Updated to savedsearches, dashboards and macros due to change to comment syntax

Author: gjanders

README.md

@@ -360,7 +360,10 @@ Feel free to open an issue on github or use the contact author on the SplunkBase
 
 ## Release Notes
 ### 3.0.15
-- Merged pull request from sifters relating to replacing comment macro with the triple backtick option introduced in Splunk 8.1
+- Merged pull request from sifters relating to replacing comment macro with the triple backtick option introduced in Splunk 8.1. This involved editing many searches to change the format of the comments.
+
+New reports:
+- SearchHeadLevel - configtracker index example2
 
 ### 3.0.14
 New reports:

default/data/ui/nav/default.xml

@@ -321,6 +321,7 @@
 			<saved name="SearchHeadLevel - Job performance data per indexer" />
 			<saved name="SearchHeadLevel - Jobs endpoint example" />
 			<saved name="SearchHeadLevel - configtracker index example" />
+			<saved name="SearchHeadLevel - configtracker index example2" />
                         <saved name="IndexerLevel - RemoteSearches Indexes Stats" />
                         <saved name="IndexerLevel - RemoteSearches Indexes Stats Wilcard" />			
 			<saved name="IndexerLevel - RemoteSearches - lookup usage" />

default/macros.conf

@@ -572,14 +572,14 @@ iseval = 0
 #Substitute `<macro name>` within the audit.log files with the audit definition based on a lookup file
 #note this version only substitutes the first macro seen...the Splunk 8 version can handle multiple macros at once
 [splunkadmins_audit_logs_macro_sub]
-definition = search ```Set all values to null() in case this macro is called again within the same search. Subsitute a macro used inside a search with the definition found in the lookup file```\
+definition = ```Set all values to null() in case this macro is called again within the same search. Subsitute a macro used inside a search with the definition found in the lookup file```\
 | eval definition=null(), commas=null(), commas2=null(), argCount2=null(), argCount=null(), match=null()\
 | rex field=search max_match=1 "\`(?!\")(?!')(?P<macro>[^\`]+)\`" \
-| search ```You can have multiple macro definitions with either 0 or more arguments so we have to count them...``` \
+```You can have multiple macro definitions with either 0 or more arguments so we have to count them...``` \
 | rex max_match=10 field=macro "([^\"]+\")|([^']+')\s*(?P<commas>,)" \
 | rex max_match=10 field=macro "(?P<commas2>,)" \
 | rex max_match=1 field=macro "(?P<match>[^\(]+\()" \
-| search ```Two count methods are used as if we have macro(arg1) that has no commas, but macro(arg1,arg2) will work as expected...``` \
+```Two count methods are used as if we have macro(arg1) that has no commas, but macro(arg1,arg2) will work as expected...``` \
 | eval argCount2=if(match(macro,"([^\"]+\")|([^']+')") AND isnull(commas),-1,if(isnotnull(commas2),mvcount(commas2),null())) \
 | eval argCount=if(isnull(argCount2),0,argCount2+1) \
 | eval argCount=if(argCount==0,if(isnotnull(match),1,0),argCount) \
@@ -595,54 +595,54 @@ iseval = 0
 #Substitute `<macro name>` within the audit.log files with the audit definition based on a lookup file
 #note this version only works on Splunk 8 due to the use of mvmap
 [splunkadmins_audit_logs_macro_sub_v8]
-definition = search ```Set all values to null() in case this macro is called again within the same search. Subsitute a macro used inside a search with the definition found in the lookup file``` \
-| eval definition=null(), definition2=null(), definition3=null(), commas=null(), commas2=null(), argCount2=null(), argCount=null(), match=null() \
+definition = ```Set all values to null() in case this macro is called again within the same search. Subsitute a macro used inside a search with the definition found in the lookup file``` \
+eval definition=null(), definition2=null(), definition3=null(), commas=null(), commas2=null(), argCount2=null(), argCount=null(), match=null() \
 | rex field=search "\\`(?!\")(?!')(?P<macro>[^\\`]+)\\`" max_match=20 \
-| search ```remove any commas inside double quotes or single quotes inside a macro, they are probably not arguments to the macro itself``` \
+  ```remove any commas inside double quotes or single quotes inside a macro, they are probably not arguments to the macro itself``` \
 | eval remove_commas_inside_macros=mvmap(macro,replace(macro,"(\"[^\"]+\"|'[^']+')","")) \
-| search ```Originally a regex, the replace+len works in mvmap and determines number of commas so we can find a macro name``` \
+  ```Originally a regex, the replace+len works in mvmap and determines number of commas so we can find a macro name``` \
 | eval commas2=mvmap(remove_commas_inside_macros,if(match(remove_commas_inside_macros,"^[^\(]+$"),"-1",len(replace(remove_commas_inside_macros,"[^,]+",""))+1)) \
 | rex field=macro "(?P<macro_name>^[^\( ]+)" max_match=20 \
 | eval macro_commas=mvzip(macro_name,commas2,"!!!!!!!") \
-| search ```A macro with zero arguments is -1 from the previous mvmap, if it has non-zero arguments the definition changes to macro(number)...``` \
+  ```A macro with zero arguments is -1 from the previous mvmap, if it has non-zero arguments the definition changes to macro(number)...``` \
 | eval macroName=mvmap(macro_commas,if(mvindex(split(macro_commas,"!!!!!!!"),1)=="-1",mvindex(split(macro_commas,"!!!!!!!"),0),mvindex(split(macro_commas,"!!!!!!!"),0) . "(" . mvindex(split(macro_commas,"!!!!!!!"),1) . ")")) \
 | lookup splunkadmins_macros title AS macroName, app AS app_name, splunk_server \
 | eval app_name2="global" \
-| search ```The original version just did an OUTPUTNEW definition, however this has the limitation that if 1 of the 5 macros found resolves, output stops. And this can result in missing macros. So this version over-matches but that appears to be the tradeoff...without making this even more complicated``` \
+  ```The original version just did an OUTPUTNEW definition, however this has the limitation that if 1 of the 5 macros found resolves, output stops. And this can result in missing macros. So this version over-matches but that appears to be the tradeoff...without making this even more complicated``` \
 | lookup splunkadmins_macros title AS macroName, app AS app_name2, splunk_server OUTPUT definition AS definition2 \
 | lookup splunkadmins_macros title AS macroName, splunk_server OUTPUT definition AS definition3 \
 | eval definition=mvdedup(mvappend(definition,definition2,definition3)) \
 | fillnull definition value="macronotfound" \
 | nomv definition \
 | eval definition=" " . definition . " " \
-| search ```While an mvmap could replace per-macro that results in a multivalue output. Also replace doesn't handle a multivalued replacement argument so just replace the first macro if it exists with the definitions of all the macros, close enough for what we want``` \
+  ```While an mvmap could replace per-macro that results in a multivalue output. Also replace doesn't handle a multivalued replacement argument so just replace the first macro if it exists with the definitions of all the macros, close enough for what we want``` \
 | eval search=if(isnotnull(macro_name),replace(search,mvindex(macro_name,0),definition),search)
 iseval = 0
 
 #Substitute `<macro name>` within the any file
 [splunkadmins_macro_sub(1)]
 args = fieldname
-definition = search ```Set all values to null() in case this macro is called again within the same search. Subsitute a macro used inside a search with the definition found in the lookup file``` \
-| eval definition=null(), definition2=null(), definition3=null(), commas=null(), commas2=null(), argCount2=null(), argCount=null(), match=null() \
+definition = ```Set all values to null() in case this macro is called again within the same search. Subsitute a macro used inside a search with the definition found in the lookup file``` \
+eval definition=null(), definition2=null(), definition3=null(), commas=null(), commas2=null(), argCount2=null(), argCount=null(), match=null() \
 | rex field=$fieldname$ "\\`(?!\")(?!')(?P<macro>[^\\`]+)\\`" max_match=20 \
-| search ```remove any commas inside double quotes or single quotes inside a macro, they are probably not arguments to the macro itself``` \
+  ```remove any commas inside double quotes or single quotes inside a macro, they are probably not arguments to the macro itself``` \
 | eval remove_commas_inside_macros=mvmap(macro,replace(macro,"(\"[^\"]+\"|'[^']+')","")) \
-| search ```Originally a regex, the replace+len works in mvmap and determines number of commas so we can find a macro name``` \
+  ```Originally a regex, the replace+len works in mvmap and determines number of commas so we can find a macro name``` \
 | eval commas2=mvmap(remove_commas_inside_macros,if(match(remove_commas_inside_macros,"^[^\(]+$"),"-1",len(replace(remove_commas_inside_macros,"[^,]+",""))+1)) \
 | rex field=macro "(?P<macro_name>^[^\( ]+)" max_match=20 \
 | eval macro_commas=mvzip(macro_name,commas2,"!!!!!!!") \
-| search ```A macro with zero arguments is -1 from the previous mvmap, if it has non-zero arguments the definition changes to macro(number)...``` \
+  ```A macro with zero arguments is -1 from the previous mvmap, if it has non-zero arguments the definition changes to macro(number)...``` \
 | eval macroName=mvmap(macro_commas,if(mvindex(split(macro_commas,"!!!!!!!"),1)=="-1",mvindex(split(macro_commas,"!!!!!!!"),0),mvindex(split(macro_commas,"!!!!!!!"),0) . "(" . mvindex(split(macro_commas,"!!!!!!!"),1) . ")")) \
 | lookup splunkadmins_macros title AS macroName, app AS app_name, splunk_server \
 | eval app_name2="global" \
-| search ```The original version just did an OUTPUTNEW definition, however this has the limitation that if 1 of the 5 macros found resolves, output stops. And this can result in missing macros. So this version over-matches but that appears to be the tradeoff...without making this even more complicated``` \
+  ```The original version just did an OUTPUTNEW definition, however this has the limitation that if 1 of the 5 macros found resolves, output stops. And this can result in missing macros. So this version over-matches but that appears to be the tradeoff...without making this even more complicated``` \
 | lookup splunkadmins_macros title AS macroName, app AS app_name2, splunk_server OUTPUT definition AS definition2 \
 | lookup splunkadmins_macros title AS macroName, splunk_server OUTPUT definition AS definition3 \
 | eval definition=mvdedup(mvappend(definition,definition2,definition3)) \
 | fillnull definition value="macronotfound" \
 | nomv definition \
 | eval definition=" " . definition . " " \
-| search ```While an mvmap could replace per-macro that results in a multivalue output. Also replace doesn't handle a multivalued replacement argument so just replace the first macro if it exists with the definitions of all the macros, close enough for what we want``` \
+  ```While an mvmap could replace per-macro that results in a multivalue output. Also replace doesn't handle a multivalued replacement argument so just replace the first macro if it exists with the definitions of all the macros, close enough for what we want``` \
 | eval search=if(isnotnull(macro_name),replace($fieldname$,mvindex(macro_name,0),definition),$fieldname$)
 iseval = 0
 
@@ -709,27 +709,27 @@ args = search_id
 definition = eval from=null(), username=null(), searchname2=null(), searchname=null()\
 | rex field=$search_id$ "(_rt)?(_?subsearch)*_?(?P<from>[^_]+)((_(?P<base64username>[^_]+))|(__(?P<username>[^_]+)))((__(?P<app>[^_]+)__(?P<searchname2>[^_]+))|(_(?P<base64appname>[^_]+)__(?P<searchname>[^_]+)))"\
 | rex field=$search_id$ "^_?(?P<from>SummaryDirector)"\
-| search ```Pattern appears to vary but remote_<hostname>_ is consistent along with the optional _subsearch, the _from can be <username>__ownername__appname__RMD for dashboards as one pattern, it can also be unixepoch (ad-hoc), or scheduler__username__appname (scheduled search), or  username__owner__(something)__dashboardview, among others. RMD values can be translated via audit.log, scheduler.log or remote_searches.log (if savedsearch_name is there)!```\
+  ```Pattern appears to vary but remote_<hostname>_ is consistent along with the optional _subsearch, the _from can be <username>__ownername__appname__RMD for dashboards as one pattern, it can also be unixepoch (ad-hoc), or scheduler__username__appname (scheduled search), or  username__owner__(something)__dashboardview, among others. RMD values can be translated via audit.log, scheduler.log or remote_searches.log (if savedsearch_name is there)!```\
 | fillnull from value="adhoc"\
 | eval searchname=coalesce(searchname,searchname2)\
 | eval type=case(from=="scheduler","scheduled",from=="SummaryDirector","acceleration",match(search_id,"^'?alertsmanager_"),"scheduled",isnotnull(searchname),"dashboard",1=1,"ad-hoc")
 iseval = 0
 
 [base64decode(1)]
 args = afield
-definition = eval $afield$=null() | search ```As per https://docs.splunk.com/Documentation/Splunk/latest/Report/Createandeditreports usernames/apps can be base64 encrypted, remove the eval when ready to use this...decrypt2 (splunkbase) can be used to decrypt with (remove the backslashes): eval $afield$=$afield$ . \"===\" | decrypt field=$afield$ atob emit('$afield$')```
+definition = eval $afield$=null() ```As per https://docs.splunk.com/Documentation/Splunk/latest/Report/Createandeditreports usernames/apps can be base64 encrypted, remove the eval when ready to use this...decrypt2 (splunkbase) can be used to decrypt with (remove the backslashes): eval $afield$=$afield$ . "===" | decrypt field=$afield$ atob emit('$afield$')```
 iseval = 0
 
 [dashboard_depends_filter1]
 definition = ""
 iseval = 0
 
 [dashboard_depends_filter2]
-definition = search ```potentially a where clause to only filter when a certain number of tokens exist...```
+definition = ```potentially a where clause to only filter when a certain number of tokens exist...``` ""
 iseval = 0
 
 [dashboard_depends_filter3]
-definition = search ```potentially a where clause to only filter when a certain number of tokens were matched or similar...```
+definition = ```potentially a where clause to only filter when a certain number of tokens were matched or similar...``` ""
 iseval = 0
 
 [splunkadmins_wineventlog_index]
@@ -800,7 +800,7 @@ definition = eval definition=null(), datamodel3=null(), datamodel1=null(), datam
 | lookup splunkadmins_datamodels datamodel AS datamodel_res, splunk_server OUTPUTNEW definition\
 | nomv definition \
 | eval definition=" " . definition . " "\
-| search ```While an mvmap could replace per-datamodel that results in a multivalue output. Also replace doesn't handle a multivalued replacement argument so just replace the first macro if it exists with the definitions of all the datamodels``` \
+  ```While an mvmap could replace per-datamodel that results in a multivalue output. Also replace doesn't handle a multivalued replacement argument so just replace the first macro if it exists with the definitions of all the datamodels``` \
 | eval search=if(isnotnull(datamodel_res),replace(search,mvindex(datamodel_res,0),definition),search)
 iseval = 0