In version 3.0.8 the lookup file splunkadmins_hec_reply_code_lookup.csv was updated based on [gettingsmarter (github repo)](https://github.com/redvelociraptor/gettingsmarter/), the updated lookup was created by @jgedeon and additionally includes some health endpoint return codes (as well as those returned by the standard HEC endpoint)

Updated alerts:
- `SplunkEnterpriseLevel - Splunkd Log Messages Admins Only` - more criteria
- `SearchHeadLevel - Scheduled Searches That Cannot Run` - correcting issue #20 (thanks @barrettnet)

Updated reports:
- `SearchHeadLevel - Search Queries summary exact match` - added provenance
- `SearchHeadLevel - Search Queries summary non-exact match` - added provenance
- `SearchHeadLevel - audit.log - lookup usage` - updated to handle mlspl files as well (apply command)
- `SearchHeadLevel - Lookup file owners` - now includes an additional join that can be used if TA-webtools is installed (to improve accuracy/exclude default lookup definitions/files)

New reports:
- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
- `SearchHeadLevel - Lookup Editor lookup updates`
- `SearchHeadLevel - Lookups within dashboards`
- `SearchHeadLevel - Lookups within savedsearches`
- `SearchHeadLevel - REST API usage via audit.log`

Author: gjanders

README.md

@@ -164,6 +164,7 @@ There are many Splunk conf talks available on this subject in various conference
 - `SearchHeadLevel - Users with auto-finalized searches`
 - `SearchHeadLevel - User - Dashboards searching all indexes`
 - `SearchHeadLevel - Detect Excessive Search Use - Dashboard - Automated`
+- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
 - `SearchHeadLevel - WLM aborted searches`
 - `SearchHeadLevel - Dashboards with all time searches set`
 - `SearchHeadLevel - SavedSearches using special characters`
@@ -232,13 +233,18 @@ The below list of alerts and reports are actively used since version 8.0.x and i
 - `SearchHeadLevel - datamodel errors in splunkd`
 - `SearchHeadLevel - Detect bundle pushes no longer occurring`
 - `SearchHeadLevel - Detect Excessive Search Use - Dashboard - Automated`
+- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
 - `SearchHeadLevel - Detect MongoDB errors`
 - `SearchHeadLevel - Detect searches hitting corrupt buckets`
 - `SearchHeadLevel - dispatch metadata files may need removal`
 - `SearchHeadLevel - Excessive REST API usage`
 - `SearchHeadLevel - Knowledge Bundle contents`
 - `SearchHeadLevel - KVStore Or Conf Replication Issues Are Occurring`
 - `SearchHeadLevel - license usage per sourcetype per index`
+- `SearchHeadLevel - Lookup Editor lookup updates`
+- `SearchHeadLevel - Lookup file owners`
+- `SearchHeadLevel - Lookups within dashboards`
+- `SearchHeadLevel - Lookups within savedsearches`
 - `SearchHeadLevel - platform_stats access summary`
 - `SearchHeadLevel - platform_stats.audit metrics api`
 - `SearchHeadLevel - platform_stats.audit metrics searches`
@@ -249,6 +255,7 @@ The below list of alerts and reports are actively used since version 8.0.x and i
 - `SearchHeadLevel - platform_stats.users dashboards`
 - `SearchHeadLevel - platform_stats.users savedsearches`
 - `SearchHeadLevel - RMD5 to savedsearch_name lookupgen report`
+- `SearchHeadLevel - REST API usage via audit.log`
 - `SearchHeadLevel - savedsearches invalid character in splunkd`
 - `SearchHeadLevel - SavedSearches using special characters`
 - `SearchHeadLevel - Scheduled Searches That Cannot Run`
@@ -315,6 +322,26 @@ The following ideas relate to this issue:
 Feel free to open an issue on github or use the contact author on the SplunkBase link and I will try to get back to you when possible, thanks!
 
 ## Release Notes
+### 3.0.9
+In version 3.0.8 the lookup file `splunkadmins_hec_reply_code_lookup.csv` was updated based on [gettingsmarter (github repo)](https://github.com/redvelociraptor/gettingsmarter/), the updated lookup was created by @jgedeon and additionally includes some health endpoint return codes (as well as those returned by the standard HEC endpoint)
+
+Updated alerts:
+- `SplunkEnterpriseLevel - Splunkd Log Messages Admins Only` - more criteria
+- `SearchHeadLevel - Scheduled Searches That Cannot Run` - correcting issue #20 (thanks @barrettnet)
+
+Updated reports:
+- `SearchHeadLevel - Search Queries summary exact match` - added provenance
+- `SearchHeadLevel - Search Queries summary non-exact match` - added provenance
+- `SearchHeadLevel - audit.log - lookup usage` - updated to handle mlspl files as well (apply command)
+- `SearchHeadLevel - Lookup file owners` - now includes an additional join that can be used if TA-webtools is installed (to improve accuracy/exclude default lookup definitions/files) 
+
+New reports:
+- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
+- `SearchHeadLevel - Lookup Editor lookup updates`
+- `SearchHeadLevel - Lookups within dashboards`
+- `SearchHeadLevel - Lookups within savedsearches`
+- `SearchHeadLevel - REST API usage via audit.log`
+
 ### 3.0.8
 New alerts:
 - `SearchHeadLevel - summary indexing searches not using durable search`

default/app.conf

@@ -12,7 +12,7 @@ label = SplunkAdmins
 [launcher]
 author = Gareth Anderson
 description = Alerts and dashboards as described in the Splunk 2017 conf presentation How did you get so big?
-version = 3.0.8
+version = 3.0.9
 
 [package]
 id = SplunkAdmins

default/data/ui/nav/default.xml

@@ -271,6 +271,7 @@
                     <saved name="SearchHeadLevel - platform_stats access summary" />
 		    <saved name="SearchHeadLevel - platform_stats.remote_searches metrics populating search" />
 		    <saved name="SearchHeadLevel - audit.log - lookup usage" />
+		    <saved name="SearchHeadLevel - Lookup Editor lookup updates" />
                     <saved name="IndexerLevel - platform_stats.counters hosts" />
                     <saved name="IndexerLevel - platform_stats.counters hosts 24hour" />
                     <saved name="IndexerLevel - platform_stats.indexers totalgb measurement" />
@@ -291,6 +292,8 @@
 	<collection label="SearchHeadLevel">
 		<collection label="Analytics">				
 			<saved name="SearchHeadLevel - audit.log - lookup usage" />
+			<saved name="SearchHeadLevel - Detect lookups that have not being accessed for a period of time" />
+			<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
 			<saved name="SearchHeadLevel - Search Queries Per Day Audit Logs" />
                         <saved name="SearchHeadLevel - Search Queries By Type Audit Logs" />         
                         <saved name="SearchHeadLevel - Search Queries By Type Audit Logs macro version" />                   
@@ -305,6 +308,9 @@
                         <saved name="SearchHeadLevel - IndexesPerUser Report" />
 			<saved name="SearchHeadLevel - license usage per sourcetype per index" />
 			<saved name="SearchHeadLevel - Lookup file owners" />
+			<saved name="SearchHeadLevel - REST API usage via audit.log" />
+			<saved name="SearchHeadLevel - Lookups within a dashboard" />
+			<saved name="SearchHeadLevel - Lookups within savedsearches" />
                         <saved name="IndexerLevel - RemoteSearches Indexes Stats" />
                         <saved name="IndexerLevel - RemoteSearches Indexes Stats Wilcard" />			
 			<saved name="IndexerLevel - RemoteSearches - lookup usage" />
@@ -436,6 +442,9 @@
 			<saved name="SearchHeadLevel - Lookup CSV size" />
 			<saved name="SearchHeadLevel - audit logs showing all time searches" />
 			<saved name="SearchHeadLevel - audit.log - lookup usage" />
+			<saved name="SearchHeadLevel - Detect lookups that have not being accessed for a period of time" />
+			<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
+			<saved name="SearchHeadLevel - REST API usage via audit.log" />
                         <saved name="IndexerLevel - RemoteSearches find all time searches" />
 			<saved name="IndexerLevel - RemoteSearches find datamodel acceleration with wildcards" />
 			<saved name="IndexerLevel - RemoteSearches - lookup usage" />			
@@ -449,6 +458,8 @@
 			<view name="lookups_in_use_finder" />
 			<view name="lookup_audit" />
 			<saved name="SearchHeadLevel - Lookup file owners" />
+			<saved name="SearchHeadLevel - Lookups within a dashboard" />
+			<saved name="SearchHeadLevel - Lookups within savedsearches" />
 			<saved name="SearchHeadLevel - Knowledge bundle status on indexers" />
 			<saved name="SearchHeadLevel - Knowledge bundle replication times metrics.log" />		
 			<saved name="SearchHeadLevel - Knowledge Bundle contents" />
@@ -457,6 +468,7 @@
 		</collection>	
 		<collection label="Summary_Reports">
 			<saved name="SearchHeadLevel - audit.log - lookup usage" />
+			<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
 			<saved name="SearchHeadLevel - license usage per sourcetype per index" />
         		<saved name="SearchHeadLevel - platform_stats.audit metrics searches" />
 	                <saved name="SearchHeadLevel - platform_stats.audit metrics users" />
@@ -506,7 +518,8 @@
 		</collection>
 	</collection>	
         <collection label="Summary_Reports">
-		<saved name="SearchHeadLevel - audit.log - lookup usage" />		
+		<saved name="SearchHeadLevel - audit.log - lookup usage" />
+		<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
 		<saved name="SearchHeadLevel - platform_stats.audit metrics searches" />
                 <saved name="SearchHeadLevel - platform_stats.audit metrics users" />
                 <saved name="SearchHeadLevel - platform_stats.audit metrics api" />