topic Re: How come a specific macro ends up in generic searches and breaks some of them? in Splunk Search

How come a specific macro ends up in generic searches and breaks some of them?

danielbb — Thu, 14 Nov 2019 21:57:49 GMT

We use the TA-Varonis-DatAlert and it creates the varonis_index macro defined as index=*, which is global.

When running a generic search such as index = _internal sourcetype=splunkd, we see errors from all the indexers saying -

-- 10-17-2019 14:38:32.526 ERROR SearchParser - The search specifies a macro varonis_index that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

How come this specific macro ends up in such a generic search?

Re: How come a specific macro ends up in generic searches and breaks some of them?

yannK — Thu, 14 Nov 2019 22:59:10 GMT

Look like the app or the macro are not global, change that if you want to use the macro outside of the app.

However to have the macro apply to another search, look at :

automatic eval fields that may be calling the macro
tag or eventtypes calling the macro
role search restrictions that may be using the macro

Re: How come a specific macro ends up in generic searches and breaks some of them?

danielbb — Fri, 15 Nov 2019 15:26:15 GMT

Thank you @yannK

$SPLUNK_HOME/etc/apps/TA-Varonis-DatAlert/default/eventtypes.conf starts with -

[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"

Based on the discussions with Splunk and Varonis Support teams, it seems that the varonis_index macro within the eventtypes causes the macro to be embedded in searches such as index = _internal sourcetype=splunkd, which is hard for me to grasp.

Re: How come a specific macro ends up in generic searches and breaks some of them?

danielbb — Tue, 26 Nov 2019 20:24:05 GMT

Replacing the call for the macro varonis_index with the explicit index=<index name> solved the issue.

Re: How come a specific macro ends up in generic searches and breaks some of them?

yannK — Tue, 26 Nov 2019 20:35:14 GMT

cool, you can probably mark the answer as accepted, it will help the other users.

Re: How come a specific macro ends up in generic searches and breaks some of them?

danielbb — Tue, 26 Nov 2019 20:37:15 GMT

Thank you @yannK