
Releases: gjanders/SplunkAdmins

4.0.10

06 Jun 01:55


Updated alerts:

  • SearchHeadLevel - KVStore Or Conf Replication Issues Are Occurring - corrected a typo in the macro name, thanks to #26

Updated reports:

  • SearchHeadLevel - macros in use - added app context

4.0.9

30 May 08:23


New reports:

  • SearchHeadLevel - KV Store collections replicated size

Updated macros:

  • splunkadmins_audit_logs_macro_sub - this is the former v8 version, renamed; added an mvfilter to avoid matching invalid macro names
  • splunkadmins_audit_logs_datamodel_sub - no longer substitutes when no definition exists

Updated reports/alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - additional criteria
  • SearchHeadLevel - KVStore Or Conf Replication Issues Are Occurring - correct to use searchheadhosts macro
  • SearchHeadLevel - platform_stats access summary - rewritten to include audit.log entries to catch all savedsearch calls
  • SearchHeadLevel - macros in use - added splunkd_access logs for indirect macro usage (not via search directly)

Removed macros:

  • splunkadmins_audit_logs_macro_sub_v8

All searches:

  • Links to answers.splunk.com updated with community.splunk.com links
  • Links to docs.splunk.com replaced with links to help.splunk.com
  • Descriptions updated for most reports and alerts

Deprecated reports/alerts:

  • ForwarderLevel - SSL Errors In Logs (Potential Universal Forwarder and License Issue)
  • IndexerLevel - Buckets rolling more frequently than expected
  • IndexerLevel - S2SFileReceiver Error
  • SearchHeadLevel - SHCluster Artifact Replication Issues

4.0.8

21 Apr 23:39


Updated reports/alerts:

  • AllSplunkEnterpriseLevel - Email Sending Failures - excluded pkg_resources as mentioned on community slack
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - additional criteria
  • SearchHeadLevel - KVStore Or Conf Replication Issues Are Occurring - updated criteria and included HF into the search scope
  • SearchHeadLevel - macros in use - updated comment

4.0.7

18 Feb 02:16


Updated reports:

  • SearchHeadLevel - SmartStore cache misses - combined - added a missing \ (thanks to @barrettnet)

4.0.6

10 Dec 08:05


New macros:

  • indexes_extraction(1) - to extract indexes from search logs

Updated reports/alerts:

  • AllSplunkEnterpriseLevel - Splunkd Crash Logs Have Appeared in Production - updated based on email feedback to use sourcetype (as source matching needed wildcards)
  • IndexerLevel - Slow peer from remote searches - corrected comment in search only
  • SearchHeadLevel - Search Queries summary exact match
  • SearchHeadLevel - Search Queries summary non-exact match
  • SearchHeadLevel - SmartStore cache misses - dashboards
  • SearchHeadLevel - SmartStore cache misses - savedsearches
  • SearchHeadLevel - SmartStore cache misses - combined
  • SearchHeadLevel - Datamodel REST endpoint indexes in use
  • SearchHeadLevel - indexes per savedsearch
  • SearchHeadLevel - Indexes for savedsearch without subsearches
  • SearchHeadLevel - indexes per dashboard

Updated reports/alerts (savedsearch_name extraction):

  • AllSplunkEnterpriseLevel - Splunk Scheduler excessive delays in executing search
  • AllSplunkEnterpriseLevel - sendmodalert errors
  • SearchHeadLevel - Alerts that have not fired an action in X days
  • SearchHeadLevel - Scheduled Search Efficiency

These now extract savedsearch_name differently, since savedsearch titles can contain double quotes.
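The double-quotes-in-title problem behind the change above, shown as an added Python illustration rather than the app's own SPL: the log lines below are constructed and only loosely follow the audit.log and scheduler.log layouts, and both regexes are assumptions of this example, not the app's macros. The point is that anchoring on the first quote inside the value truncates such titles, while anchoring on what terminates the field does not.

```python
import re

# Constructed lines loosely modelled on Splunk audit.log and scheduler.log;
# not real log data and not taken from the SplunkAdmins app. The second and
# third titles contain double quotes, the case the 4.0.6 notes call out.
SAMPLE_LINES = [
    "Audit:[timestamp=06-10-2025 10:00:00.000, user=admin, action=search, info=granted , "
    "search_id='scheduler__admin__search__RMD5aaa', search='search index=_internal | head 1', "
    'savedsearch_name="Errors per host"]',
    "Audit:[timestamp=06-10-2025 10:05:00.000, user=admin, action=search, info=granted , "
    "search_id='scheduler__admin__search__RMD5bbb', search='search index=main \"login failed\"', "
    'savedsearch_name="Failed logins for "prod" hosts"]',
    '2025-06-10 10:10:00.000 INFO  SavedSplunker - savedsearch_id="nobody;search;Daily ops summary", '
    'user="admin", app="search", savedsearch_name="Daily "ops" summary", priority=default, status=success',
]

# Naive form: stops at the first quote inside the value, so a title containing
# a double quote is cut short (Splunk's automatic KV extraction has the same limit).
NAIVE = re.compile(r'savedsearch_name="([^"]*)"')

# Robust form: anchor on what can end the field instead of on the value itself:
# either the record's closing "]" at end of line (audit.log) or the next
# ", key=" pair (scheduler.log). The value may then contain any number of quotes.
ROBUST = re.compile(r'savedsearch_name="(.*?)"(?=\]$|,\s+\w+=)')


def savedsearch_name_naive(line: str):
    m = NAIVE.search(line)
    return m.group(1) if m else None


def savedsearch_name(line: str):
    m = ROBUST.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(savedsearch_name_naive(line)), "->", repr(savedsearch_name(line)))
```

The same idea carries over to an SPL `rex`: match lazily up to a closing quote that is followed by the field terminator, not up to the first closing quote.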

4.0.5

13 Oct 09:13


New alerts:

  • AllSplunkEnterpriseLevel - Splunk servers with resource starvation v2

New reports:

  • SearchHeadLevel - indexes per dashboard

Updated reports/alerts:

  • AllSplunkEnterpriseLevel - Splunk Servers with resource starvation - reference to new version
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - additional criteria
  • IndexerLevel - Slow peer from remote searches - updated regex for Splunk 9.4 and above
  • IndexerLevel - RemoteSearches Indexes Stats Wildcard - updated regex for Splunk 9.4 and above
  • IndexerLevel - RemoteSearches Indexes Stats - updated regex for Splunk 9.4 and above
  • SearchHeadLevel - Excessive REST API usage - added semantic jobs endpoints
  • SearchHeadLevel - platform_stats.remote_searches metrics populating search
  • SearchHeadLevel - platform_stats access summary - added semantic jobs endpoints
  • SearchHeadLevel - SHC Captain unable to establish common bundle - additional criteria
  • SearchHeadLevel - Search Messages admins only - additional criteria

4.0.4

12 Apr 06:26


Updated alert:

  • AllSplunkEnterpriseLevel - Email Sending Failures - to exclude a 9.3.3 warning

Updated macro:

  • search_type_from_sid - for subsearches

Updated reports:

  • SearchHeadLevel - Lookup file owners - description/comment update
  • SearchHeadLevel - Detect lookups that have not been accessed for a period of time - description/comment update

4.0.3

22 Feb 04:39


New reports:

  • SearchHeadLevel - Datamodel access summary

Updated alerts:

  • AllSplunkEnterpriseLevel - File integrity check failure - removed wildcard, feedback from Gregg Woodcock
  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - removed extra "AND", feedback from Gregg Woodcock

Updated reports:

  • SearchHeadLevel - Accelerated DataModels Access Info - updated description
  • SearchHeadLevel - Datamodel REST endpoint indexes in use - corrected index IN multivalued extraction
  • SearchHeadLevel - indexes per savedsearch - corrected index IN multivalued extraction
  • SearchHeadLevel - Indexes for savedsearch without subsearches - corrected index IN multivalued extraction
  • SearchHeadLevel - Lookups within savedsearches - included the action.lookup.filename
  • SearchHeadLevel - Search Queries summary exact match - corrected index IN multivalued extraction
  • SearchHeadLevel - Search Queries summary non-exact match - corrected index IN multivalued extraction
  • SearchHeadLevel - SmartStore cache misses - dashboards - corrected index IN multivalued extraction
  • SearchHeadLevel - SmartStore cache misses - savedsearches - corrected index IN multivalued extraction
  • SearchHeadLevel - SmartStore cache misses - combined - corrected index IN multivalued extraction

4.0.2

16 Dec 03:58


Updated alerts:

  • MonitoringConsole - one or more servers require configuration automated - added a missing comma, issue #25 (thanks to barrettnet)
  • SearchHeadLevel - Detect MongoDB errors - included warning level entries

Updated dashboards:

  • indexer_max_data_queue_sizes_by_name - improved replication panel
  • indexer_max_data_queue_sizes_by_name_v8 - improved replication panel

Updated reports:

  • SearchHeadLevel - indexes per savedsearch - updated regex for union/set/multisearch
  • SearchHeadLevel - Search Queries summary exact match - updated regex for union/set/multisearch
  • SearchHeadLevel - Search Queries summary non-exact match - updated regex for union/set/multisearch
  • SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs - updated regex, rewrote search to find map, join, appendcols and other commands
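Several entries on this page concern pulling index names out of recorded search strings: the indexes_extraction(1) macro in 4.0.6, the index IN multivalued fix in 4.0.3, and the union/set/multisearch regex update in 4.0.2. The app does this with SPL rex and macros; as an added illustration that is not the app's code, the Python below applies the same idea to a handful of constructed search strings. The sample searches and both regexes are this example's own assumptions, not the app's definitions, and it goes slightly beyond the notes by handling bare, double-quoted and single-quoted values in one pattern.

```python
import re

# Constructed sample SPL strings (not from the app or from real search logs).
SAMPLE_SEARCHES = [
    'search index=_internal sourcetype=splunkd log_level=ERROR',
    'search index="main" OR index=security | stats count',
    'search index IN (web, "proxy", fw*) status=500',
    '| multisearch [search index=a] [search index=b] | stats count',
    '| union [search index=c] [search index IN (d,e)]',
    'search sourcetype=foo | stats count',   # no index term at all
]

# index=<value>: the value may be double-quoted, single-quoted or bare. A bare
# value stops at whitespace, a pipe or a closing bracket/paren so that
# "[search index=a]" inside union/multisearch/subsearches is handled.
INDEX_EQ = re.compile(r'\bindex\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s|\])]+))', re.IGNORECASE)
# index IN (a, "b", c*): one search term that names several indexes, which is
# the multivalued case the 4.0.3 notes refer to.
INDEX_IN = re.compile(r'\bindex\s+in\s*\(([^)]*)\)', re.IGNORECASE)


def extract_indexes(search: str) -> list[str]:
    """Distinct index names referenced in a search, in order of first appearance.

    Wildcards are kept as written. Exclusions such as "NOT index=x" are still
    reported, because the index is still referenced by the search.
    """
    hits: list[tuple[int, str]] = []
    for m in INDEX_EQ.finditer(search):
        value = next(g for g in m.groups() if g is not None)
        hits.append((m.start(), value))
    for m in INDEX_IN.finditer(search):
        for item in m.group(1).split(','):
            hits.append((m.start(), item.strip().strip('"\'')))
    seen: set[str] = set()
    out: list[str] = []
    for _, name in sorted(hits, key=lambda h: h[0]):   # stable sort keeps IN order
        name = name.lower()                            # Splunk index names are lower-case
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def indexes_per_search(searches: list[str]) -> dict[str, list[str]]:
    """Map each search string to the indexes it references (empty list if none)."""
    return {s: extract_indexes(s) for s in searches}


if __name__ == "__main__":
    for search, idx in indexes_per_search(SAMPLE_SEARCHES).items():
        print(f"{idx!r:30} <- {search}")
```

An empty result is worth reporting rather than dropping: a search with no index term runs against the role's default indexes, which is exactly the kind of search the SmartStore cache-miss and indexes-per-savedsearch reports want to surface.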

4.0.1

17 Nov 02:52


New dashboard:
  • heavy_forwarder_analysis - as found in the conf24 presentation PLA1509B

New reports:

  • SearchHeadLevel - Job performance data per indexer handoff time
  • SearchHeadLevel - KVStore collection size
  • SearchHeadLevel - Savedsearches with schedules and no next_scheduled_time

Updated alerts:

  • AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only - search updates
  • AllSplunkEnterpriseLevel - Email Sending Failures - added app context
  • IndexerLevel - These Indexes Are Approaching The warmDBCount limit - added datatype=all argument
  • IndexerLevel - Cold data location approaching size limits - added datatype=all argument
  • IndexerLevel - Unclean Shutdown - Fsck - added datatype=all argument
  • SearchHeadLevel - Peer timeouts or authentication issues - updates to use Splunkd source
  • SearchHeadLevel - Splunk alert actions exceeding the max_action_results limit - excluded summary indexing
  • SearchHeadLevel - Scheduled Searches without a configured earliest and latest time - rewrote search for efficiency
  • SearchHeadLevel - Search Messages user level - search updates
  • SearchHeadLevel - Search Messages admins only - search updates

Updated dashboards:

  • splunk_forwarder_output_tuning - updated comments, removed heartbeatFrequency

Updated macros:

  • search_type_from_sid - minor tweaks to regex

Updated reports:

Also updated the navigation menu.