Note: Unless you are on 6.2 there is a bug where if you have Splunk generate a PDF of a dashboard where a macro is in an inline search and the macro is not shared globablly the PDF generation will fail. This most impacts the Change Overview Dashboard which was designed with the idea that you would automate email delivery. Baring upgrading your environment to 6.2 the workaround is to make the macros for this dashboard all global (or convert the serarches to a saved search). The macros in question are basically all of them from the top of the macro page until you get down to and to include ct_whitelisted_dates.
The full set of instructions are included in the app.
The app has two components; both are within this app. The first component is the TA that will need to be deployed to each indexer and search head. That is located in the appserver/addons directory. The second is the visualizations contained within this app.
Once installed there are a few things you will need to adjust.
1. Adjust the number and naming convetion of your indexers and search heads in the indexer_name/count and search_head_name/count macros.
2. By default the TA will put the output of the scheduled searches (once a day) into the _audit directory. If this is adjusted you will need to adjust the ct_config_index macro.
3. The change overview dashboard is configured to show changes over the last week. If you want to adjust that simply adjust the ct_report_period macro
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.