
Releases: gjanders/SplunkAdmins

4.0.6

10 Dec 08:05


New macros:

  • indexes_extraction(1) - to extract indexes from search logs

Updated reports/alerts:

  • AllSplunkEnterpriseLevel - Splunkd Crash Logs Have Appeared in Production - updated based on email feedback to use sourcetype (as source matching needed wildcards)
  • IndexerLevel - Slow peer from remote searches - corrected comment in search only
  • SearchHeadLevel - Search Queries summary exact match
  • SearchHeadLevel - Search Queries summary non-exact match
  • SearchHeadLevel - SmartStore cache misses - dashboards
  • SearchHeadLevel - SmartStore cache misses - savedsearches
  • SearchHeadLevel - SmartStore cache misses - combined
  • SearchHeadLevel - Datamodel REST endpoint indexes in use
  • SearchHeadLevel - indexes per savedsearch
  • SearchHeadLevel - Indexes for savedsearch without subsearches
  • SearchHeadLevel - indexes per dashboard

Updated reports/alerts (to extract savedsearch_name, as I found you can have savedsearches with double quotes in the title):

  • AllSplunkEnterpriseLevel - Splunk Scheduler excessive delays in executing search
  • AllSplunkEnterpriseLevel - sendmodalert errors
  • SearchHeadLevel - Alerts that have not fired an action in X days
  • SearchHeadLevel - Scheduled Search Efficiency

4.0.5

13 Oct 09:13


New alerts:

  • AllSplunkEnterpriseLevel - Splunk servers with resource starvation v2

New reports:

  • SearchHeadLevel - indexes per dashboard

Updated reports/alerts:

  • AllSplunkEnterpriseLevel - Splunk Servers with resource starvation - reference to new version
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - additional criteria
  • IndexerLevel - Slow peer from remote searches - updated regex for Splunk 9.4 and above
  • IndexerLevel - RemoteSearches Indexes Stats Wilcard - updated regex for Splunk 9.4 and above
  • IndexerLevel - RemoteSearches Indexes Stats - updated regex for Splunk 9.4 and above
  • SearchHeadLevel - Excessive REST API usage - added semantic jobs endpoints
  • SearchHeadLevel - platform_stats.remote_searches metrics populating search
  • SearchHeadLevel - platform_stats access summary - added semantic jobs endpoints
  • SearchHeadLevel - SHC Captain unable to establish common bundle - additional criteria
  • SearchHeadLevel - Search Messages admins only - additional criteria

4.0.4

12 Apr 06:26


Updated alert:

  • AllSplunkEnterpriseLevel - Email Sending Failures - to exclude a 9.3.3 warning

Updated macro:

  • search_type_from_sid - for subsearches

Updated reports:

  • SearchHeadLevel - Lookup file owners - description/comment update
  • SearchHeadLevel - Detect lookups that have not being accessed for a period of time - description/comment update

4.0.3

22 Feb 04:39


New reports:

  • SearchHeadLevel - Datamodel access summary

Updated alerts:

  • AllSplunkEnterpriseLevel - File integrity check failure - removed wildcard, feedback from Gregg Woodcock
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - removed extra "AND", feedback from Gregg Woodcock

Updated reports:

  • SearchHeadLevel - Accelerated DataModels Access Info - updated description
  • SearchHeadLevel - Datamodel REST endpoint indexes in use - corrected index in multivalued extraction
  • SearchHeadLevel - indexes per savedsearch - corrected index in multivalued extraction
  • SearchHeadLevel - Indexes for savedsearch without subsearches - corrected index in multivalued extraction
  • SearchHeadLevel - Lookups within savedsearches - included the action.lookup.filename
  • SearchHeadLevel - Search Queries summary exact match - corrected index in multivalued extraction
  • SearchHeadLevel - Search Queries summary non-exact match - corrected index in multivalued extraction
  • SearchHeadLevel - SmartStore cache misses - dashboards - corrected index in multivalued extraction
  • SearchHeadLevel - SmartStore cache misses - savedsearches - corrected index in multivalued extraction
  • SearchHeadLevel - SmartStore cache misses - combined - corrected index in multivalued extraction

4.0.2

16 Dec 03:58


Updated alerts:

  • MonitoringConsole - one or more servers require configuration automated - added missing comma (issue #25, thanks to barrettnet)
  • SearchHeadLevel - Detect MongoDB errors - included warning level entries

Updated dashboards:

  • indexer_max_data_queue_sizes_by_name - improved replication panel
  • indexer_max_data_queue_sizes_by_name_v8 - improved replication panel

Updated reports:

  • SearchHeadLevel - indexes per savedsearch - updated regex for union/set/multisearch
  • SearchHeadLevel - Search Queries summary exact match - updated regex for union/set/multisearch
  • SearchHeadLevel - Search Queries summary non-exact match - updated regex for union/set/multisearch
  • SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs - updated regex, rewrote search to find map, join, appendcols and other commands

4.0.1

17 Nov 02:52


New dashboard:

  • heavy_forwarder_analysis - as found in the conf24 presentation PLA1509B

New reports:

  • SearchHeadLevel - Job performance data per indexer handoff time
  • SearchHeadLevel - KVStore collection size
  • SearchHeadLevel - Savedsearches with schedules and no next_scheduled_time

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - search updates
  • AllSplunkEnterpriseLevel - Email Sending Failures - added app context
  • IndexerLevel - These Indexes Are Approaching The warmDBCount limit - added datatype=all argument
  • IndexerLevel - Cold data location approaching size limits - added datatype=all argument
  • IndexerLevel - Unclean Shutdown - Fsck - added datatype=all argument
  • SearchHeadLevel - Peer timeouts or authentication issues - updates to use Splunkd source
  • SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit - excluded summary indexing
  • SearchHeadLevel - Scheduled Searches without a configured earliest and latest time - rewrote search for efficiency
  • SearchHeadLevel - Search Messages user level - search updates
  • SearchHeadLevel - Search Messages admins only - search updates

Updated dashboards:

  • splunk_forwarder_output_tuning - updated comments, removed heartbeatFrequency

Updated macros:

  • search_type_from_sid - minor tweaks to regex

Updated reports:

Also updated the navigation menu.

4.0.0

18 Aug 07:16


  • Merged pull request from sifters relating to replacing comment macro with the triple backtick option introduced in Splunk 8.1. This involved editing many searches to change the format of the comments.

New reports:

  • SearchHeadLevel - configtracker index example2

The version number has moved to 4.0.0 as this change has the potential to introduce issues with the change of comment syntax. I've completed multiple reviews and I believe there should be no broken alerts, but please report them via the "contact the author" option if you find any.

This version removes compatibility with Splunk versions below 8.1 due to the use of the newer comment syntax.

3.0.14

30 Apr 10:19


New reports:

  • SearchHeadLevel - Lookup definitions with no lookup file or kvstore collection
  • SearchHeadLevel - User created kvstore collections
  • SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only
  • SearchHeadLevel - Detect bundle pushes no longer occurring
  • SearchHeadLevel - macros in use
  • SearchHeadLevel - Search Messages user level

Updated reports:

  • SearchHeadLevel - audit.log - lookup usage - added regex as the search field sometimes doesn't auto-extract correctly
  • SearchHeadLevel - Detect lookups that have not being accessed for a period of time - added automatic lookups in
  • SearchHeadLevel - platform_stats access summary - criteria update
  • SearchHeadLevel - Lookup file owners - corrections to ensure that automatic lookups are not included
  • SearchHeadLevel - Search Queries summary non-exact match - minor criteria update

3.0.13

10 Feb 01:56


New reports:

  • IndexerLevel - events per second benchmark
  • IndexerLevel - savedsearches by indexer execution time
  • SearchHeadLevel - indexes per savedsearch
  • SearchHeadLevel - macros in use
  • SearchHeadLevel - Indexes for savedsearch without subsearches
  • SearchHeadLevel - platform_stats.remote_searches metrics populating search 24 hour

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - updated criteria
  • IndexerLevel - RemoteSearches find datamodel acceleration with wildcards - updated regex
  • MonitoringConsole - one or more servers require configuration - changed criteria
  • MonitoringConsole - one or more servers require configuration automated - rewrote the alert
  • SearchHeadLevel - Indexer Peer Connection Failures - updated comments
  • SearchHeadLevel - Detect searches hitting corrupt buckets - updated comments
  • SearchHeadLevel - Users with auto-finalized searches - updated comments
  • SearchHeadLevel - splunk_search_messages dispatch - updated comments
  • SearchHeadLevel - Lookups within savedsearches - corrected URL
  • SearchHeadLevel - Sourcetypes usage from search telemetry data - description update
  • SearchHeadLevel - Jobs endpoint example - updated description
  • SearchHeadLevel - SmartStore cache misses - dashboards - minor update to regex
  • SearchHeadLevel - SmartStore cache misses - combined - minor update to regex
  • SearchHeadLevel - Search Messages field extractor slow - updated comments
  • SearchHeadLevel - Search Messages user level - updated comments
  • SearchHeadLevel - Search Messages admins only - updated criteria and comments

Updated reports:

  • IndexerLevel - RemoteSearches - lookup usage - typo fixed in description
  • IndexerLevel - Report on bucket corruption - updated comments
  • SearchHeadLevel - summary indexing searches not using durable search - corrected REST context
  • SearchHeadLevel - Lookups within savedsearches - corrected REST context
  • SearchHeadLevel - platform_stats.audit metrics users - added v2/v1 endpoints for search/jobs/export
  • SearchHeadLevel - platform_stats.audit metrics api - added v2/v1 endpoints for search/jobs/export
  • SearchHeadLevel - platform_stats.audit metrics users 24hour - added v2/v1 endpoints for search/jobs/export

Updated to use macro splunkadmins_clustermaster_host instead of splunk_server=local:

  • ClusterMasterLevel - Primary bucket count per peer
  • ClusterMasterLevel - excess buckets on master
  • IndexerLevel - ClusterMaster Advising SearchOrRep Factor Not Met

Updated to use macro splunkadmins_restmacro instead of splunk_server=local:

  • IndexerLevel - Indexer replication queue issues to some peers
  • SearchHeadLevel - Alerts that have not fired an action in X days
  • SearchHeadLevel - Accelerated DataModels Access Info
  • SearchHeadLevel - Accelerated DataModels with wildcard or no index specified
  • SearchHeadLevel - authorize.conf settings will prevent some users from appearing in the UI
  • SearchHeadLevel - Data Model Acceleration Completion Status
  • SearchHeadLevel - DataModel Fields
  • SearchHeadLevel - Dashboard refresh intervals
  • SearchHeadLevel - Dashboards using depends and running searches in the background
  • SearchHeadLevel - Dashboards using special characters
  • SearchHeadLevel - Dashboards with all time searches set
  • SearchHeadLevel - Dashboards that may benefit from base or post-process searches
  • SearchHeadLevel - DataModels report
  • SearchHeadLevel - Disabled modular inputs are running
  • SearchHeadLevel - Detect changes to knowledge objects non-directory
  • SearchHeadLevel - EventTypes report
  • SearchHeadLevel - Index access list by user
  • SearchHeadLevel - IndexesPerUser Report
  • SearchHeadLevel - Knowledge bundle status on indexers
  • SearchHeadLevel - Lookup file owners
  • SearchHeadLevel - Lookup CSV size
  • SearchHeadLevel - Macro report
  • SearchHeadLevel - platform_stats.users savedsearches
  • SearchHeadLevel - platform_stats.users dashboards
  • SearchHeadLevel - Saved Searches with privileged owners and excessive write perms
  • SearchHeadLevel - Summary searches using realtime search scheduling
  • SearchHeadLevel - SavedSearches using special characters
  • SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit
  • SearchHeadLevel - summary indexing searches not using durable search
  • SearchHeadLevel - Tags report

Other macro updates:

  • DeploymentServer - Count by application

3.0.12

24 Dec 05:49


New alerts:

  • MonitoringConsole - one or more servers require configuration
  • MonitoringConsole - one or more servers require configuration automated
  • SearchHeadLevel - Peer timeouts or authentication issues

New macros:

  • splunkadmins_macro_sub

New reports:

  • SearchHeadLevel - Datamodel REST endpoint indexes in use
  • SearchHeadLevel - Job performance data per indexer
  • SearchHeadLevel - Jobs endpoint example
  • SearchHeadLevel - configtracker index example

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more criteria
  • SearchHeadLevel - Search Messages user level - more criteria
  • SearchHeadLevel - Search Messages admins only - more criteria

Updated dashboards:

  • splunk_forwarder_output_tuning - to reference NLB/load balanced version of asynchronous forwarding

Updated macros:

  • whataccessdoihave - comments and added srchIndexesDisallowed

Updated reports:

  • SearchHeadLevel - IndexesPerRole Remote Report - comment updates only
  • SearchHeadLevel - Lookup file owners - comment updates only

Alerts added to future removal list:

  • ClusterMasterLevel - Per index status

Updated to use splunkadmins_macro_sub macro:

  • SearchHeadLevel - Dashboards with all time searches set
  • SearchHeadLevel - Scheduled searches not specifying an index macro version
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version other
  • SearchHeadLevel - Search Queries summary exact match
  • SearchHeadLevel - Search Queries summary non-exact match
  • SearchHeadLevel - User - Dashboards searching all indexes macro version

Misc:

  • Added supported themes settings in app.conf to allow the usage of dark theme (for 9.1 enterprise users and above)