Overview

Details

Search your knowledge objects and track their changes with colourful diffs, all in Splunk!

Search your knowledge objects

This app allows you to search your knowledge objects (searches, props, dashboards, etc) much faster and in much more powerful ways than the "settings" menu in splunk.

Ever wondered where a specific macro is used, be it in searches, dashboards, panels, other macros...?
Ever wondered what is populating this lookup and/or what is using it?
Ever wondered how many searches (or correlation searches) are using datamodel XYZ?
Ever wished that you'd remember which dashboard does that super cool complicated thing you want to do again now so that you can use it as inspiration / copy-and-paste?
Ever getting confused about the search-time configuration sequence and wished you could see all field extractions, aliases, calculations etc applied to a specific sourcetype or by a specific app in the right order?
Ever wanted to use grep in your etc folder?
Frustrated you can't see the eval code for calculated fields in a data model when not an admin?

And so on.

Note that you'll get the most out of this if you know how to write regular expressions.

Change tracking / versioning of all knowledge objects

On top of the above, this app allows you to track all changes to all your knowledge objects. You can see the changes to any knowledge object between any arbitrary dates in colourful diffs.

The changes are for the actual knowledge object as seen by the search head, not for the underlying .conf configuration files. This means for instance that changing the permission of a dashboard from private to shared doesn't look like the private dashboard vanished and an entirely new unrelated one appeared.

Change information is kept in the KV store. Nothing is indexed by splunk, so no consumption of your license.

No need for any third party software (such as git), and no need for access to the backend. This means this works just as well in Splunk Cloud as in Splunk Enterprise.

Is this too good to be true?

Yes and no. No in that this app is incredible value for the effort needed to set it up. That said, a proper implementation should really be done by splunk themselves (https://ideas.splunk.com/ideas/E-I-7) so our hacky approach has limitations.

Proper source control would show who made the change and ideally how (upgrade, GUI, REST, manually, etc), and potentially even allow for a peer review to happen before the change actually takes place in production. We are not aware of a way to do any of that, so this is just tracking changes after they happen.

The changes are polled every 15 minutes, so you might have to wait up to that much to see the latest changes.

Documentation

Please check out the documentation page on my blog.

Release Notes

Version 1.5.0

Nov. 27, 2024

Now searches and track search commands (use Setup dashboard and enable tracking saved search)
New experimental "snapshot" feature allowing to compare selected configuration between independent search heads
New "dashboard use" dashboard showing who is using which dashboard
Diffs are now doing SPL or XML syntax highlighting as appropriate
New XML highlight tool to highlight XML code for copy-pasting in emails, wiki pages, etc, same as the SPL tool.
New macro explorer tool: expand macros in SPL in a granular way

Version 1.4.3

Nov. 20, 2023

ConfManager 1.4.3

New health dashboard to explore the content of KV Stores (to facilitate managing their size)
Historical Command Search dashboard's drilldown now opens searches in the correct app context.
Stop missioncontrol from generating a lot of pointless KV Store collection change events.

Version 1.4.2

Aug. 17, 2023

Version 1.4.2:
Fixed a bug where CM_collections_changes was growing fast with useless entries. Check the health dashboard and if your CM_collections_changes is really big, run this search (time picker can be anything):

| inputlookup CM_collections_changes
| search change=*
| outputlookup CM_collections_changes

Version 1.4.1

Aug. 17, 2023

Version 1.4.1

Fixed the menu, that wasn't including the new dashboards introduced in 1.4.0

Version 1.4.0

July 3, 2023

New tool to diff search results
New tool to diff two versions of any arbirary text
New tool to highlight any arbitrary SPL code
Added "Quick Refresh" dashboard to be able to see very recent changes without delay
Added dashboard to search internal logs for searches that were run by users, including ad-hoc searches
Universal KO Search dashboard now also searches internal logs for ad-hoc searches
Universal KO Search now easier to navigate
New Health dashboard to assess the app's configuration and performance and storage impact
Setup checks if GV-Utils is installed
Added 10 minutes timeout for rest commands
Other bug fixes and minor improvements

Version 1.3.1

May 16, 2023

Fixed bug with the updated field

1,148

Downloads

Share Subscribe

Version

Built by

Gabriel Vasseur

Support

Developer Supported

Contact Developer Questions on Splunk Answers Flag as inappropriate