dwaler/forwarder_versions.xml

## forwarder_versions.xml
<dashboard>
  <label>Forwarder Versions</label>
  <description>The Splunk Forwarder and Splunk&gt;Cloud versions should align in order to avoid ingestion errors. Please consider upgrading the Splunk Forwarders whose versions are out of date or flagged as buggy.</description>
  <row>
    <panel id="versionSummary">
      <chart>
        <title>Version Summary</title>
        <search>
          <query>
            index=_internal sourcetype=splunkd source="*/var/log/splunk/metrics.log" Metrics group=tcpin_connections
            | dedup hostname
            | stats c as fwdCount by version
            | rex field=version "^(?&lt;fwdV&gt;\d+.\d+)"
            | eval splV=
              [| makeresults
              | eval VERSION=7.0
              | append
                  [ search index=_internal source="*/etc/splunk.version" sourcetype=splunk_version PRODUCT=splunk VERSION=* earliest=-7d latest=now ]
              | rex field=VERSION "^(?&lt;version&gt;\d+.\d+)"
              | stats max(version) as splV
              | return $splV ]
            | eval warn=if((splV-fwdV)&gt;0.2, fwdCount, 0)
            | eval info=fwdCount-warn
            | rename warn as "Out of Date", info as "Up to Date"
            | fields - fwdV, splV, fwdCount
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisTitleX.text">Forwarder Version</option>
        <option name="charting.axisTitleY.text">Forwarder Count</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"Out of Date": 0xDC4E41, "Up to Date":0x53A051}</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel id="currentSplunkVersion">
      <single>
        <title>Current Splunk&gt;Cloud Version</title>
        <search>
          <query>
            | makeresults
            | eval VERSION="7.0.3"
            | append
              [ search index=_internal source="*/etc/splunk.version" sourcetype=splunk_version PRODUCT=splunk VERSION=* earliest=-7d latest=now]
            | stats max(VERSION) as splV
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">272</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel id="upgradeRecommendations">
      <table>
        <title>Upgrade Recommendations</title>
        <search>
          <query>
            index=_internal sourcetype=splunkd source="*/var/log/splunk/metrics.log" Metrics group=tcpin_connections
            | dedup hostname
            | rex field=version "^(?&lt;fwdV&gt;\d+.\d+)"
            | eval splV=
              [ | makeresults
              | eval VERSION=7.0
              | append
                  [ search index=_internal source="*/etc/splunk.version" sourcetype=splunk_version PRODUCT=splunk VERSION=* earliest=-7d latest=now ]
              | rex field=VERSION "^(?&lt;version&gt;\d+.\d+)"
              | stats max(version) as splV
              | return $splV ]
            | eval Recommendation=if((splV-fwdV)&gt;0.2,"Upgrade", "No Upgrade Needed")
            | eval "Forwarder Type" = case(fwdType=="uf","Universal", fwdType=="lwf", "Light", fwdType=="full", "Heavy")
            | rename hostname as "Forwarder Name", version as "Forwarder Version"
            | table "Forwarder Name", "Forwarder Version", "Forwarder Type", Recommendation
            | sort "Forwarder Version"
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Recommendation">
          <colorPalette type="map">{"Upgrade":#DC4E41, "No Upgrade Needed":#53A051}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel id="flaggedVersions">
      <table>
        <title>Flagged Forwarder Versions</title>
        <search>
          <query>
            index=_internal sourcetype=splunkd source="*/var/log/splunk/metrics.log" Metrics group=tcpin_connections | dedup hostname
            | rex field=version "^(?&lt;VERSION&gt;\d+.\d+.\d+)"
            | lookup forwarder_bugs.csv VERSION
            | search BUG=*
            | rename hostname as "Forwarder Name", version as "Forwarder Version"
            | table "Forwarder Name", "Forwarder Version"
            | sort "Forwarder Version", "Forwarder Name"
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>
	<dashboard>
	<label>Forwarder Versions</label>
	<description>The Splunk Forwarder and Splunk>Cloud versions should align in order to avoid ingestion errors. Please consider upgrading the Splunk Forwarders whose versions are out of date or flagged as buggy.</description>
	<row>
	<panel id="versionSummary">
	<chart>
	<title>Version Summary</title>
	<search>
	<query>
	index=_internal sourcetype=splunkd source="*/var/log/splunk/metrics.log" Metrics group=tcpin_connections
	\| dedup hostname
	\| stats c as fwdCount by version
	\| rex field=version "^(?<fwdV>\d+.\d+)"
	\| eval splV=
	[\| makeresults
	\| eval VERSION=7.0
	\| append
	[ search index=_internal source="/etc/splunk.version" sourcetype=splunk_version PRODUCT=splunk VERSION= earliest=-7d latest=now ]
	\| rex field=VERSION "^(?<version>\d+.\d+)"
	\| stats max(version) as splV
	\| return $splV ]
	\| eval warn=if((splV-fwdV)>0.2, fwdCount, 0)
	\| eval info=fwdCount-warn
	\| rename warn as "Out of Date", info as "Up to Date"
	\| fields - fwdV, splV, fwdCount
	</query>
	<earliest>-15m</earliest>
	<latest>now</latest>
	</search>
	<option name="charting.axisTitleX.text">Forwarder Version</option>
	<option name="charting.axisTitleY.text">Forwarder Count</option>
	<option name="charting.chart">bar</option>
	<option name="charting.chart.showDataLabels">none</option>
	<option name="charting.chart.stackMode">stacked</option>
	<option name="charting.drilldown">none</option>
	<option name="charting.fieldColors">{"Out of Date": 0xDC4E41, "Up to Date":0x53A051}</option>
	<option name="charting.layout.splitSeries">0</option>
	<option name="refresh.display">progressbar</option>
	</chart>
	</panel>
	<panel id="currentSplunkVersion">
	<single>
	<title>Current Splunk>Cloud Version</title>
	<search>
	<query>
	\| makeresults
	\| eval VERSION="7.0.3"
	\| append
	[ search index=_internal source="/etc/splunk.version" sourcetype=splunk_version PRODUCT=splunk VERSION= earliest=-7d latest=now]
	\| stats max(VERSION) as splV
	</query>
	<earliest>$earliest$</earliest>
	<latest>$latest$</latest>
	</search>
	<option name="drilldown">none</option>
	<option name="height">272</option>
	<option name="refresh.display">progressbar</option>
	</single>
	</panel>
	</row>
	<row>
	<panel id="upgradeRecommendations">
	<table>
	<title>Upgrade Recommendations</title>
	<search>
	<query>
	index=_internal sourcetype=splunkd source="*/var/log/splunk/metrics.log" Metrics group=tcpin_connections
	\| dedup hostname
	\| rex field=version "^(?<fwdV>\d+.\d+)"
	\| eval splV=
	[ \| makeresults
	\| eval VERSION=7.0
	\| append
	[ search index=_internal source="/etc/splunk.version" sourcetype=splunk_version PRODUCT=splunk VERSION= earliest=-7d latest=now ]
	\| rex field=VERSION "^(?<version>\d+.\d+)"
	\| stats max(version) as splV
	\| return $splV ]
	\| eval Recommendation=if((splV-fwdV)>0.2,"Upgrade", "No Upgrade Needed")
	\| eval "Forwarder Type" = case(fwdType=="uf","Universal", fwdType=="lwf", "Light", fwdType=="full", "Heavy")
	\| rename hostname as "Forwarder Name", version as "Forwarder Version"
	\| table "Forwarder Name", "Forwarder Version", "Forwarder Type", Recommendation
	\| sort "Forwarder Version"
	</query>
	<earliest>-15m</earliest>
	<latest>now</latest>
	</search>
	<option name="count">20</option>
	<option name="drilldown">none</option>
	<option name="refresh.display">progressbar</option>
	<format type="color" field="Recommendation">
	<colorPalette type="map">{"Upgrade":#DC4E41, "No Upgrade Needed":#53A051}</colorPalette>
	</format>
	</table>
	</panel>
	</row>
	<row>
	<panel id="flaggedVersions">
	<table>
	<title>Flagged Forwarder Versions</title>
	<search>
	<query>
	index=_internal sourcetype=splunkd source="*/var/log/splunk/metrics.log" Metrics group=tcpin_connections \| dedup hostname
	\| rex field=version "^(?<VERSION>\d+.\d+.\d+)"
	\| lookup forwarder_bugs.csv VERSION
	\| search BUG=*
	\| rename hostname as "Forwarder Name", version as "Forwarder Version"
	\| table "Forwarder Name", "Forwarder Version"
	\| sort "Forwarder Version", "Forwarder Name"
	</query>
	<earliest>-15m</earliest>
	<latest>now</latest>
	</search>
	<option name="drilldown">none</option>
	<option name="refresh.display">progressbar</option>
	</table>
	</panel>
	</row>
	</dashboard>