Release notes ############# Version 2.0.65 - build 1698103284 (24/10/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: e14d7b9e4e198cf79680c2ea6dd598ab3b2b58450077127bc3dbba4f4bedd728 **Fixed issues:** - trackme-limited/trackme-report-issues#324 - bug - Data Hosts tracking (splk-dhm) - regression on alias value definition at discovery #324 - trackme-limited/trackme-report-issues#325 - bug - Ack - wrong audit message #325 - trackme-limited/trackme-report-issues#326 - bug - Flex Objects library - error in default cron schedule for lastchanceindex use case #326 - trackme-limited/trackme-report-issues#327 - bug - Data Sources tracking (splk-dsm) - If adding host in the custom break by field, the hybrid tracker incorrectly defines entities #327 Version 2.0.64 - build 1698044829 (23/10/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 2a0981f700bf2d3c759bb37839578e35876dd5aa7947b17aaf0f15b30d3b816e **Fixed issues:** - trackme-limited/trackme-report-issues#317 - bug - Data Sources/Data Hosts tracking (splk-dsm/splk-dhm) - fix discrepency between banner delay and single form delay as well as the Tabulator delay (ensures last delay is refreshed against now) #317 - trackme-limited/trackme-report-issues#318 - bug - Data Hosts tracking (splk-dhm) - Issue in the offline abstract macro called by the health tracker (execution fails due to missing pipe when called) #318 - trackme-limited/trackme-report-issues#320 - bug - Data Hosts tracking (splk-dhm) - Alias is not correctly persisted when the entity goes out of the trackers range #320 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#319 - change - Data Sources/Hosts tracking (splk-dsm/splk-dhm) - decomission the delayed entities tracker which features are now better handled by the health tracker #319 - trackme-limited/trackme-report-issues#321 - enhancement - Data Sources/Hosts tracking (splk-dsm/splk-dhm) - maintain the generation of the delay metric (lag_event_sec) when entities are out of the range of trackers #321 - trackme-limited/trackme-report-issues#322 - enhancement - Data Sources / Data Hosts tracking (splk-dsm/splk-dhm) - Extend the auto-lagging screen to include both ingest latency and delay concepts #322 - trackme-limited/trackme-report-issues#323 - enhancement - Data Sources/Hosts tracking - show the delay metric (lag_event_sec) in the overview timechart #323 Version 2.0.63 - build 1697650503 (18/10/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 1c506fe8b6535228631f8e5c72a817bb00e0a6fac7da886912e30c9932fb2ce6 **Fixed issues:** - trackme-limited/trackme-report-issues#310 - bug - ML Outliers - Avoid generating an error message when attemping to load the period of exclusion if not a list (add safety) #310 - trackme-limited/trackme-report-issues#313 - bug - Workload (splk-wml) - TrackMe should not attempt to perform replacement for app stanza criterias any more if target is remote as these are now explicit in the creation process #313 - trackme-limited/trackme-report-issues#314 - bug - Ingest - Since the migration to INGEST_EVAL in 2.0.60, some expected key indexed fields in trackme:state and others are not indexed any longer #314 - trackme-limited/trackme-report-issues#315 - bug - SmartStatus - ingested alert actions are lacking the tenant_id and object_category fields, breaking the indexed key consistency scheme in TrackMe #315 - trackme-limited/trackme-report-issues#316 - bug - Fix splunkd WARN message "with request data but no Content-Type: header; not parsing POST arguments" #316 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#311 - feature - Allow defining the default sharing level (app or global) when TrackMe creates or manages Splunk Knowledge Objects #311 - trackme-limited/trackme-report-issues#312 - change - INGEST_EVAL - Add a safety fail back condition for ingest evals defining the index target #312 Version 2.0.62 - build 1697551318 (17/10/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: b2f8e6fb03716ce1d9950ca39be0d40c6ded740e7a64035fcf34ef2a3cc9ea24 **Fixed issues:** - trackme-limited/trackme-report-issues#303 - TrackMe bug report - Hybrid Tracker cron no applied in the report schedule #303 - trackme-limited/trackme-report-issues#307 - bug - ML Outliers - Auto Correct should not allow lowerBound and upperBound to be equals #307 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#306 - change - Dark theme compatibility - Enable dark theme compatibility in app.conf #306 - trackme-limited/trackme-report-issues#305 - change - ML Outliers - Disable by default the generation of the latency based model for Feeds which is not a great candidate in most of the use cases #305 - trackme-limited/trackme-report-issues#308 - enhancement - ML Outliers - inherit earliest and latest from the time range picker rather than explicitely for the ML rendering commands #308 - trackme-limited/trackme-report-issues#309 - feature - ML Outliers - Capability to add or delete a period of time for exclusions in the ML models training #309 Version 2.0.61 - build 1697150459 (12/10/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** .. note:: **Inheritance support for RBAC** - This release introduces support for roles inheritance for RBAC in TrackMe - Virtual Tenants are Splunk Remote Accounts can be accessed, managed and administrated by inheriting roles according to your configuration - SHA256: ad69875eba15dd7680add23d5fba72131916ea04ec862d04df3479fd9e56bf21 **Fixed issues:** - trackme-limited/trackme-report-issues#294 - bug - Workload / Flex Objects - When more than a single Outliers model is in anomaly, the status_message comes back null as the macro did not expect the multivalue nature of these fields #294 - trackme-limited/trackme-report-issues#300 - bug - SLIM Packing for Splunk Cloud Classic - spec files are not instructing the partitioning properly #300 - trackme-limited/trackme-report-issues#301 - bug - Data Sources tracking (splk-dsm) - UI token manipulation related issues leads to a null search eating the user disk quota under some circumstances #301 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#290 - enhancement - Flex Objects (splk-flx) - improvement of the use case splk_splunk_enterprise_cluster_peers_status (calculate buckets inbalance deviation and alert) #290 - trackme-limited/trackme-report-issues#291 - enhancement - Flex Objects (splk-flx) - improvement of the use case splk_splunk_enterprise_cluster_status #291 - trackme-limited/trackme-report-issues#292 - enhancement - Flex Objects (splk-flx) - New use case for rolling tracking of license usage per index and pool #292 - trackme-limited/trackme-report-issues#293 - bug/enhancement - Machine Learning Outliers detection - Auto correct logic defects leads to avoid generating true positive outliers #293 - trackme-limited/trackme-report-issues#295 - enhancement - Flex Object - Cribl integration UC improvements for health inputs and outputs to remove false positive #295 - trackme-limited/trackme-report-issues#296 - enhancement - Flex Objects use cases library - UC splk_queues_filling improvement - avoid generating alerts when the queues are inactive - trackme-limited/trackme-report-issues#297 - change - Remove owner=admin as the default in default.meta to avoid Enterprise customers with no admin users to be impacted by the default behavior of TrackMe #297 - trackme-limited/trackme-report-issues#298 - enhancement - Roles Based Access Control (RBAC) - Support inheritance globally in TrackMe #298 Version 2.0.60 - build 1695681952 (25/09/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 859bd778ac65750a5e4eb05cc3c11a884ddbdedd9fffcb1e33fafd54909dd71b **Fixed issues:** - trackme-limited/trackme-report-issues#289 - bug - SLIM partitioning causes ingest issues in Splunk Cloud Classic experience, requires explicit stanza placement in spec files #289 Version 2.0.59 - build 1695559981 (24/09/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 67d7a8466af72c68705cfeeca6504589ad732bc01c0961f8597f1e1236059d44 **Fixed issues:** - trackme-limited/trackme-report-issues#283 - bug - trackmetrackerhealth (Health Tracker) - Hybrid tracker macro update in the KVstore should only happen if the currently known definition differs from system #283 - trackme-limited/trackme-report-issues#284 - bug - TrackMe alert actions (notable, SmartStatus, Ack) - failures to run actions in the context of a strict least privilege service account owning the tenant #284 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#285 - change - Health Tracker - Improve logging for inactive entities tracking for splk-dsm/splk-dhm #285 - trackme-limited/trackme-report-issues#286 - change - entity_info API endpoints - always return the object and key value in the response to recycle values as needed and ease further processing #286 - trackme-limited/trackme-report-issues#287 - change - Reduce the timerange considered by the delayed entity trackers to 24h by default, after this time inactive entities are taken into account by the health tracker #287 - trackme-limited/trackme-report-issues#288 - enhancement - Data Sources and Hosts tracking (splk-dsm/splk-dhm) - Ensures that the delayed entities tracker updates last entity Metadata information even if the target search did not return any results #288 - trackme-limited/trackme-report-issues#261 - enhancement - Provide cURL examples for each REST API endpoints in the REST API auto-documentation #261 Version 2.0.58 - build 1694716015 (14/09/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 90119b248d9a1a820a335254a3d994ab4b45a7839f2468c7d087d3604208a91a **Fixed issues:** - trackme-limited/trackme-report-issues#281 - bug - splunkremotesearch - Non meaningful Python exception when calling a non existing account #281 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#282 - enhancement - Workload (splk-wlk) - Workload Virtual Tenant creation wizard improvements #282 Version 2.0.57 - build 1694635429 (13/09/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 5febf5ab3f93abf7ce8b0218f192374bdd5e3094d6150cc98f1e1a9b6126470a **Fixed issues:** - trackme-limited/trackme-report-issues#275 - bug - Data Hosts tracking (splk-dhm) - error when deleting entity on a per entity basis (list index out of range) #275 - trackme-limited/trackme-report-issues#277 - bug - Data Hosts tracking (splk-dhm) - error when trying to update monitoring hours of a given entity due to wrong REST API endpoint path #277 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#276 - feature - Introducing the CMDB integrator feature - Allows queriying an external third data source for contextual information in TrackMe tenants #276 - See: https://docs.trackme-solutions.com/admin_guide_cmdb_integration.html - trackme-limited/trackme-report-issues#279 - change - RBAC - Optimisation for role membership verification #279 - trackme-limited/trackme-report-issues#280 - enhancement - Workload (splk-wlk) - Virtual Tenant creation wizard improvements, split the search filters to be specific in the UI for Scheduler / Introspection / Splunk Cloud SVC #280 Version 2.0.56 - build 1694411312 (11/09/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: d7d5ed282cda25375216de5e47eb770c6b8bc34d5d1c89354d7e123923374879 **Fixed issues:** - trackme-limited/trackme-report-issues#264 - bug - typo in RBAC ownership view #264 - trackme-limited/trackme-report-issues#266 - bug - Workload (splk-wlk) - When creating the main tracker, the SVC usage should be part of the avg_svc_usage is trackmegenjsonmetricsmissing from the calls in #266 - trackme-limited/trackme-report-issues#268 - bug/change - INGEST_EVAL migration for all summary events and metric generation workflow, this migration is performed to overcome a Splunk Cloud Classic DMC deployment bug when deploying applications using transforms to override the DEST_KEY - While this issue is Splunk Cloud responsability, this is not going to be fixed in any acceptable timeline, TrackMe therefore turns to a different approach which is not affected by this #268 - trackme-limited/trackme-report-issues#271 - bug - Audit events - When using custom indexes per tenant, audit events remain generated in the default TrackMe configured index rather than the tenant specific index #271 - trackme-limited/trackme-report-issues#273 - bug - Benchmark Burn Test tends to time out for long run queries in Splunk Cloud due to time out reach in Splunk Cloud Web reverse proxy #273 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#265 - feature - TrackMe SVC usage audit dashboard for Splunk Cloud customers #265 - trackme-limited/trackme-report-issues#267 - change - Workload - Switch the default stats mode for the dropdown to max rather than latest to ensure visibility in most use cases #267 - trackme-limited/trackme-report-issues#269 - feature - Flex Object library (splk-flx) - New use case to track SVC consumption in Splunk Cloud by application #269 - trackme-limited/trackme-report-issues#270 - change - Flex Objects (splk-flx) - Licensing restriction increase to 32 trackers for Enterprise Edition customers #270 - trackme-limited/trackme-report-issues#272 - change - Ack behaviour default system wide configuration when returning to green - enables purging Ack by default when returning to non green if non sticky #272 - trackme-limited/trackme-report-issues#274 - enhancement - Feeds tracking (splk-feeds) - synchronize macros knowledge hybrid trackers attributes when the macros are updated in Splunk #274 Version 2.0.55 - build 1693924977 (05/09/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: b22a72485ba6b09d0b01bb0b19c4faf265aafd3e30a41f076fdc4eba75322b2d **Fixed issues:** - trackme-limited/trackme-report-issues#263 - bug - Virtual Tenants UI for Feeds tracking - indexes discovery feature does not work as expected due to Javascript regression when configured at the Virtual Creation phase #263 Version 2.0.54 - build 1693744485 (03/09/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 1a745c8ae615620d3c526e94742908897a0aa1e85dfa8454b1fb48d84a5b808e **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#42 - feature - Data Sources tracking (splk-dsm) - Tags for Data Source monitoring - Remove tags linked to a tag policy when the tag policy is removed #42 - trackme-limited/trackme-report-issues#259 - bug/enhancement - Virtual Tenants UI optimizations with a new unified endpoint for a faster and safer user experience, this also addresses issues observed in Splunk Cloud classic only #259 - trackme-limited/trackme-report-issues#260 - change - Update moment.js to version 2.29.4 - trackme-limited/trackme-report-issues#262 - enhancement - Virtual Tenants UI - Alphabetically sort tenants in the UI if no positions are preset for the user profile #262 **Fixed issues:** - trackme-limited/trackme-report-issues#256 - bug - Data Hosts / Metrics Hosts (splk-dhm/splk-mhm) - Cannot filter on tags within the Tabulator #256 - trackme-limited/trackme-report-issues#257 - bug - Data Hosts tracking (splk-dhm) - Max global latency & delay per entity should match the highest relevant value between all sourcetypes related to it #257 - trackme-limited/trackme-report-issues#258 - bug - logging issues when checking permissions for trackmeload/trackmetenantstatus (not logging the right user name) #258 Version 2.0.53 - build 1692273340 (17/08/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 42654231000a4bae75d40d4d9317babd93b8cc5e080e8d2367ebc5d45365333f **Enhancement, changes and new features:** - trackme-limited/trackme-report-issues#251 - feature - Data Hosts / Metric hosts preset the alias equal to the raw object without the key(s) addition #251 - trackme-limited/trackme-report-issues#252 - feature - Flex Objects - New use cases for CPU and Memory infrastructure tracking via Splunk introspection #252 - trackme-limited/trackme-report-issues#253 - feature - Data Hosts and Metric Hosts tracking - enhancement for tags enrichment purposes #253 Version 2.0.52 - build 1692002557 (14/08/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 11dc12c922f8005257c1d8bc5eccf0e8d0f3b848b0881a6eabe42ea56944850f **FIxed issues:** - trackme-limited/trackme-report-issues#247 - bug - Replica tenants - logic issues when having more than a single replica tracker with the same component leading to the incorrect purge of replica records #247 - trackme-limited/trackme-report-issues#248 - bug - Replica tenants - The Flex object inactive entities tracker should not be created for Replica tenants #248 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#249 - feature - Allow pre-defining default owner and defaults admin/power/roles in TrackMe general configuration for the Virtual Tenants user interfaces #249 Version 2.0.51 - build 1691618697 (09/08/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 90b21e5cffa2ec91e968def2b857d083f46eb6c0fecfe5cc4f423d3d87168617 **Fixed issues:** - trackme-limited/trackme-report-issues#245 - bug - All components - In large scale scenarios with more than 50k entities on a per tenant/component basis, the Tabulator is limited to 50k entities due to the underneath oneshot SDK search #245 - trackme-limited/trackme-report-issues#246 - bug - Data Sources/Data Hosts tracking (splk-dsm/splk-dhm) - In some rare conditions, a null search can be generated and run unexpectly impacting user quota #246 Version 2.0.50 - build 1691356328 (06/08/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 0147f78edb580e0a67229ee7eb42699e211d1b5791e844e6eb280d52fcf66043 **Fixed issues:** - trackme-limited/trackme-report-issues#242 - bug - SOAR integration custom command trackmesplksoar - issues rendering a POST response rendered as a list #242 - trackme-limited/trackme-report-issues#243 - bug - SOAR integration - pagination issues in some circumstances restricts the number of entities returned #243 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#244 - feature - SOAR integration - Manage Automation Brokers High Availability with TrackMe, update SOAR Assets automatically when an Automation Broker is inactive to an active counter part - High Availability for SOAR Automation Brokers via TrackMe #244 Version 2.0.49 - build 1691080561 (03/08/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 6bd3ea567f0465a4f9e388c04cd95cb839b17594f3adb84619b01d00311de1b2 **Fixed issues:** - trackme-limited/trackme-report-issues#236 - bug - SLA dashboard - Dropdowns populating search is using static 24 hours range rather than timerange picker from the dashboard #236 - trackme-limited/trackme-report-issues#240 - bug - Flex Objects (splk-flx) - UC Splunk Cloud SVC usage - ensure to generate metrics of SVC usage if the licensed SVCs is null #240 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#237 - enhancement - Flex Objects (splk-flx) - Allows the priority to be defined at the phase of the Flex Tracker execution #237 - trackme-limited/trackme-report-issues#238 - change - Workload (splk-wlk) - Increase the last_seen filter to last 90m for the metadata retrieval #238 - trackme-limited/trackme-report-issues#239 - enhancement - Flex Objects (splk-flx) - Include pool_quota_gb metrics in the license pool usage tracking #239 - trackme-limited/trackme-report-issues#241 - enhancement - Flex Objects (splk-flx) - Simplification and better code for the Deployment Server tracking use case #241 Version 2.0.48 - build 1690973605 (02/08/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: cc03ecd66725692e332ad6604ce5c3baddd4f3336883ffb65ff7aaad7ee67a42 **Fixed Issues:** - trackme-limited/trackme-report-issues#219 - bug - Feeds Tracking (splk-dsm) - The delayed entities trackers re-generates non merged entities in a hybrid context of merged / non merged and does not track merged entities properly #219 - trackme-limited/trackme-report-issues#221 - bug - Virtual Tenants UI - Addresses some issues with theming and user preferences, more consistent management of preferences - trackme-limited/trackme-report-issues#222 - bug - Workload (splk-wlk) - error in trackmesplkwlkgetreportsdefstream for metadata retrieval when using remote target multiple load balanced search head targets #222 - trackme-limited/trackme-report-issues#224 - bug - Workload (splk-wlk) - simulation fails for Splunk Cloud SVC when running through the UI due to incorrect quote #224 - trackme-limited/trackme-report-issues#225 - bug - Workload (splk-wlk) - Back button not working from create hybrid trackers #225 - trackme-limited/trackme-report-issues#230 - bug - incorrect report names for the mltrain reports when adding to the report state register component #230 - trackme-limited/trackme-report-issues#231 - bug - Workload (splk-wlk) - Under some circumstances an entity generating execution errors could lead to incorrect definition of the user and looping with multivalue fields gnerating bad objects #231 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#223 - enhancement - Outliers engine - When requesting reset ML, the endpoint performs a search, if the max concurrency is searched on the Search Head this can lead to an unexpected failure, ensures we attempt automated retry if it is the case before failing permanently if necessary #223 - trackme-limited/trackme-report-issues#226 - feature - Flex Object (splk-flx) - new use case for tracking KVstore collections size #226 - trackme-limited/trackme-report-issues#227 -enhancement - Allows a service account owner to be using the minimal level of permissions and capabilites to own and run properly TrackMe objects #227 - trackme-limited/trackme-report-issues#228 - enhancement - Python code sanitization, auto-formatting and unit testings for automated bug identification #228 - trackme-limited/trackme-report-issues#229 - enhancement - Fix any hard coded reference to localhost for the communication with splunkd using best practice Python splunkd uri inherited URI #229 - trackme-limited/trackme-report-issues#232 - enhancement - Data Sources/Data Hosts tracking (spl-dsm/splk-dhm) - Health tracker maintains untracked entities which are out of the scope of any tracker to update and maintain state consistency #232 - trackme-limited/trackme-report-issues#233 - feature - Flex Object (splk-flx) - Use Case for Splunk Enterprise license pool usage tracking #233 - trackme-limited/trackme-report-issues#234 - enhancement - Splunk SOAR integration - Allows a least privilege approach for SOAR interactions #234 - trackme-limited/trackme-report-issues#235 - change - Feeds Tracking - delayed entities tracker switch to False for break by splunk_server and host which is the default now in TrackMe #235 Version 2.0.47 - build 1690295356 (25/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: bcdf0903d3fe531786764ff009911ade7a1a3ca779193733ea3771806d6ef0e3 **fixed issues:** - trackme-limited/trackme-report-issues#220 - bug - regression in trackmeapiautodocs introduced in 2.0.46 when Splunk App for SOAR is not installed on the Search Tier #220 Version 2.0.46 - build 1690266086 (25/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: c62b857fc20638a97e3b17fd03e9cb5f6fb0d76c5027c8d95ba5cb661bc88fb0 **fixed issues:** - trackme-limited/trackme-report-issues#210 - bug - Flex Objects (splk-flx) - When a given entity turns red due to inactivity, a summary state event should also be generated to properly influence the SLA percentage calculation #210 - trackme-limited/trackme-report-issues#213 - bug - Virtual Tenants - endpoint post_vtenants_accounts should not return an exception when there are no tenants yet #213 - trackme-limited/trackme-report-issues#215 - bug - Workload (splk-wlk) - status_message can come back null in some circumstances #215 - trackme-limited/trackme-report-issues#216 - bug - Virtual Tenants - deleting a component should clean up the vtenant summary record #216 **Enhancements, changes & new features:** - trackme-limited/trackme-report-issues#211 - feature - Flex Objects - Splunk SOAR native integration (UCs for SOAR monitoring) #211 - trackme-limited/trackme-report-issues#214 - feature - Flex Object (splk-flx) - lastchanceindex use case for Splunk data_collection #214 - trackme-limited/trackme-report-issues#217 - change - Data Hosts tracking - automatically restrict the indexes to the main and internal indexes for splk-dhm if indexes is left unconfigured at the tenant creation phase with Hybrid tracker creation enabled (click next disease) #217 Version 2.0.45 - build 1689676533 (18/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 2b394e1617836c6e5757cac1ad9c2896d5d1340e008d23d403c47ba52c23f78d **Fixed issues:** - trackme-limited/trackme-report-issues#201 - bug - Flex UC splk_splunk_enterprise_cluster_status - wrong term Down rather than Stopped #201 - trackme-limited/trackme-report-issues#206 - bug - Flipping REST API issue (hitting Splunk CIM) #206 - trackme-limited/trackme-report-issues#207 - bug - CIM Tracking - regression in ML Outliers model generation #207 - trackme-limited/trackme-report-issues#208 - bug - CIM Tracking - deletion of entities in bulk fails since 2.0.40 #208 - trackme-limited/trackme-report-issues#209 - bug - CIM Tracking - failure to generate the initial discovered flipping event #209 **Enhancements and new features:** - trackme-limited/trackme-report-issues#202 - feature - Flex Objects - Cribl Logstream use cases for deep monitoring of Cribl Logstream in TrackMe #202 - trackme-limited/trackme-report-issues#203 - enhancement - Flex Objects - allow multiselect metrics in entity overview #203 - trackme-limited/trackme-report-issues#204 - enhancement - Flex Object - preset the alias of the entity as the short value of the object (without the group) and allows defining custom values for the alias at the entity discovery phase of the tracker #204 - trackme-limited/trackme-report-issues#205 - enhancement - Flex Objects (splk-flx) - Manage inactive entities #205 Version 2.0.44 - build 1689362642 (14/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 7602e39ffcdfa299100fb33e0b25363a11ae25da6a5d3ec5051a8bad3bbb235c **Enhancement and new features:** - trackme-limited/trackme-report-issues#191 - feature - Flex Objects tracking - Introducing the Flex Objects use case library and major component features improvements #191 Version 2.0.43 - build 1689342033 (14/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** .. hint:: **Workload upgrade:** - review the release special instructions if you are using the workload component - SHA256: 2af481f61b93eaa3c5811856e29871742c50ea176f59446ef39948cac5075cdf **Fix issues** - trackme-limited/trackme-report-issues#195 - bug - Workload (splk-wlk) - In some circumstances the Splunk scheduler logs can lack app and user context leading to the creation of new entities in case of execution errors detected #195 - trackme-limited/trackme-report-issues#198 - bug - Data Sources (splk-dsm) - enable/disable entities in bulk fails due to regression (object not defined) #198 - trackme-limited/trackme-report-issues#199 - bug - Outliers - regression due to the ds_account field decommisioning leading to failures in generating Outliers rules for new entities #199 - trackme-limited/trackme-report-issues#200 - bug - Remove the characters length restrictions in the Vtenant configuration in UCC #200 **Enhancements and new features:** - trackme-limited/trackme-report-issues#197 - enhancement - All components - Execution of TracKers via the UI and when permited via RBAC should be executed as the system user to avoid user related context to impact results consistency #197 **Special intructions or notes for this release:** - To benefit from the fix of issue #195 related to the Workload, the scheduler tracker should be deleted and re-created for each Workload tenant - This can be achieved via the UI, or via REST API Version 2.0.42 - build 1688984590 (10/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 7d4cf2359d629d9f56dd121ab03e981efe0fb1eb2bf98225f1cce6fcb7a882db **fixed issues:** - trackme-limited/trackme-report-issues#190 - bug - Workload - the main tracker does not include the count_ess_notable metrics in the metrics summary popup #190 - trackme-limited/trackme-report-issues#192 - bug - Data Sources (splk-dsm) - Clear state & run sampling resets the entity for DSM #192 - trackme-limited/trackme-report-issues#193 - bug - The number of currently existing trackers should show up in the management UI for Flex Objects and Workloads #193 - trackme-limited/trackme-report-issues#194 - bug - Data Hosts Tracking (splk-dhm) - summary level sourcetype state does not honour properly the latency/delay independently as expected #194 Version 2.0.41 - build 1688538958 (05/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: 9ee5384747ee3d022a3a3d8aaf0ae3794dffb9a501de0ce9e9c4a4002ac593a4 **Fixed issues:** - trackme-limited/trackme-report-issues#189 - bug - splk-dsm (Data Source) bulk edit regression for enable/disable monitoring via bulk edit due to change #182 #189 Version 2.0.40 - build 1688457335 (04/07/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: a163d0b1b0892edecfd09784b39b6ae0ba13aad275b54355d86c92ccb1fa950e **Fixed issues:** - trackme-limited/trackme-report-issues#182 - bug - All components - handle entities changes via their unique identifier rather than the object (handles bad entities with unexpected special characters) #182 - trackme-limited/trackme-report-issues#183 - bug - Performance issues at large scale of entities for Flex / Workload trackers #183 - trackme-limited/trackme-report-issues#186 - bug - splunkremotesearch - splunk-system-user and admin users should be RBAC granted for all configured accounts #186 - trackme-limited/trackme-report-issues#187 - bug - Virtual Tenants UI - count=0 is missing from some rest searches, leading to avoid returning all results from the upstream search (ex: user account selection) #187 **Enhancements, changes and new features:** - trackme-limited/trackme-report-issues#184 - change - Flex Object - allows automated width for the Status description in the Tabulator #184 - trackme-limited/trackme-report-issues#185 - feature - SmartStatus for Workload entities, allows the SmartStatus to handle Workload UCs as well as capturing Splunk internal events with a least privileges approach (no need for users to be able to access to the _internal index to review internal scheduler errors through the SmartStatus control) #185 - trackme-limited/trackme-report-issues#188 - enhancement - REST API logical groups - allows updating min percent if an existing group via REST without having to have to provide the list of current members #188 Version 2.0.39 - build 1687757627 (26/06/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA256: d855a2c6467e7a1d97abfb783a91883a2205b0b59102bef0471aa74aacf49303 **Fixed issues:** - trackme-limited/trackme-report-issues#176 - bug - User Interface - Using DSM "Show disabled entities" filter clears the "Filter field or function" dropdown #176 - trackme-limited/trackme-report-issues#177 - bug - Data Hosts Tracking (splk-dhm) - truncation in trackme:state for entities with a very large amount of related sourcetypes #177 **Enhancements and new features:** - trackme-limited/trackme-report-issues#178 - enhancement - Do not allow deleting or cloning Virtual tenants accounts in the Configuration UCC UI #178 - trackme-limited/trackme-report-issues#179 - enhancement - Check the Splunk Remote account connectivity and authentication at the creation / edit step in the Configuration UI (UCC framework) #179 - trackme-limited/trackme-report-issues#181 - change - Data sources/Data hosts (splk-dsm/spl-dhm) - sets break by splunk_server/host by default to False #181 Version 2.0.38 - build 1687154702 (19/06/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** .. hint:: **Metrics expansion mode and Workload upgrade:** - review the release special instructions for more information about the metrix expansion mode change in this release - review the release special instructions if you are using the workload component - SHA256: 90a6d51fc68b5e78b2b5a523d834fabbc2eea18cbcefb78e34f3f1ac793de04b **Fixed issues:** - trackme-limited/trackme-report-issues#151 - bug - Workload - the app filter provided as an example in the tracker search constraint can lead to the non detection of some use cases of execution errors #151 - trackme-limited/trackme-report-issues#152 - bug - failure to populate tenants dropdowns in SLA and Data Sampling Dashboard studio dashboards due to earlier changes in trackmeload output #152 - trackme-limited/trackme-report-issues#153 - bug - Workload - trackmesplkwlkgetreportsdefstream should call select url function to properly handle multiple Splunk endpoints for a remote account #153 - trackme-limited/trackme-report-issues#154 - bug - error in endpoint /splk_dsm/ds_get_dsm_sampling_obfuscation_mode due to obfuscation Virtual tenant account change #154 - trackme-limited/trackme-report-issues#155 - bug - Logical group auto group command - flow logic when adding single member groups #155 - trackme-limited/trackme-report-issues#158 - bug - Data Hosts (splk-dhm) - logic flow in trackme_dhm_tracker_abstract macro does not preserve per host max latency/delay and does therefore leads to no honouring these settings #158 - trackme-limited/trackme-report-issues#150 - bug - Elastic Sources - metrics generation fails for raw/from based Elastic Sources definition (shared and dedicated) #150 - trackme-limited/trackme-report-issues#159 - bug - Common Information Model tracking (splk-cim) - button horizontal alignment issue in TrackMe UI #159 - trackme-limited/trackme-report-issues#163 - bug - Vtenant UI - Prevents the running spinner to be removed (due to auto-refresh) before then end of the operation when executing long run operations such as tenants creation #163 - trackme-limited/trackme-report-issues#164 - enhancement - avoids running trackers during the Virtual Tenant creation phase to reduce time required for its creation (multiops endpoints) #164 - trackme-limited/trackme-report-issues#165 - bug - HTML duplicated ids, issues in label definition, various UI related issues #165 - trackme-limited/trackme-report-issues#166 - bug - Workload (splk-wlk) - indentation issues when creating Workload trackers, failures in the tracker creation UI to check remote connectivity #166 - trackme-limited/trackme-report-issues#167 - bug - Acknowledgments - typo when creating Ack manually leads to unstricky rather than unsticky status for Ack, prevent their proper expiration #167 - trackme-limited/trackme-report-issues#168 - bug - Workload (splk-wlk) - Orphan tracker enhancements from Issue#117 were lost during the transition to least privileges #168 - trackme-limited/trackme-report-issues#171 - bug - missing props definition for the command trackmeprettyjson #171 **New features and enhancements:** - trackme-limited/trackme-report-issues#156 - enhancement - Logical Groups - round the percentage of current group status commitment, allows filtering on Blue entities for splk-dsm/dhm/mhm #156 enhancement - User Interface minimal mode and context popup approach to improve readibility for all eligible components #157 - trackme-limited/trackme-report-issues#160 - enhancement - Health Tracker - automatically detect when a TrackMe object no longer exists and cleanup the register knowledge #160 - trackme-limited/trackme-report-issues#161 - bug - mlmonitor reports are not registered with the right name in the component register #161 - trackme-limited/trackme-report-issues#162 - enhancement - Workload - Adding the notable type tracker to allow tracking the number of Enterprise Security notable events per correlation search #162 - trackme-limited/trackme-report-issues#169 - enhancement - Flex Objects (splk-flx) - The tracker wizard should allow trackers not returning any entities to be created, as lookling only bad conditions can be a use case #169 - trackme-limited/trackme-report-issues#170 - enhancement - splunkremotesearch - handle Splunk automated extractions when fields resuting from remote events are not consistents #170 - trackme-limited/trackme-report-issues#172 - enhancement - Workload (splk-wlk) - provides a deeper visibility with a 3 periods metrics approach of scheduled activity #172 - trackme-limited/trackme-report-issues#173 - enhancement - Tabulator component upgrade 5.5 #173 - trackme-limited/trackme-report-issues#174 - enhancement - Bulk edit - when clicking on all entities selector, ensures selected entities honour current filters including header filters and add the count number of entities to be impacted in the bulk edit screen #174 - trackme-limited/trackme-report-issues#175 - enhancements - Logs inspector dashboard - fixes and improvements for the log inspector dashboard #175 **Special instructions for this release:** **Default metrics expanded mode** - This new release introduces a change in the visibility of eligible components (splk-wlk/splk-cim/splk-flx/splk-dhm/splk-mhm) regarding the default expansion of the metrics column and/or JSON formatted context columns - From 2.0.38, the column is not expanded any longer, a user would see a "right click for popup" message instead, right clicking will provide the expected information in a more context menu, providing better global readibility when dealing with many entities - At anytime in the UI, one can switch to the expanded mode by selecting the "full" visibility in the mode selector dropdown in TrackMe - Also, TrackMe administrators can update the default visbility mode when the tenant is loaded by editing the Vtenant preferences (Configuration / Virtual Tenant account) and defining the default mode for **UI prefs - expand metrics** **Workload (splk-wlk)** **Workload notable tracking:** - If you are using Splunk Enterprise Security, you way want to track the notable activity which is a new type of Workload tracker added to this release - The notable track will monitor the number of notable events generated per ES correlation search, and add a new metric "count_ess_notable" which can be used for context and investigations, or Outliers detection eventually. - To add the new notable tracker, run the following command: (replace mytenant with the tenant name, define account according to your context) :: | trackme mode=post url="/services/trackme/v2/splk_wlk/admin/wlk_tracker_create" body="{'tenant_id': 'mytenant', 'account': 'local', 'tracker_type': 'notable'}" - Also, you need to add the "count_ess_notable" metric in the main tracker, you can either edit manually the wrapper main report or follow the next instructions to re-create a brand new main tracker - TrackMe schema version update will not perform this for you as you filter preferences (app filters for instance in the root constraints) would be lost and because this can run on a remote target, this cannot be added to a local macro for persistence) **Workload behaviour enhancements:** If you are using the Workload component, you may want to perform the following actions to benefit from some specific updates: *step 1*: - Go in the tenant, click on "Manage: Workload Trackers" - Locate the main tracker, and click on Delete *step 2:* - Go in a search, run the following command (replace mytenant by the tenant_id, the account is not relevant for main tracker and should always be local): :: | trackme mode=post url="/services/trackme/v2/splk_wlk/admin/wlk_tracker_create" body="{'tenant_id': 'mytenant', 'account': 'local', 'tracker_type': 'main'}" *step 3:* - Search the following macro: "trackme_wlk_set_status_tenant_" - Update its content to: (replace the occurences of with the name of your tenant) :: lookup local=t trackme_wlk_orphan_status_tenant_ object OUTPUT orphan, mtime as orphan_last_check | eval orphan_last_check=case(isnotnull(orphan_last_check), strftime(orphan_last_check, "%c")) | lookup local=t trackme_wlk_versioning_tenant_ object OUTPUT cron_exec_sequence_sec ``` init a status 1``` | eval status=1 ``` If there are execution errors detected, status=2, we use periods data from 60m to 4h to 24h, the JSON metrics will not contain the metric if it equals to 0 ``` ``` Therefore, if a given search generating errors if fixed and has frequent executions, it likely will turn green in the next 60m from the deployment of the fix ``` | eval status=case( count_errors_last_60m=0, status, count_errors_last_4h=0, status, count_errors_last_24h=0, status, count_errors_last_60m>0 OR count_errors_last_4h>0 OR count_errors_last_24h>0, 2, 1=1, status ) ``` If there are skipping searches, define two levels of alerting, less than 5% is 3 (orange), more is 2 (red) ``` ``` we base the calculation over the 24 period (suffix last_24h) - this can be customised up to your preferences if you wish to used the additional periods ``` | eval status=case( isnum(skipped_pct_last_24h) AND skipped_pct_last_24h>0 AND skipped_pct_last_24h<5, 3, isnum(skipped_pct_last_24h) AND skipped_pct_last_60m>0 AND skipped_pct_last_24h>=5, 2, 1=1, status ) ``` If we detected the search as an orphan search (not period related) ``` | eval status=if(orphan=1, 2, status) ``` Calculate the delta in sequence between now and the last execution compared against the requested cron schedule sequence, add 1h of grace time, detect if the execution has been delayed ``` | eval status=if(cron_exec_sequence_sec>0 AND ( now()-last_seen > (cron_exec_sequence_sec + 3600) ), 2, status) ``` Set a brief status description, a more granular description will be provided with the anomaly_reason and status_message fields ``` | eval status_description=case(status=1, "normal", status=2, "degraded", status=3, "warning", 1=1, "unknown") Version 2.0.37 - build 1686088225 (06/06/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** .. hint:: **Roles Based Access Control enhancements:** - From version 2.0.34, TrackMe implements a new strict **least privilege Role Bbased Access Control** - A new role **trackme_power** is now builtin in TrackMe and designed to allow performing updates to entities of a granted tenant - Access to TrackMe is driven by builtin capabilities provided by TrackMe builtin roles (trackme_user, trackme_power, trackme_admin) - The least privilege approach implemented since this release allows granular access to TrackMe without requiring problematic capabilities which have security implications (list_settings, list_storage_passwords) - TrackMe user interfaces automatically adapt its content and provided options depending on the profile of the current user, a normal user will for instance not see write or admin related actions - TrackMe REST API endpoints are now classified in 3 groups, user level endpoints, write level endpoints and admin level endpoints - The TrackMe ``splunkremotesearch`` also supports Roles Based Access Control, a user calling a given account must be a member of any of the listed roles in the account configuration to be granted access to this account - For retro-compability purposes, TrackMe will allow access to an existing Remote account that has no RBAC roles setup yet to typical admin users in addition with TrackMe builtin roles (admin, sc_admin, trackme_user, trackme_power, trackme_admin) - When TrackMe is **upgraded**, the migration of existing tenant is automatically performed by the **schema version management**, :ref:`trackme_admin_upgrade` - For more **information**, see: :ref:`trackme_admin_rbac` - SHA256: 5a0b110099a769abea3af34cb61f4725c686d0554fcf89a1e63ce98486a7cc23 - trackme-limited/trackme-report-issues#147 - bug - splk-dsm (Data Source) - regression when call run sampling on a particular entity due to obfuscation change in v2.0.36 #147 - trackme-limited/trackme-report-issues#148 - bug - splk-dhm (Data Hosts) - the title of the modal screen incorrectly mentiones splk-mhm #148 - trackme-limited/trackme-report-issues#145 - enhancement: Higher width for the status column (which can truncated under Ack circumstances) #145 - trackme-limited/trackme-report-issues#149 - bug - Workload / Flex (splk-wlk/splk-flx) - Truncate long description to avoid impacting the view screen #149 Version 2.0.36 - build 1685947587 (05/06/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** .. hint:: **Roles Based Access Control enhancements:** - From version 2.0.34, TrackMe implements a new strict **least privilege Role Bbased Access Control** - A new role **trackme_power** is now builtin in TrackMe and designed to allow performing updates to entities of a granted tenant - Access to TrackMe is driven by builtin capabilities provided by TrackMe builtin roles (trackme_user, trackme_power, trackme_admin) - The least privilege approach implemented since this release allows granular access to TrackMe without requiring problematic capabilities which have security implications (list_settings, list_storage_passwords) - TrackMe user interfaces automatically adapt its content and provided options depending on the profile of the current user, a normal user will for instance not see write or admin related actions - TrackMe REST API endpoints are now classified in 3 groups, user level endpoints, write level endpoints and admin level endpoints - The TrackMe ``splunkremotesearch`` also supports Roles Based Access Control, a user calling a given account must be a member of any of the listed roles in the account configuration to be granted access to this account - For retro-compability purposes, TrackMe will allow access to an existing Remote account that has no RBAC roles setup yet to typical admin users in addition with TrackMe builtin roles (admin, sc_admin, trackme_user, trackme_power, trackme_admin) - When TrackMe is **upgraded**, the migration of existing tenant is automatically performed by the **schema version management**, :ref:`trackme_admin_upgrade` - For more **information**, see: :ref:`trackme_admin_rbac` - SHA256: f0c47447023dca0daf9cb5e5e434dc077a0e8c71bfc75233d73717268eef33a3 - trackme-limited/trackme-report-issues#135 - bug - Data Sampling - Creating an mstats based Elastic Source breaks the Data Sampling query execution #135 - trackme-limited/trackme-report-issues#136 - bug - Outliers engine - When reseting Outliers models, TrackMe should also reset the data outliers records for a more consistent approach #136 - trackme-limited/trackme-report-issues#137 - bug - Acknowledgement - Updating Ack fails due to Python regression introduced in 2.0.34 #137 - trackme-limited/trackme-report-issues#138 - enhancement - Add a new command utility trackmeautogroup to allow auto management of logical group association from an upstream SPL logic #138 - trackme-limited/trackme-report-issues#139 - bug - SmartStatus - incorrect timechart search in UC delay causes no results to be found #139 - trackme-limited/trackme-report-issues#140 - enhancement - SmartStatus - rely on latest known event rather than latest - - trackme-limited/trackme-report-issues#141 - known ingest when defining the earliest for UC delay/latency for better results when looking at an offline entity #140 - trackme-limited/trackme-report-issues#141 - enhancement - vtenants accounts integration scheme for more flexible tenant level configuration management #141 - trackme-limited/trackme-report-issues#142 - enhancement - Improvements and minor fixes for user interfaces behaviours when user is a power user (capability: trackmepoweroperations) #142 - trackme-limited/trackme-report-issues#143 - bug - splk-dhm (Data Host Tracking) - TrackMe does not honor properly the per sourcetype policy due to evaluation of the state at the table loading time which avoids taking into account the status per sourcetype #143 - trackme-limited/trackme-report-issues#144 - feature - Introducing the TrackMe Configuration Manager (TCM) to provides CI/CD capabilities for TrackMe #144 Additional notes: - In version 2.0.36, the data sampling obfuscation macro is deprecated and decommissioned automatically, it is replaced by a much more flexible approach relying on the tenant account setting - To enable the obfuscation mode for a given tenant post-migration, go in Configuration / vtenant preferences and edit the tenant to enable the obfuscation mode Version 2.0.35 - build 1684913150 (24/05/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** .. hint:: **Roles Based Access Control enhancements:** - From version 2.0.34, TrackMe implements a new strict **least privilege Role Bbased Access Control** - A new role **trackme_power** is now builtin in TrackMe and designed to allow performing updates to entities of a granted tenant - Access to TrackMe is driven by builtin capabilities provided by TrackMe builtin roles (trackme_user, trackme_power, trackme_admin) - The least privilege approach implemented since this release allows granular access to TrackMe without requiring problematic capabilities which have security implications (list_settings, list_storage_passwords) - TrackMe user interfaces automatically adapt its content and provided options depending on the profile of the current user, a normal user will for instance not see write or admin related actions - TrackMe REST API endpoints are now classified in 3 groups, user level endpoints, write level endpoints and admin level endpoints - The TrackMe ``splunkremotesearch`` also supports Roles Based Access Control, a user calling a given account must be a member of any of the listed roles in the account configuration to be granted access to this account - For retro-compability purposes, TrackMe will allow access to an existing Remote account that has no RBAC roles setup yet to typical admin users in addition with TrackMe builtin roles (admin, sc_admin, trackme_user, trackme_power, trackme_admin) - When TrackMe is **upgraded**, the migration of existing tenant is automatically performed by the **schema version management**, :ref:`trackme_admin_upgrade` - For more **information**, see: :ref:`trackme_admin_rbac` - SHA-256: 0fbba6699287c2ac6fdcbeb28d4d6ccfa3d889b351b26f1e5010bd2ba74f8fef - trackme-limited/trackme-report-issues#133 - bug - SmartStatus - regression introduced by version 2.0.34 causes SmartStatus function failure #133 - trackme-limited/trackme-report-issues#134 - bug - bad entities containing double quotes lead trackmesplkoutlierstrainhelper and trackmesamplingexecutor to continuously fail running searches for these entities with bad request #134 Version 2.0.34 - build 1684860645 (23/05/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** .. hint:: **Roles Based Access Control enhancements:** - In this release, TrackMe implements a new strict **least privilege Role Bbased Access Control** - A new role **trackme_power** is now builtin in TrackMe and designed to allow performing updates to entities of a granted tenant - Access to TrackMe is driven by builtin capabilities provided by TrackMe builtin roles (trackme_user, trackme_power, trackme_admin) - The least privilege approach implemented since this release allows granular access to TrackMe without requiring problematic capabilities which have security implications (list_settings, list_storage_passwords) - TrackMe user interfaces automatically adapt its content and provided options depending on the profile of the current user, a normal user will for instance not see write or admin related actions - TrackMe REST API endpoints are now classified in 3 groups, user level endpoints, write level endpoints and admin level endpoints - The TrackMe ``splunkremotesearch`` also supports Roles Based Access Control, a user calling a given account must be a member of any of the listed roles in the account configuration to be granted access to this account - For retro-compability purposes, TrackMe will allow access to an existing Remote account that has no RBAC roles setup yet to typical admin users in addition with TrackMe builtin roles (admin, sc_admin, trackme_user, trackme_power, trackme_admin) - When TrackMe is **upgraded**, the migration of existing tenant is automatically performed by the **schema version management**, :ref:`trackme_admin_upgrade` - For more **information**, see: :ref:`trackme_admin_rbac` - SHA-256: ce0d5a73b314c8dc246737149962dc5bd2038f89b313429f13485e3e99e2cd35 - trackme-limited/trackme-report-issues#106 - enhancement - Least privilege implementation - TrackMe implementation of a least privileges approach to provide with minimal capabilities requirement and a best practice security implementation #106 - trackme-limited/trackme-report-issues#119 - enhancement - All components - Performance optimisations #119 - trackme-limited/trackme-report-issues#120 - bug - Compliance Tracking (splk-cim) - UI affected by a previous change (regression from #116) #120 - trackme-limited/trackme-report-issues#121 - enhancement - UI behaviours - Call spinner in a more consistent manner when actions are being performed #121 - trackme-limited/trackme-report-issues#122 - bug - Flex Object (splk-flx) - Convention for status in the docs explanation is wrong #122 - trackme-limited/trackme-report-issues#101 - enhancement - Data Source/Host (splk-dsm/dhm) - Allows managing data in the future detection on a per entity basis #101 - trackme-limited/trackme-report-issues#124 - enhancement - major performance improvements for trackmesplkoutlierssetrules #124 - trackme-limited/trackme-report-issues#125 - enhancement/bug - major performance improvements for Trackers execution (trackmepersistentfields) #125 - trackme-limited/trackme-report-issues#126 - enhancement - major performance enhancements for bulk edit operations in TrackMe #126 - trackme-limited/trackme-report-issues#127 - bug - Remove component does not remove some knowledge objects #127 - trackme-limited/trackme-report-issues#128 - enhancement - Workload - Allow the component to be added to / deleted from an existing Virtual Tenant #128 - trackme-limited/trackme-report-issues#129 - enhancement - splunkremotesearch - Roles Based Access Control support #129 - trackme-limited/trackme-report-issues#130 - enhancement - trackmeapiautodocs - Remove redundant resource_spl_example/resource_desc from endpoint usage output #130 - trackme-limited/trackme-report-issues#131 - bug - Data sampling & events format recognition - escaped double quotes are incorrectly escaped again leading the sampling generation to fail #131 - trackme-limited/trackme-report-issues#132 - bug - Data sampling & events format recognition - Reset loses the preset number of records, sets the number of records would fail if the entity has not been processed yet #132 Version 2.0.33 - build 1683898726 (12/05/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: b9e8494d654bc60d1f0e12afe220d10c10f87aab1dd2fd20e517511040f9f9c8 - trackme-limited/trackme-report-issues#115 - bug - splk-dsm - tags - tags policies not applied as expected due a native multivalue format when taken into account by TrackMe's REST API #115 - trackme-limited/trackme-report-issues#116 - enhancements - Acknowledgments UI behaviours consistency #116 - trackme-limited/trackme-report-issues#117 - enhancement - Workload (splk-wlk) - The Orphan check and maintain search takes too long #117 - trackme-limited/trackme-report-issues#118 - bug - Data Host Monitoring (splk-dhm) - max delay and max latency are not honoured properly #118 Version 2.0.32 - build 1683797653 (11/05/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: b570f9e6a668cfd895832cb2812e540e8a8e263606b49ae9014900d8e0683137 - bug - Workload (splk-wlk) - false positive issues with anomaly_reason=execution_delayed under some specific conditions #113 - bug - Workload (splk-wlk) - introspection metrics generation - introduce a bucket _time span=1m to properly aggregate metrics for pct_cpu/memory, sum the scan eventcount #114 Version 2.0.31 - build 1683730441 (10/05/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: 32d31b6b3c8eade39c27af09dbe2e5d8497a7cecbc5b374f1ba939555ae59069 - bug - ucc-framework issue with urllib3 v2.0.x - latest version of urllib3 require fresher openssl version which builtin Splunk versions do not meet causing issues in alert actions #112 Version 2.0.30 - build 1683715542 (10/05/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: 4652676182e6271bef61bc368db1fcdc3c216a26d022d4eb54dd6f28e8ec9168 - bug - all components - Tracking Alerts UI always created splk-dsm Alert #110 - bug - all components - SLA single should turn red if the entity has never been green since it was discovered #111 Version 2.0.29 - build 1683576225 (08/05/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: 60e8e0665f3d924d3f7b636fc372fb8f1c6d4ca9274681913ea795706ac804cb - bug - Workload (splk-wlk) - issues in Metadata collection when using a remote account with more than one member in the account definition #107 - bug - Flex Object - demo search for deployment servers should filter for the group when doing the inputlookup back #108 - bug - Workload (splk-wlk) - mltrain should be scheduled once per hour, mlmonitor should be scheduled every 20 minutes to prevent skipping searches #109 Version 2.0.28 - build 1682667017 (28/04/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: 198ddc37df076de98e42a530bf66aa903eff8ae87c4c7d2e601b0c6316611c5d - bug - splk-wlk (Workload) - If running in remote, introspection and Splunk Cloud SVC queries cannot rely on app fieldaliases #105 Version 2.0.27 - build 1682578920 (27/04/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: b226ad96a069f070b5293bfe50fab101503e56c2bdf2c2d2027ed2d06bb8bf50 - bug - splk-wlk - Missing field alias for svc-consumer causes SVC consumption not to render expected SVC metrics #104 Version 2.0.26 - build 1682503730 (26/04/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: fe68d95983066a1f8a2fcf2a4a60271ad1ce91d457c56f76f228a68418059baa - feature - Introducing the new Splunk Workload component for TrackMe, to monitor your Splunk scheduling activity and take the control back #102 - bug - splk-cim - avoids append=t in the very first pipe which causes issues in Splunk Cloud #103 Version 2.0.25 - build 1682069909 (21/04/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** Note: Hybrid Trackers need to be re-created to benefit from the latest_eventcount_5m - SHA-256: d992c12d1bb9998bc39be0171c3721d4c3f30ecef2ee0be1bfc1ab93dac29897 - bug/enhancement - latest_eventcount_5m from TrackMe metrics should perform an aggregation to properly represent the 5m sum of eventcounts #94 Version 2.0.23 - build 1681985039 (20/04/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: e03e25136a8803cea926721d959a2312cdbcdec70f810279de3ffdf9c3cf5043 - bug - splk-feeds - Hybrid tracker creation, if breaking by host in splk-dsm, the dcount host leads to wrongly interpreting the host value, issues with burn test in raw mode #99 - bug - Outliers detection - incorrect message statement when upperBound is breached #100 Version 2.0.22 - build 1681860827 (19/04/2023) ============================================== .. hint:: **Splunk 8.1.x and later, Linux, Python3 support only** - SHA-256: 08ae4facab3c6c141f0967998562bd1440fe1e1d6fe8ee8c85cef47a0191b81a - bug - ack tracker regression issue introduced in release 2.0.21 #97 - bug - alerts creation - incorrect statement when including orange status for entities #95 - enhancement - splunkremotesearch - accepts a list of multiple Splunk REST endpoints and address targets randomly with HA and DR #93 - bug/enhancement - avoid disabling access to the acnknowledgement if it is still active althrough the entity is back in green state #96 Version 2.0.21 - build 1681766136 (17/04/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 3b15dff23199adb46b8305cda8172062e25ddc24d3610e8da3a90345e4d08077 - bug - regression in trackmecollect for splk-dhm. the field splk_dhm_st_summary is required by the UI for processing #92 Version 2.0.20 - build 1681751403 (17/04/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 59f122da1acc5728f8192365adf4a8b4f83bbd5e740d87f05d62678bdfaea020 - change - disable drilldown in API ref table #78 - change - Add skipping search shortcut access in Virtual Tenant (skipping donut screen) #79 - bug - mistmatch between custom command log files and associated props stanza #80 - bug/enhancement - improve detection of latency at ingest and its sensittivity using TrackMe metrics #81 - bug - trackmepersistentfields backend would raise an exception and block the remaining updates if an unexpected error occurs in the update process #82 - enhancement - avoids TrackMe custom command to be distributed amongst indexes while it's unecessary #83 - bug/enhancement - reduce the foot print of TrackMe state events stored in the summary indexes, prevents unecessary large fields (metrics summary, etc) #84 - enhancement - Preparation for the Implementation of least privileges approach in TrackMe and advanced capabilities management #85 - enhancements - Python backend enhancements #86 - enhancement - Add or Delete components for a TrackMe Virtual Tenant after it was created #87 - bug - "Show burn test search" creates a persistent macro #88 - bug/enhancenent - splk-feeds - Maintain delayed entities running out of the scope of TrackMe trackers #89 - enhancement - massive performance gains in events generating Python backends #90 - enhancement - trackmesplkoutlierstrainhelper should implement a max run time sec mechanism to avoid generating skipping search #91 Version 2.0.19 - build 1680519959 (03/04/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 7f418e954415f4bdd74e8ce685eca7dab1b160ea6706dc6a0170b8fca65b571a - bug - splk-dsm - data_first_time_seen should be part of persistent fields in the macro trackme_dsm_lookup_persistent_fields #75 - enhancement - trackmepersistentfields command - in some circumstances, there can be an unexpected duplication of entities, this enhancement ensures that this cannot happen #76 Version 2.0.18 - build 1680475914 (02/04/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 71dd7ac5314ea3826c19a323844834bad95f3f98de317edb1ea05313761667e3 - bug/enhancement - TrackMe metrics generation and vizualisation issues when suffering from latency or low frequency entities #72 - bug - Virtual Tenant UI graphical issue when testing remote connectivity #73 - bug/enhancement - Improve latency detection by taking into account TrackMe metrics at Hybrid Tracker execution time #74 - enhancement - improve consistency of wording for lagging / latency / delay concepts #10 Version 2.0.17 - build 1680257518 (31/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: c4c68dc01cf1998db95566c15dc89228478848d969a583eaa617b142ac276547 - bug - splk-dsm/splk-flx status flipping will incorrectly continue to see new entities being discovered due to regression in 2.0.15 #71 Version 2.0.16 - build 1680138733 (30/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: e07a3f909033b93089541f27b1834ef327910f9f6c50ff11eade33b7e24fbb5c - bug - splk-dsm - bad syntax in screen auto lagging def #68 - bug - splk-dsm/splk-dhm - avoid continuing to generate TrackMe metrics for an entity which data flow is interrupted, restrict the metrics scope to the 5 last minutes against the last event of the entity #69 - enhancement - Some high scale SHC environments with a large number of entities, especially in Splunk Cloud, were reported to encounter out of sync issues due to ML models update activity, this release reduce the frequency of the ML train activity to avoid this #70 Notes: - Regarding fix #69, Hybrid Trackers need to be re-created, or manually updated: *trackme_dsm_hybrid_abstract_* *the break by change may change depending on your context, the fix relies on restricting the the spantime to avoid generating new metrics while the flow is interrupted* :: | eval spantime=_time | eventstats max(data_last_time_seen) as data_last_time_seen by index,sourcetype | eval spantime=if(spantime>=(now()-300), spantime, null()) Version 2.0.15 - build 1679995508 (28/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: affba63ecf9fc7a8b718d5c45894dc64f920ec6d36f1e9794ca7d76f3ca54272 - bug / enhancements - introducing the custom command trackmepersistentfields to protect KVstore collection records from conflicting updates and replace the call to outputlookup Splunk command with more control #55 - bug - Vtenant creation endpoint should set the current schema_version immediately at the creation phase #56 - enhancement - Allow splunkremotesearch command to inherit earliest and latest from the environment (time range picker) #57 - bug/enhancement - avoid skipping searches for ML train/monitor and data sampling by reducing the default cron to every 20 when creating a new tenant #58 - enhancement - Limit the tenant name identifier to 15 characters max to avoid allowing users from reaching any Splunk limitations, reduce the random digits for trackers to 5 #59 - bug/enhancement - splk-dsm and splk-flx, at large scale with large number of concurrent Hybrid Trackers, concurrent loading of whole collections lead to impacts on other entities #60 - enhancement - Store the root constraint in a macro when creating the Hybrid Trackers for splk-feeds, for easier design, update and management #61 - bug - inherit trackmer_user role in trackme_admin to avoid any non explicit read access #62 - bug - If using Federated search in the instance running TrackMe, makeresults duplicates results unexpectly #63 - enhancement - splk-feeds Hybrid Tracker creation improvements, new builtin options to control performance denominators, review Burn test search before execution #64 - bug - Outliers management issues and enhancements #65 - change - Licensing management evolutions #66 - bug - log rotation is lacking for the various trackme logs #67 Version 2.0.14 - build 1679295918 (20/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 5cc6306228293260ee82801bbf198a65ca13aedc6bf68bc0bda983b6ba6cae8c - bug - conflict the same object exists already error when attempting to create a lagging class for the same conditions if one exists already for another category #45 - feature - splk-flx - Allow to control grouping of entities #46 - bug - splk-cim/splk-flx - metric ingestion issues when objects have space characters #47 - bug - negative value metrics will be ignored in splk-flx #48 - bug - indexes preset by default in tenant creation dropdown regression from 2.0.13 - showing first result index rather than preset index #49 - bug/enhancement - detect and degrade a Virtual Tenant using remote splunk account that was removed later on, or if all remote accounts were removed post configuration #50 - bug - Virtual Tenant UI - copy spl button may generate trackme SPL commands that cannot be parsed properly #52 - feature - Provide a burn test performance benchmark feature while creating Hybrid Trackers to investigate the run time performance ahead of the tracker creation #53 Version 2.0.13 - build 1678259747 (08/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: cc4d34f9f54e4fce2dd4299cc4bb549974ec7395a63b6eb4159ee46f2a7b02e5 - bug/enhancement - reduce volume of logs in trackme_splk_outliers_train_helper.log #41 - bug - lagging classes does not accept splk-dsm / splk-dhm pattern, failures to apply lagging classes against object!=all, various issues affecting lagging classes for splk-dhm #40 - bug - timezone issue in REST API and custom command logging events when the user running the command is in a non UTC timezone #43 Version 2.0.12 - build 1678171647 (07/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 001d57ab9960024fde3eabf9439e1643ee118b99626b7f46e1d7ad3797c65378 - enhancement - avoids any enabled scheduled report by default including app level management utilities (Ack tracker, backup scheduler, maintenance mode tracker) #33 - bug - merged mode for splk-dsm not behaving as expected #34 - bug - Virtual Tenants UI regression when deleting the last tenant (should refresh and show up Welcome modal screen) #35 - enhancement - reduce the default earliest to -4h instead of -7d when creating Hybrid trackers to limit design requirements for first time users #36 - enhancement - improve consistency of wording for lagging / latency / delay concepts #10 - bug - missing perc95_latency_5m and stdev_latency_5m metrics for splk-dhm #38 - enhancement - Improve global TrackMe experience for splk-feeds with Overview based on TrackMe metrics primarly rather than direct Splunk query (Allows faster query and scalability, enhance RBAC consistency) #37 Version 2.0.11 - build 1677767350 (01/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 16f797f4140bbff976c9d7ff7fb093f5ac519f1b699ff7010aa097e8474c4e8e - bug - Entity remains in red state due to Data sampling detection altrhough the feature has been disabled #28 Version 2.0.10 - build 1677707255 (01/03/2023) ============================================== .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 423dc06178dd7360ccbffa3741dd7e41ae4ad63eb8cdb9bb703f86828729a3d2 - bug - custom indexes not properly used when creating Virtual Tenants from the user interfaces for splk-dsm/dhm/mhm #30 - bug - regression from 2.0.9 preventing access to RBAC update from the Virtual Tenant UI #31 Version 2.0.9 - build 1677588126 (28/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: edd8c6d22bc6fb80c9b7c08ee46b58d05ea2970f41678c89d6cfbf8f88f3d5d4 - bug: Virtual Tenants UI fails to load properly if a Virtual Tenant is disabled and was created with value for its description #21 - bug: Virtual Tenant creation error handling issues can lead to undetected failures within the Virtual Tenant user interface #22 - bug/enhancement: Virtual Tenants objects creation - avoid and enhance detection and re-attempt if splunkd API is not ready yet to server the newly created object #23 - bug/enhancement: disable auto-refresh in Virtual Tenants UI during long run operations to avoid loosing the spinner #24 - enhancement: splk-feeds - bulk edit management for Logical groups (splk-dsm/dhm/mhm) #25 - feature: introducing the concept of TrackMe schema versioning to allow future automated updates to the Virtual Tenants & Knowledge Objects schema #27 - feature: Sticky Acknowledgements #9 - bug/enhancement: Single forms and Donut drilldown do not lead to actions (all components) #16 - feature: license model update to allow an intermediate pricing plan with the Enterprise Edition #29 Version 2.0.8 - build 1677163367 (23/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 80d0437c355c1ab71930bbf68f6ae0739817994c087712888f65d86d074678b2 - bug/enhancement: splk-dsm Data sampling - Tabulator occasionally loads before the modal screen, optimize and avoid multiple REST calls #11 - bug/enhancement - splk-flx - simplify the regular expression used in the deploymet server example #12 - bug - splk-flx - copy to clipboard button not working for deployment server example from first level modal screen #13 - Enhancement - improving naming convention consistancy in status and anomaly_reason #20 - Feature request - logical grouping to be made available for splk-dsm component #18 - bug - splk-dhm/splk-mhm entity view host Metadata filter do not apply when hybrid tracker was created manually in a tenant (opposed to created during the Virtual Tenant creation phase) #19 Version 2.0.7 - build 1676377640 (14/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 13bc28f5693f9e6f7391ac2f61ddd598818d372c396d4f0d53bc6f5faf4fa865 - bug: splk-dsm - dictinct count host issue inconsistency when setting up a dcount_host treshold #1 - bug: splk-dsm - Elastic source syntax issue with from datamodel sources - error in identification of remote from searches #5 - feature: splk-dsm - Feature request - Simulation of thresholds before applying #3 - enhancement: Put a clear RBAC related message in when creating Virtual Tenants regarding membership explicit management - enhancement: TrackMe Alert Suppression/Throttling Enhancements #6 - bug/enhancement: bug Tabulator loading modal - all components - In some circumstances, the screen can load before the REST endpoint call return the Tabulator data #7 - enhancement: Feature - Disable Ack when an entity goes back to green #8 - You can now enable the option "Remove Ack behaviour" in configuration if you wish to have Ack being disabled automatically when a previously non green entity comes back to green, rather than relying only on the Ack expiration - As well, there has been enhancements on the Ack tracker backend for better reporting and auditing of its activity (generate an audit event per entity) Notes: - Hybrid/Elastic Trackers need to be re-created to benefit from the new distinct count hosts metrics for splk-dsm (Feeds tracking for Data Sources) Version 2.0.6 - build 1675851310 (08/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: a5bf6e9580ca9924d20ea00c029a4cd61f6bffa700a493a2a8e251934d030bdb - issue with splk-dhm timecharts in Splunk remote deployments when data gaps occur #9 - issue with splk-dhm compact mode which should show the sourcetype in addition with the index in the JSON summary #11 - wrong label in lagging classes applies to dropdown for splk-dsm/splk-dhm #12 Version 2.0.5 - build 1675711433 (06/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: ab77d89634b3debc5d2ddd881243310bbb18b959254efc53dcf6a83a873c5427 - Fix - Some REST endpoints are unexpectedly limiting their output to the first 100 records #7 Version 2.0.4 - build 1675617150 (05/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - Optimization - function dataset_update_cache should sleep before retrying in case of max concurrent searches run Optimization - function dataset_update_cache should sleep before retrying in case of max concurrent searches run #4 - Optimization - avoid logging check license return in non debug mode Optimization - avoid logging check license return in non debug mode #3 - Optimization - reduce internal logs from datagen custom command Optimization - reduce internal logs from datagen custom command #6 Version 2.0.3 - build 1675586140 (05/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: 661069bc7dfe803c9e6c10021cb693c85e616dce13b54c708f38ddc760848df4 - Data sampling engine - syntax error leads custom rule in simulation mode to fail rendering the expected results #1 Version 2.0.2 - build 1675379421 (02/02/2023) ============================================= .. hint:: **Splunk 8.2.x/9.x and Python3 support only** - SHA-256: b5edf46f5bf6a293b318d33b0e4b07c982019dae427d4ad7b7b1b6881fb74145 - This the first official release for TrackMe V2