Releases: gjanders/SplunkAdmins
2.6.6
2.6.5
New reports:
IndexerLevel - RemoteSearches Indexes Stats Wildcard - example wildcard match for remote_searches.log
SearchHeadLevel - Index list by cluster report - for a list of indexes by indexer cluster
Updated reports:
IndexerLevel - RemoteSearches Indexes Stats - added additional info around bucket cache usage, improved accuracy, provided mcollect example
IndexerLevel - Slow peer from remote searches - added more search types into the list
SearchHeadLevel - Search Queries summary exact match - improved accuracy for append/join/multisearch/set
SearchHeadLevel - Search Queries summary non-exact match - improved accuracy for append/join/multisearch/set
Updated alerts:
AllSplunkEnterpriseLevel - Splunk Servers with resource starvation - as per GitHub issue #12, thanks RahimAbdulla
SearchHeadLevel - Detect MongoDB errors - fixed the alert by re-adding the fillnull into the subsearch
Updated alerts/reports with new search macro for audit logs:
SearchHeadLevel - Users with auto-finalized searches
SearchHeadLevel - Search Queries By Type Audit Logs
SearchHeadLevel - Search Queries By Type Audit Logs macro version
SearchHeadLevel - Search Queries By Type Audit Logs macro version other
SearchHeadLevel - Detect Excessive Search Use - Dashboard - Automated
SearchHeadLevel - platform_stats.audit metrics searches
SearchHeadLevel - platform_stats.audit metrics users
SearchHeadLevel - Searches dispatched as owner by other users
Updated alerts/reports with the (?s) regex modifier, as some logs are now multi-line in 8.2.x (updating just in case):
SearchHeadLevel - Scheduled searches not specifying an index
SearchHeadLevel - User - Dashboards searching all indexes
SearchHeadLevel - Realtime Search Queries in dashboards
SearchHeadLevel - Scheduled searches not specifying an index macro version
SearchHeadLevel - User - Dashboards searching all indexes macro version
SearchHeadLevel - Determine query scan density
SearchHeadLevel - Users with auto-finalized
SearchHeadLevel - Scheduled searches status
SearchHeadLevel - Dashboard refresh intervals
Updated macros:
splunkadmins_audit_logs_macro_sub_v8 - now works in more cases (more output, but less chance of missing a macro)
Updated all dashboards to include the version="1.1" tag as required for new Splunk versions
2.6.4
Updated alerts:
AllSplunkLevel - Splunk forwarders that are not talking to the deployment server - contribution via email (Vincent)
AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - a few new additions
SearchHeadLevel - datamodel errors in splunkd - excluded kvstore shutdown
SearchHeadLevel - Search Messages admins only - new exclusions
Updated dashboard:
issues_per_sourcetype - the Invalid parsed time panel needed another regex - contribution via email (Vincent)
Updated reports:
SearchHeadLevel - Search Queries summary exact match - minor updates, added cache stats, improved accuracy
SearchHeadLevel - Search Queries summary non-exact match - minor updates, added cache stats, improved accuracy
Renamed/replaced reports:
SearchHeadLevel - Search Queries summary exact match 73 - new name is SearchHeadLevel - Search Queries summary exact match
SearchHeadLevel - Search Queries summary non-exact match 73 - new name is SearchHeadLevel - Search Queries summary non-exact match
SearchHeadLevel - Search Queries summary exact match 73 by user - new name is SearchHeadLevel - Search Queries summary exact match by user
SearchHeadLevel - Search Queries summary exact match 73 by index - new name is SearchHeadLevel - Search Queries summary exact match by index
Updates to:
streamfilter.py - corrected a UTF-8 error under Python 3
streamfilterwildcard.py - corrected a UTF-8 error under Python 3
2.6.3
New alert:
SearchHeadLevel - authorize.conf settings will prevent some users from appearing in the UI
Updated alerts:
AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - a few more errors
SearchHeadLevel - Search Messages user level - updated comment, added sid field
SearchHeadLevel - Search Messages admins only - added sid field
SearchHeadLevel - Detect MongoDB errors - added partial flag to remove false alarms (thanks afx)
IndexerLevel - Timestamp parsing issues combined alert - update to provide a list of hosts per sourcetype
Updated dashboards:
detect_excessive_search_use - removed the LDAP query section (as this is environment specific)
issues_per_sourcetype - wording update on title
knowledge_objects_by_app - corrected drilldown link to point to the SplunkAdmins app (thanks Vincent!)
Updated Splunk python SDK to 1.6.15
2.6.2
2.6.1
Two navigation menu items fixed (incorrect alert names) by pull request from EsOsO
New alerts:
SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit - detects if any alert action exceeds the limit and receives truncated results; this is currently a silent failure as per https://ideas.splunk.com/ideas/EID-I-781
Updated alerts:
AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - exclusion for config reload requiring restart
IndexerLevel - Search Failures - comment/description update only (replaced by search messages based alerts)
SearchHeadLevel - Detect MongoDB errors - added missing | symbol as per email update from afx
SearchHeadLevel - Search Messages user level - excluded messages from kvstore initialization and a few others, added macros
SearchHeadLevel - Search Messages admins only - added messages for kvstore unknown status and a few others, added macros
SearchHeadLevel - SHC Captain unable to establish common bundle - excluded indexer shutdown times
SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit - now ignores emails with no results inline (alert now joins with savedsearch info via map), added macro
2.6.0
Various README.md updates
New alerts:
AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - this generic alert is designed to capture a variety of splunkd log messages that warrant further investigation or show an issue exists that should be fixed. This alert is generic and captures many errors.
DeploymentServer - Error Found On Deployment Server - this alert captures deployment server errors; it is more generic than the current alert and designed to catch more scenarios
SearchHeadLevel - Dashboards invalid character in splunkd - this alert finds errors in splunkd related to invalid characters in a dashboard
SearchHeadLevel - savedsearches invalid character in splunkd - this alert finds errors in splunkd related to invalid characters in a saved search
SearchHeadLevel - datamodel errors in splunkd - this alert finds errors related to data models in the splunkd logs
SearchHeadLevel - Search Messages user level - this alert is designed to be combined with an app like sendresults. It searches the Splunk search messages and looks for errors that should be actionable by an end user. This is designed to be a generic alert covering many failure scenarios
SearchHeadLevel - Search Messages admins only - this alert searches the Splunk search messages but is designed to find errors that cannot be fixed by end users; the user level version is for end user level errors
New lookup file:
splunkadmins_rmd5_to_savedsearchname.csv
New reports:
SearchHeadLevel - RMD5 to savedsearch_name lookupgen report - new helper report for translating rmd5 names in the search id back to a report name
SearchHeadLevel - Search Messages field extractor slow - looks for messages about a slow field extractor in the Splunk search messages
Updated macro:
search_type_from_sid - now works with real-time searches
Updated alerts:
AllSplunkLevel - Application Installation Failures From Deployment Manager - updated to handle download failures and use the cluster command
AllSplunkEnterpriseLevel - Email Sending Failures - updated to work with the logging changes in 8.0.x
AllSplunkEnterpriseLevel - Splunk Servers throwing runScript errors - updated to work with the logging changes in 8.0.x
AllSplunkEnterpriseLevel - Splunk Servers with resource starvation - now includes an additional error/warning message
AllSplunkEnterpriseLevel - Replication Failures - now includes more types of knowledge bundle replication issues and uses the cluster command
IndexerLevel - IndexConfig Warnings from Splunk indexers - updated to include error level messages
IndexerLevel - Slow peer from remote searches - updated to remove special double quote characters
IndexerLevel - Peer will not return results due to outdated generation - description updated to refer to AllSplunkEnterpriseLevel - Losing Contact With Master Node
IndexerLevel - Data parsing error - now includes csv and json line breaker errors, now uses stats instead of cluster
SearchHeadLevel - Script failures in the last day - expanded to handle modular alerts and script errors in one alert. Also attempts to translate base64 or encoded report names back to human readable versions
SearchHeadLevel - Macro report - updated crontab to all days of the week
SearchHeadLevel - Users with auto-finalized searches - description update
SearchHeadLevel - Search Queries summary exact match 73 - minor update to deal with real-time searches in the regex
SearchHeadLevel - Search Queries summary non-exact match 73 - minor update to deal with real-time searches in the regex
SearchHeadLevel - SHC Captain unable to establish common bundle - updated to include one more error/warning message
SearchHeadLevel - platform_stats access summary - updated to deal with real-time searches in the regex
SearchHeadLevel - Dashboards using special characters - added ignore for trackme and network diagram viz as these were breaking the rex command, also removed an extra rex line
SearchHeadLevel - splunk_search_messages dispatch - comment update only
SearchHeadLevel - dispatch metadata files may need removal - updated to use macro
SearchHeadLevel - Search Queries summary exact match 73 - description/comment update
SearchHeadLevel - Search Queries summary non-exact match 73 - description/comment update
Renamed alert:
IndexerLevel - Splunk Indexers Losing Contact With Master renamed to AllSplunkEnterpriseLevel - Losing Contact With Master Node; the alert now covers search head to master node and indexers to master node in one alert
Removed alert:
IndexerLevel - Unable to replicate thawed directories in a cluster
2.5.14
2.5.13
Minor update to 2.5.12: added an extra lookup file to attempt to fix AppInspect errors
New alerts:
SearchHeadLevel - splunk_search_messages dispatch
SearchHeadLevel - WLM aborted searches
SearchHeadLevel - dispatch metadata files may need removal
Minor changes to reports:
SearchHeadLevel - Search Queries summary exact match 73
SearchHeadLevel - Search Queries summary non-exact match 73
And macro:
splunkadmins_audit_logs_datamodel_sub
Updated alert:
SearchHeadLevel - Dashboards with all time searches - set to look for earliest= in tokens and to ignore that case
Updated reports:
SearchHeadLevel - Indexer Peer Connection Failures
SearchHeadLevel - Detect searches hitting corrupt buckets
The above were updated to use the splunk_search_messages sourcetype
IndexerLevel - Knowledge bundle upload stats - updated to handle cascading bundle replication
2.5.12
New alerts:
SearchHeadLevel - splunk_search_messages dispatch
SearchHeadLevel - WLM aborted searches
SearchHeadLevel - dispatch metadata files may need removal
Minor changes to reports:
SearchHeadLevel - Search Queries summary exact match 73
SearchHeadLevel - Search Queries summary non-exact match 73
And macro:
splunkadmins_audit_logs_datamodel_sub
Updated alert:
SearchHeadLevel - Dashboards with all time searches - set to look for earliest= in tokens and to ignore that case
Updated reports:
SearchHeadLevel - Indexer Peer Connection Failures
SearchHeadLevel - Detect searches hitting corrupt buckets
The above were updated to use the splunk_search_messages sourcetype
IndexerLevel - Knowledge bundle upload stats - updated to handle cascading bundle replication