Releases: gjanders/SplunkAdmins

3.0.12

24 Dec 05:49

New alerts:

  • MonitoringConsole - one or more servers require configuration
  • MonitoringConsole - one or more servers require configuration automated
  • SearchHeadLevel - Peer timeouts or authentication issues

New macros:

  • splunkadmins_macro_sub

New reports:

  • SearchHeadLevel - Datamodel REST endpoint indexes in use
  • SearchHeadLevel - Job performance data per indexer
  • SearchHeadLevel - Jobs endpoint example
  • SearchHeadLevel - configtracker index example

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more criteria
  • SearchHeadLevel - Search Messages user level - more criteria
  • SearchHeadLevel - Search Messages admins only - more criteria

Updated dashboards:

  • splunk_forwarder_output_tuning - to reference NLB/load balanced version of asynchronous forwarding

Updated macros:

  • whataccessdoihave - comments and added srchIndexesDisallowed

Updated reports:

  • SearchHeadLevel - IndexesPerRole Remote Report - comment updates only
  • SearchHeadLevel - Lookup file owners - comment updates only

Alerts added to future removal list:

  • ClusterMasterLevel - Per index status

Updated to use splunkadmins_macro_sub macro:

  • SearchHeadLevel - Dashboards with all time searches set
  • SearchHeadLevel - Scheduled searches not specifying an index macro version
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version other
  • SearchHeadLevel - Search Queries summary exact match
  • SearchHeadLevel - Search Queries summary non-exact match
  • SearchHeadLevel - User - Dashboards searching all indexes macro version

Misc:

  • Added supported themes settings in app.conf to allow use of the dark theme (Splunk Enterprise 9.1 and above)

3.0.11

08 Nov 22:27

Updated alerts:

  • AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192 - missing parenthesis, thanks Gregg Woodcock
  • IndexerLevel - replicationdatareceiverthread close to 100% utilisation - incorrect macro
  • MonitoringConsole - Crash logs have appeared on the filesystem - incorrect macro, github issue #22, thanks SANSd20

Added lookup file:

  • splunkadmins_indexlist_by_cluster.csv

3.0.10

12 Sep 06:01

Updates:

  • SearchHeadLevel - audit.log - lookup usage - correcting issue #21 (thanks @barrettnet)

3.0.9

11 Sep 04:52

In version 3.0.8 the lookup file splunkadmins_hec_reply_code_lookup.csv was updated based on gettingsmarter (GitHub repo). The updated lookup was created by @jgedeon and additionally includes some health endpoint return codes (as well as those returned by the standard HEC endpoint).

Updated alerts:

  • SplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more criteria
  • SearchHeadLevel - Scheduled Searches That Cannot Run - correcting issue #20 (thanks @barrettnet)

Updated reports:

  • SearchHeadLevel - Search Queries summary exact match - added provenance
  • SearchHeadLevel - Search Queries summary non-exact match - added provenance
  • SearchHeadLevel - audit.log - lookup usage - updated to handle mlspl files as well (apply command)
  • SearchHeadLevel - Lookup file owners - now includes an additional join that can be used if TA-webtools is installed (to improve accuracy/exclude default lookup definitions/files)

New reports:

  • SearchHeadLevel - Detect lookups that have not being accessed for a period of time
  • SearchHeadLevel - Lookup Editor lookup updates
  • SearchHeadLevel - Lookups within dashboards
  • SearchHeadLevel - Lookups within savedsearches
  • SearchHeadLevel - REST API usage via audit.log

3.0.8

28 Aug 02:41

New alerts:

  • SearchHeadLevel - summary indexing searches not using durable search

New macros:

  • indexer_cluster_name without any parameters created as per issue #19 (barrettnet)

New reports:

  • SearchHeadLevel - audit.log - lookup usage
  • SearchHeadLevel - license usage per sourcetype per index
  • SearchHeadLevel - Lookup file owners
  • IndexerLevel - RemoteSearches - lookup usage

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more matching criteria
  • SearchHeadLevel - Scheduled Searches That Cannot Run - as per issue #18 (AHCL1)
  • SearchHeadLevel - SHC Captain unable to establish common bundle - additional exclusion for Splunk 9.0.x

Updated reports:

  • IndexerLevel - platform_stats.indexers totalgb measurement - added * to the end of license_usage.log, updated indexer_cluster_name with parameter as per issue #19 (barrettnet)
  • IndexerLevel - platform_stats.indexers totalgb_thruput measurement - updated indexer_cluster_name with parameter as per issue #19 (barrettnet)
  • SearchHeadLevel - Search Queries summary exact match - removed newlines to improve accuracy
  • SearchHeadLevel - Search Queries summary non-exact match - removed newlines to improve accuracy

Updated recommended links in nav menu

3.0.7

29 Jun 02:43

New macros:

  • sysloghosts

New reports:

  • SearchHeadLevel - Knowledge Bundle contents
  • syslog-ng - cache statistics summary - as contributed by Marc Andersen, company: NIL815 ApS

Updated dashboards:

  • splunk_forwarder_output_tuning - added fillnull for ingest_pipe

Updated alerts:

  • AllSplunkLevel - No recent metrics.log data - updated to use prestats
  • AllSplunkLevel - TCP Output Processor has paused the data flow - updated criteria
  • AllSplunkEnterpriseLevel - ulimit on Splunk enterprise servers is below 8192 - now 64,000 (could be renamed in future)
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - updated criteria
  • ForwarderLevel - Splunk universal forwarders with ulimit issues - updated keywords
  • SearchHeadLevel - Scheduled Searches That Cannot Run - excluded the require command
  • SearchHeadLevel - Detect MongoDB errors - updated to use prestats, added _time field
  • SearchHeadLevel - SHC Captain unable to establish common bundle - added new criteria
  • SearchHeadLevel - Search Messages user level - updated criteria

3.0.6

07 Jun 08:19

Updated dashboards:

  • Splunk forwarder output tuning - added fillnull ingest_pipe

Updated reports/alerts:

  • SearchHeadLevel - Dashboards using special characters - updated to use spath command instead of rex
  • SearchHeadLevel - Search Messages user level - excluded require command
  • IndexerLevel - RemoteSearches find all time searches - removed keyword

On reports/alerts:

  • IndexerLevel - RemoteSearches Indexes Stats
  • IndexerLevel - RemoteSearches Indexes Stats Wilcard
  • IndexerLevel - Slow peer from remote searches
  • IndexerLevel - SmartStore cache misses - remote_searches
  • SearchHeadLevel - platform_stats.remote_searches metrics populating search

Updated keywords to terminated: or closed: (previously terminated)

On reports/alerts:

  • SearchHeadLevel - Detect Excessive Search Use - Dashboard - Automated
  • SearchHeadLevel - platform_stats.audit metrics searches
  • SearchHeadLevel - platform_stats.audit metrics users
  • SearchHeadLevel - platform_stats.audit metrics users 24hour
  • SearchHeadLevel - Search Queries By Type Audit Logs
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version
  • SearchHeadLevel - Search Queries By Type Audit Logs macro version other
  • SearchHeadLevel - Searches dispatched as owner by other users
  • SearchHeadLevel - SmartStore cache misses - dashboards
  • SearchHeadLevel - SmartStore cache misses - savedsearches
  • SearchHeadLevel - SmartStore cache misses - combined
  • SearchHeadLevel - Users with auto-finalized searches

Removed regex:
| rex "(?s)^(?:[^'\n]*'){4},\s+\w+='(?P<search>[\s\S]+)'\]($|\[[^\]]+\]$)"

Removed because it was causing issues with max_matches; newer Splunk versions appear to match the search field accurately without this regex.

3.0.5

06 May 00:06

New alerts:

  • IndexerLevel - Connection errors to SmartStore

New reports:

  • SearchHeadLevel - Sourcetypes usage from search telemetry data

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - more matching criteria
  • ForwarderLevel - Data dropping duration - comment update
  • SearchHeadLevel - Search Queries summary exact match - regex updates and 1 regex removal
  • SearchHeadLevel - Search Queries summary non-exact match - regex updates and 1 regex removal

Updated macro:

  • splunkadmins_metrics_source - corrected to include source=

Removed app.manifest file

3.0.4

04 Mar 04:58

Removed the app.manifest file. Release notes from 3.0.3:

New alerts:

  • IndexerLevel - Buckets have being frozen due to index sizing SmartStore

Updated alerts:

  • AllSplunkEnterpriseLevel - Replication Failures - comment update
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - additional criteria and removed SHC restart times
  • IndexerLevel - Buckets have being frozen due to index sizing - comment update only
  • IndexerLevel - IndexConfig Warnings from Splunk indexers - additional criteria
  • SearchHeadLevel - Script failures in the last day
  • SearchHeadLevel - KVStore Or Conf Replication Issues Are Occurring
  • SearchHeadLevel - SavedSearches using special characters
  • SearchHeadLevel - Search Messages user level - removed some messages from the alert

3.0.3

04 Mar 03:57

New alerts:

  • IndexerLevel - Buckets have being frozen due to index sizing SmartStore

Updated alerts:

  • AllSplunkEnterpriseLevel - Replication Failures - comment update
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - additional criteria and removed SHC restart times
  • IndexerLevel - Buckets have being frozen due to index sizing - comment update only
  • IndexerLevel - IndexConfig Warnings from Splunk indexers - additional criteria
  • SearchHeadLevel - Script failures in the last day
  • SearchHeadLevel - KVStore Or Conf Replication Issues Are Occurring
  • SearchHeadLevel - SavedSearches using special characters
  • SearchHeadLevel - Search Messages user level - removed some messages from the alert