Updated alerts:

- `AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192` - missing parenthesis, thanks Gregg Woodcock
- `IndexerLevel - replicationdatareceiverthread close to 100% utilisation` - incorrect macro
- `MonitoringConsole - Crash logs have appeared on the filesystem` - incorrect macro, github issue #22, thanks SANSd20

Added lookup file:
- `splunkadmins_indexlist_by_cluster.csv`

Author: gjanders

README.md

@@ -322,6 +322,15 @@ The following ideas relate to this issue:
 Feel free to open an issue on github or use the contact author on the SplunkBase link and I will try to get back to you when possible, thanks!
 
 ## Release Notes
+### 3.0.11
+Updated alerts:
+- `AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192` - missing parenthesis, thanks Gregg Woodcock
+- `IndexerLevel - replicationdatareceiverthread close to 100% utilisation` - incorrect macro
+- `MonitoringConsole - Crash logs have appeared on the filesystem` - incorrect macro, github issue #22, thanks SANSd20
+
+Added lookup file:
+- `splunkadmins_indexlist_by_cluster.csv`
+
 ### 3.0.10
 - `SearchHeadLevel - audit.log - lookup usage` - correcting issue #21 (thanks @barrettnet)
 

default/app.conf

@@ -12,7 +12,7 @@ label = SplunkAdmins
 [launcher]
 author = Gareth Anderson
 description = Alerts and dashboards as described in the Splunk 2017 conf presentation How did you get so big?
-version = 3.0.10
+version = 3.0.11
 
 [package]
 id = SplunkAdmins

default/savedsearches.conf

@@ -130,7 +130,7 @@ request.ui_dispatch_app = SplunkAdmins
 request.ui_dispatch_view = search
 search = `comment("Any Splunk enterprise servers running less than 64000 file descriptors can result in a crash, therefore we watch the ulimit numbers on startup")` \
 `comment("You could do | rest /services/server/sysinfo | table ulimit* or similar but that will not cover all Splunk enterprise servers that are in the _internal index...")`\
-index=_internal ("ulimit" "open files:") OR ("fd limit" "lower") ( `splunkenterprisehosts` sourcetype=splunkd (`splunkadmins_splunkd_source`) \
+index=_internal ("ulimit" "open files:") OR ("fd limit" "lower") ( `splunkenterprisehosts` sourcetype=splunkd (`splunkadmins_splunkd_source`) ) \
 | rex "(?P<nooffiles>\d+) files" \
 | where nooffiles<64000 OR searchmatch("fd limit")\
 | fields _time, _raw, host
@@ -7347,7 +7347,7 @@ request.ui_dispatch_app = SplunkAdmins
 request.ui_dispatch_view = search
 search = index=_internal source=*crash.log \
 | stats count by source, host, sourcetype \
-| eval indexer_cluster=`indexer_cluster(host)` \
+| eval indexer_cluster=`indexer_cluster_name(host)` \
 | eval search_head=host \
 | eval search_head_cluster=`search_head_cluster` \
 | eval env=if(indexer_cluster==host,search_head_cluster,indexer_cluster) \
@@ -7571,7 +7571,7 @@ search = index=_internal sourcetype=splunkd `splunkadmins_metrics_source` group=
 | eventstats count(eval(count>1)) AS continuous_count by host\
 | where continuous_count>3\
 | fields - count\
-| eval indexer_cluster=`indexer_cluster(host)`
+| eval indexer_cluster=`indexer_cluster_name(host)`
 disabled = 1
 
 [SearchHeadLevel - Accelerated DataModels Access Info]

lookups/splunkadmins_indexlist_by_cluster.csv

@@ -0,0 +1 @@
+indexer_cluster,index