https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154519#M1479 <P>Hi,</P> <P>Do you have the same issue?</P> <P>I changed multiple things in eventtypes.conf:<BR /> I replaced all macro relative to sourcetypes like: </P> <PRE><CODE>`sep_scan_sourcetype` by index=symantec sourcetype=sep12:scan </CODE></PRE> <P>I use sep12 and my index is symantec, so you might have to tweak it. Another Example:</P> <PRE><CODE>#### sep:admin [sep_admin_authentication] #search = `sep_admin_sourcetype` ("log on succeeded" OR "log on failed") search = index=symantec sourcetype=sep12:admin ("log on succeeded" OR "log on failed") #tags = authentication </CODE></PRE> Fri, 16 May 2014 15:09:15 GMT bgaignon 2014-05-16T15:09:15Z https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154514#M1474 <P>Hi,</P> <P>This morning I updated my splunk servers to Splunk 6.1 (1 SH, 1 Indexer, 1 Deployment)<BR /> No errors during the upgrade.<BR /> I restart Splunk and he did not complain.</P> <P>I tried to display a dashboard and I had this error message:</P> <PRE><CODE>[slpiussplnk02] Streamed search execute failed because: Error in 'SearchParser': Could not find macro 'sep_admin_sourcetype' that takes 0 arguments. Expecting stanza name 'sep_admin_sourcetype' </CODE></PRE> <P>This message appears on every search, even if it's not related to SEP (symantec Endpoint protection).</P> <P>I looked for macros.conf into the SH and Indexer and "sep_admin_sourcetype" was here.<BR /> Now I don't know where to look.</P> Tue, 06 May 2014 19:49:49 GMT https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154514#M1474 bgaignon 2014-05-06T19:49:49Z https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154515#M1475 <P>One thing to look here could be the Sharing permission of the macro. Go to Manager » Advanced search » Search macros, select appropriate app context and see if the macro exists and its sharing permission is set to 'All apps' and read/write to appropriate roles.</P> Tue, 06 May 2014 20:00:12 GMT https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154515#M1475 somesoni2 2014-05-06T20:00:12Z https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154516#M1476 <P>The permission is set to Global.<BR /> All apps in Read for everyone and Write for Admin.</P> Tue, 06 May 2014 20:04:06 GMT https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154516#M1476 bgaignon 2014-05-06T20:04:06Z https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154517#M1477 <P>OK it was a problem with the Application SplunkForSymantec. </P> Tue, 06 May 2014 21:53:54 GMT https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154517#M1477 bgaignon 2014-05-06T21:53:54Z https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154518#M1478 <P>How did you solve it?</P> Fri, 16 May 2014 14:55:46 GMT https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154518#M1478 zowa 2014-05-16T14:55:46Z https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154519#M1479 <P>Hi,</P> <P>Do you have the same issue?</P> <P>I changed multiple things in eventtypes.conf:<BR /> I replaced all macro relative to sourcetypes like: </P> <PRE><CODE>`sep_scan_sourcetype` by index=symantec sourcetype=sep12:scan </CODE></PRE> <P>I use sep12 and my index is symantec, so you might have to tweak it. Another Example:</P> <PRE><CODE>#### sep:admin [sep_admin_authentication] #search = `sep_admin_sourcetype` ("log on succeeded" OR "log on failed") search = index=symantec sourcetype=sep12:admin ("log on succeeded" OR "log on failed") #tags = authentication </CODE></PRE> Fri, 16 May 2014 15:09:15 GMT https://community.splunk.com/t5/Knowledge-Management/Streamed-search-execute-failed-Error-in-SearchParser/m-p/154519#M1479 bgaignon 2014-05-16T15:09:15Z