup files to exist. Note pre Splunk 8.0 you will need to replace splunkadmins_audit_logs_macro_sub_v8 with splunkadmins_audit_logs_macro_sub. Note that this search utilises the streamfilterwildcard custom search command included in the TA-Alerts for SplunkAdmins application on SplunkBase (or github). The Sideview UI / https://apps.splunk.com/app/6449/ app offers an alternative way to read the audit log files with custom commands instead. The RemoteSearches examples logs also have the majority of this data but lack context such as the username available in the audit.log files. Finally, you may wish to take a look at https://github.com/TheWoodRanger/presentation-conf_24_audittrail_native_telemetry for a summary of options.
47374737
dispatch.earliest_time = -1h
47384738
dispatch.latest_time = now
47394739
display.events.fields = ["index","sourcetype","host","source","indextime","count"]
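Review bot: the `4736+` description line carries over the same pre-existing wording issues alongside the new sentence: "The RemoteSearches examples logs also have the majority of this data" should read "The RemoteSearches example logs also contain the majority of this data", and "works on Splunk 8.0 or newer or 7.3 with some modification" wants a comma before "or 7.3" to match the phrasing used in the exact-match report's description. Since the line is being rewritten, this is the cheapest point to tidy it; the added link is consistent with the one added in the previous hunk.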