I was looking for a way to track changes to the Splunk environment for several key configurations with an eye toward reporting to management/accountability groups, environments where more than one person has the ability to make changes, and general change tracking. While setting up a configuration repository with check-ins and check-outs is an ideal state, I wonder how many installations have a baked process for the average-sized Splunk license/deployment. Even if a process exists, what about content created by users? I could see this app being installed with every Splunk deployment given the applicability and that the process used does not incur indexing license cost.

This app tracks elements of the following configs:

- Apps (with a focus on permissions within Splunk)
- Eventtypes
- Indexes
- Macros
- Props
- Roles
- Saved Searches / Reports
- Serverclass (Deployment Server)
- Transforms
- Users

The app is innovative in that macros are used to hold the list of fields for each configuration type. These field lists can then be used not only with the standard table and dedup commands but also as the split-by within stats. That ability was especially key in reusing the large macro used to identify changes. The user can also adjust the reporting period of the main change tracking dashboards, and the macros dynamically adjust the change state to match. For example, if the reporting period is 1 week and a user creates a saved search in the first week and makes a change in the second, the report will show "New" and "Updated" respectively. If the admin changes the report to a 30 day view, that same object would show "New & Updated". The summary report will also show which component the change was in, for example the search, read/write permissions, enabled/disabled, version, whitelist, etc.
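The period-dependent change state described above can be sketched outside Splunk. This is an added example in Python, not the app's macros; the snapshot layout, the field names and the rule that the earliest snapshot marks creation are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample data: periodic snapshots of saved-search configuration.
# Field names (search, disabled, perms_write) are illustrative assumptions.
SNAPSHOTS = [
    (datetime(2023, 12, 1), "daily_license", {"search": "index=_internal", "disabled": "0", "perms_write": "admin"}),
    (datetime(2024, 1, 3), "failed_logins", {"search": "index=auth action=failure", "disabled": "0", "perms_write": "admin"}),
    (datetime(2024, 1, 5), "failed_logins", {"search": "index=auth action=failure", "disabled": "0", "perms_write": "admin"}),
    (datetime(2024, 1, 10), "failed_logins", {"search": "index=auth action=failure | stats count by user", "disabled": "0", "perms_write": "admin"}),
]

# Reporting periods as (start, end) with an exclusive end.
WEEK1 = (datetime(2024, 1, 1), datetime(2024, 1, 8))
WEEK2 = (datetime(2024, 1, 8), datetime(2024, 1, 15))
MONTH = (datetime(2024, 1, 1), datetime(2024, 1, 31))

def change_report(snapshots, period_start, period_end):
    """Return {object: (state, changed_fields)} for objects changed in the period."""
    history = {}
    for ts, name, fields in sorted(snapshots, key=lambda s: s[0]):
        history.setdefault(name, []).append((ts, fields))
    report = {}
    for name, versions in history.items():
        # Assumption: the earliest snapshot of an object marks its creation.
        is_new = period_start <= versions[0][0] < period_end
        changed = set()
        # Compare each snapshot with its predecessor; count only diffs in the period.
        for (_, prev), (ts, cur) in zip(versions, versions[1:]):
            if period_start <= ts < period_end:
                changed |= {k for k in prev.keys() | cur.keys() if prev.get(k) != cur.get(k)}
        if is_new and changed:
            state = "New & Updated"
        elif is_new:
            state = "New"
        elif changed:
            state = "Updated"
        else:
            continue  # untouched in this period, so not reported
        report[name] = (state, sorted(changed))
    return report

if __name__ == "__main__":
    for label, period in (("week 1", WEEK1), ("week 2", WEEK2), ("30 days", MONTH)):
        print(label, change_report(SNAPSHOTS, *period))
```

An object whose first snapshot falls inside the period is reported as new even if it existed before tracking began, so the first run after installation needs a baseline snapshot taken before the reporting window.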

I believe this is an app that every Splunk deployment should have and potentially elements could be baked into the core product.
