topic Re: ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found. in All Apps and Add-ons

ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.

kevinmanson — Tue, 29 Sep 2020 19:41:55 GMT

Getting the error below in the 1.0.3 version of the Technology Add-on for CrowdStrike.

ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

ERROR TsidxStats - Error in 'SearchParser': The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Re: ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.

kevinmanson — Sun, 27 May 2018 09:40:15 GMT

To the developer please remove the macro's from TA-crowdstrike/default/eventtypes.conf.
macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add macros to replicate to indexers in distsearch.conf, or better yet just remove the macro from eventtypes.conf as its not needed.

[crowdstrike_detection]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=DetectionSummaryEvent

[crowdstrike_authentication]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=AuthActivityAuditEvent

[crowdstrike_change]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=UserActivityAuditEvent

[crowdstrike_action]
search = sourcetype="crowdstrike:falconhost:ar"

[crowdstrike_query_detection]
search = sourcetype="crowdstrike:falconhost:query:json" source="/detects/entities/summaries/GET/v1"

[crowdstrike_query_indicator]
search = sourcetype="crowdstrike:falconhost:query:json" source="/indicators/entities/iocs/v1?ids="

[crowdstrike_query_device]
search = sourcetype="crowdstrike:falconhost:query:json" source="/devices/entities/devices/v1?ids="

Re: ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.

FloSwiip — Mon, 23 Jul 2018 09:11:22 GMT

Bug still here in 1.0.4 and breaking the ES datamodel used by Intrusion Center dashboards

My workaround on the searchHeads is to replace the macro directly by the index name of crowdstrike.

cd etc/apps/TA-crowdstrike ; mkdir -p local
sed 's/`cs_get_index`/index=crowdstrike/' default/eventtypes.conf  > local/eventtypes.conf

Re: ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.

Sahr_Lebbie — Wed, 04 Dec 2019 15:16:45 GMT

Weird, ran into this issue with palo_alto add-on after pushing a shcluster bundle and forcing a SH restart.

The pan_traps index was not able to be found. I just created the macro myself since and made it global but just weird how this issue appeared after the app was working fine before.

Re: ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.

gregz00 — Tue, 04 Feb 2020 18:01:53 GMT

Getting this in Splunk Cloud, any work arounds?