
Commit 9b0740d

In version 3.0.8 the lookup file `splunkadmins_hec_reply_code_lookup.csv` was updated based on [gettingsmarter (github repo)](https://github.com/redvelociraptor/gettingsmarter/), the updated lookup was created by @jgedeon and additionally includes some health endpoint return codes (as well as those returned by the standard HEC endpoint).

Updated alerts:
- `SplunkEnterpriseLevel - Splunkd Log Messages Admins Only` - more criteria
- `SearchHeadLevel - Scheduled Searches That Cannot Run` - correcting issue #20 (thanks @barrettnet)

Updated reports:
- `SearchHeadLevel - Search Queries summary exact match` - added provenance
- `SearchHeadLevel - Search Queries summary non-exact match` - added provenance
- `SearchHeadLevel - audit.log - lookup usage` - updated to handle mlspl files as well (apply command)
- `SearchHeadLevel - Lookup file owners` - now includes an additional join that can be used if TA-webtools is installed (to improve accuracy/exclude default lookup definitions/files)

New reports:
- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
- `SearchHeadLevel - Lookup Editor lookup updates`
- `SearchHeadLevel - Lookups within dashboards`
- `SearchHeadLevel - Lookups within savedsearches`
- `SearchHeadLevel - REST API usage via audit.log`
1 parent 5011aca commit 9b0740d

6 files changed: +257 / -20 lines changed

README.md

Lines changed: 27 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -164,6 +164,7 @@ There are many Splunk conf talks available on this subject in various conference
164164
- `SearchHeadLevel - Users with auto-finalized searches`
165165
- `SearchHeadLevel - User - Dashboards searching all indexes`
166166
- `SearchHeadLevel - Detect Excessive Search Use - Dashboard - Automated`
167+
- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
167168
- `SearchHeadLevel - WLM aborted searches`
168169
- `SearchHeadLevel - Dashboards with all time searches set`
169170
- `SearchHeadLevel - SavedSearches using special characters`
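Review bot: the new entry `SearchHeadLevel - Detect lookups that have not being accessed for a period of time` has a grammar slip in the name ("have not being" should be "have not been"). Since this string is the saved search name, it must stay identical to the `savedsearches.conf` stanza and to the `<saved name="..."/>` entries added in `default/data/ui/nav/default.xml` in this same commit, so either rename it consistently in all three places before release or leave it as-is; a half rename would break the navigation entries.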
@@ -232,13 +233,18 @@ The below list of alerts and reports are actively used since version 8.0.x and i
232233
- `SearchHeadLevel - datamodel errors in splunkd`
233234
- `SearchHeadLevel - Detect bundle pushes no longer occurring`
234235
- `SearchHeadLevel - Detect Excessive Search Use - Dashboard - Automated`
236+
- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
235237
- `SearchHeadLevel - Detect MongoDB errors`
236238
- `SearchHeadLevel - Detect searches hitting corrupt buckets`
237239
- `SearchHeadLevel - dispatch metadata files may need removal`
238240
- `SearchHeadLevel - Excessive REST API usage`
239241
- `SearchHeadLevel - Knowledge Bundle contents`
240242
- `SearchHeadLevel - KVStore Or Conf Replication Issues Are Occurring`
241243
- `SearchHeadLevel - license usage per sourcetype per index`
244+
- `SearchHeadLevel - Lookup Editor lookup updates`
245+
- `SearchHeadLevel - Lookup file owners`
246+
- `SearchHeadLevel - Lookups within dashboards`
247+
- `SearchHeadLevel - Lookups within savedsearches`
242248
- `SearchHeadLevel - platform_stats access summary`
243249
- `SearchHeadLevel - platform_stats.audit metrics api`
244250
- `SearchHeadLevel - platform_stats.audit metrics searches`
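Review bot: `SearchHeadLevel - Lookup file owners` is added to this "actively used" list as if it were new, whereas the commit message and the release notes in the hunk below describe it as an updated, pre-existing report. Confirm it was genuinely missing from this list (rather than creating a duplicate entry elsewhere in the README), and consider mentioning in the list or release notes that the extra join only applies when TA-webtools is installed, so readers know the report works without it.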
@@ -249,6 +255,7 @@ The below list of alerts and reports are actively used since version 8.0.x and i
249255
- `SearchHeadLevel - platform_stats.users dashboards`
250256
- `SearchHeadLevel - platform_stats.users savedsearches`
251257
- `SearchHeadLevel - RMD5 to savedsearch_name lookupgen report`
258+
- `SearchHeadLevel - REST API usage via audit.log`
252259
- `SearchHeadLevel - savedsearches invalid character in splunkd`
253260
- `SearchHeadLevel - SavedSearches using special characters`
254261
- `SearchHeadLevel - Scheduled Searches That Cannot Run`
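Review bot: ordering style point: `SearchHeadLevel - REST API usage via audit.log` is inserted after `SearchHeadLevel - RMD5 to savedsearch_name lookupgen report`, but this list otherwise reads as alphabetical and "REST" sorts before "RMD5"; move the new line one position up so it precedes the RMD5 entry.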
@@ -315,6 +322,26 @@ The following ideas relate to this issue:
315322
Feel free to open an issue on github or use the contact author on the SplunkBase link and I will try to get back to you when possible, thanks!
316323

317324
## Release Notes
325+
### 3.0.9
326+
In version 3.0.8 the lookup file `splunkadmins_hec_reply_code_lookup.csv` was updated based on [gettingsmarter (github repo)](https://github.com/redvelociraptor/gettingsmarter/), the updated lookup was created by @jgedeon and additionally includes some health endpoint return codes (as well as those returned by the standard HEC endpoint)
327+
328+
Updated alerts:
329+
- `SplunkEnterpriseLevel - Splunkd Log Messages Admins Only` - more criteria
330+
- `SearchHeadLevel - Scheduled Searches That Cannot Run` - correcting issue #20 (thanks @barrettnet)
331+
332+
Updated reports:
333+
- `SearchHeadLevel - Search Queries summary exact match` - added provenance
334+
- `SearchHeadLevel - Search Queries summary non-exact match` - added provenance
335+
- `SearchHeadLevel - audit.log - lookup usage` - updated to handle mlspl files as well (apply command)
336+
- `SearchHeadLevel - Lookup file owners` - now includes an additional join that can be used if TA-webtools is installed (to improve accuracy/exclude default lookup definitions/files)
337+
338+
New reports:
339+
- `SearchHeadLevel - Detect lookups that have not being accessed for a period of time`
340+
- `SearchHeadLevel - Lookup Editor lookup updates`
341+
- `SearchHeadLevel - Lookups within dashboards`
342+
- `SearchHeadLevel - Lookups within savedsearches`
343+
- `SearchHeadLevel - REST API usage via audit.log`
344+
318345
### 3.0.8
319346
New alerts:
320347
- `SearchHeadLevel - summary indexing searches not using durable search`
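Review bot: the first paragraph under the new `### 3.0.9` heading opens with "In version 3.0.8 the lookup file ... was updated", which reads as a 3.0.8 note filed under 3.0.9; if the lookup change ships with 3.0.9, say "In version 3.0.9", otherwise move the paragraph under `### 3.0.8`. Minor: the paragraph ends without a period, and it is followed by two consecutive blank added lines where the rest of the section uses a single blank line between blocks.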

default/app.conf

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -12,7 +12,7 @@ label = SplunkAdmins
1212
[launcher]
1313
author = Gareth Anderson
1414
description = Alerts and dashboards as described in the Splunk 2017 conf presentation How did you get so big?
15-
version = 3.0.8
15+
version = 3.0.9
1616

1717
[package]
1818
id = SplunkAdmins

default/data/ui/nav/default.xml

Lines changed: 14 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -271,6 +271,7 @@
271271
<saved name="SearchHeadLevel - platform_stats access summary" />
272272
<saved name="SearchHeadLevel - platform_stats.remote_searches metrics populating search" />
273273
<saved name="SearchHeadLevel - audit.log - lookup usage" />
274+
<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
274275
<saved name="IndexerLevel - platform_stats.counters hosts" />
275276
<saved name="IndexerLevel - platform_stats.counters hosts 24hour" />
276277
<saved name="IndexerLevel - platform_stats.indexers totalgb measurement" />
@@ -291,6 +292,8 @@
291292
<collection label="SearchHeadLevel">
292293
<collection label="Analytics">
293294
<saved name="SearchHeadLevel - audit.log - lookup usage" />
295+
<saved name="SearchHeadLevel - Detect lookups that have not being accessed for a period of time" />
296+
<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
294297
<saved name="SearchHeadLevel - Search Queries Per Day Audit Logs" />
295298
<saved name="SearchHeadLevel - Search Queries By Type Audit Logs" />
296299
<saved name="SearchHeadLevel - Search Queries By Type Audit Logs macro version" />
@@ -305,6 +308,9 @@
305308
<saved name="SearchHeadLevel - IndexesPerUser Report" />
306309
<saved name="SearchHeadLevel - license usage per sourcetype per index" />
307310
<saved name="SearchHeadLevel - Lookup file owners" />
311+
<saved name="SearchHeadLevel - REST API usage via audit.log" />
312+
<saved name="SearchHeadLevel - Lookups within a dashboard" />
313+
<saved name="SearchHeadLevel - Lookups within savedsearches" />
308314
<saved name="IndexerLevel - RemoteSearches Indexes Stats" />
309315
<saved name="IndexerLevel - RemoteSearches Indexes Stats Wilcard" />
310316
<saved name="IndexerLevel - RemoteSearches - lookup usage" />
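Review bot: name mismatch: this hunk adds `<saved name="SearchHeadLevel - Lookups within a dashboard" />`, but the README list and the release notes in this same commit call the new report `SearchHeadLevel - Lookups within dashboards`. A `<saved name>` in the navigation must match the saved search's stanza name exactly or the menu entry will not resolve, so pick one spelling and use it in `savedsearches.conf`, the README and every nav entry (the sibling `Lookups within savedsearches` entry matches the README, so the inconsistency is confined to the dashboard report).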
@@ -436,6 +442,9 @@
436442
<saved name="SearchHeadLevel - Lookup CSV size" />
437443
<saved name="SearchHeadLevel - audit logs showing all time searches" />
438444
<saved name="SearchHeadLevel - audit.log - lookup usage" />
445+
<saved name="SearchHeadLevel - Detect lookups that have not being accessed for a period of time" />
446+
<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
447+
<saved name="SearchHeadLevel - REST API usage via audit.log" />
439448
<saved name="IndexerLevel - RemoteSearches find all time searches" />
440449
<saved name="IndexerLevel - RemoteSearches find datamodel acceleration with wildcards" />
441450
<saved name="IndexerLevel - RemoteSearches - lookup usage" />
@@ -449,6 +458,8 @@
449458
<view name="lookups_in_use_finder" />
450459
<view name="lookup_audit" />
451460
<saved name="SearchHeadLevel - Lookup file owners" />
461+
<saved name="SearchHeadLevel - Lookups within a dashboard" />
462+
<saved name="SearchHeadLevel - Lookups within savedsearches" />
452463
<saved name="SearchHeadLevel - Knowledge bundle status on indexers" />
453464
<saved name="SearchHeadLevel - Knowledge bundle replication times metrics.log" />
454465
<saved name="SearchHeadLevel - Knowledge Bundle contents" />
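Review bot: same mismatch as the earlier hunk: `SearchHeadLevel - Lookups within a dashboard` here versus `SearchHeadLevel - Lookups within dashboards` in the README and release notes; whichever name the saved search actually carries, both nav entries need to use it, otherwise one of the two menu items is dead.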
@@ -457,6 +468,7 @@
457468
</collection>
458469
<collection label="Summary_Reports">
459470
<saved name="SearchHeadLevel - audit.log - lookup usage" />
471+
<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
460472
<saved name="SearchHeadLevel - license usage per sourcetype per index" />
461473
<saved name="SearchHeadLevel - platform_stats.audit metrics searches" />
462474
<saved name="SearchHeadLevel - platform_stats.audit metrics users" />
@@ -506,7 +518,8 @@
506518
</collection>
507519
</collection>
508520
<collection label="Summary_Reports">
509-
<saved name="SearchHeadLevel - audit.log - lookup usage" />
521+
<saved name="SearchHeadLevel - audit.log - lookup usage" />
522+
<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
510523
<saved name="SearchHeadLevel - platform_stats.audit metrics searches" />
511524
<saved name="SearchHeadLevel - platform_stats.audit metrics users" />
512525
<saved name="SearchHeadLevel - platform_stats.audit metrics api" />
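Review bot: the removed line `<saved name="SearchHeadLevel - audit.log - lookup usage" />` and the re-added one are identical in content, so this appears to be a whitespace or indentation-only change bundled with the real addition of `Lookup Editor lookup updates`; if that is intentional (fixing indentation to match the surrounding entries) it is fine, otherwise drop the churn so the diff only shows the new entry.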
