https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325349#M174932 <P>There was an actual bug in Splunk for a while that was preventing this from working. I don't know if it was ever officially fixed or not, but I gave up on using macros in eventtypes being that everything seemed to be brittle or unreliable.</P> <P>Last time I heard others discussing it, they seemed to indicate it was still an issue.</P> Wed, 12 Apr 2017 10:33:41 GMT rjthibod 2017-04-12T10:33:41Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325348#M174931 <P>Hi Splunkers,</P> <P>I have distributed environment. when I tried searching for eventtype which contains macro is not working.</P> <P>I have seen docs saying that macros are by default skipped from search head knowledge bundle. But, I have added distsearch.conf in TA where eventtype resides and I can see macros.conf in knowledge bundle getting replicated to search peers. still I am not able to get results from eventtype . when I expand eventtype in search showing results. </P> <P>Thanks in advance.</P> Wed, 12 Apr 2017 08:48:51 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325348#M174931 thambisetty 2017-04-12T08:48:51Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325349#M174932 <P>There was an actual bug in Splunk for a while that was preventing this from working. I don't know if it was ever officially fixed or not, but I gave up on using macros in eventtypes being that everything seemed to be brittle or unreliable.</P> <P>Last time I heard others discussing it, they seemed to indicate it was still an issue.</P> Wed, 12 Apr 2017 10:33:41 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325349#M174932 rjthibod 2017-04-12T10:33:41Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325350#M174933 <P>What version of splunk are you using?</P> <P>If you're on 6.5.x, upgrade to 6.5.3: <A href="http://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/6.5.3#Uncategorized_issues">http://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/6.5.3#Uncategorized_issues</A><BR /> If you're on 6.4.x, wait for 6.4.7 (allegedly).<BR /> If you're on 6.3.x, upgrade to 6.5.3 <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> If you're on 6.2.x or earlier, eventtypes with macros should work.</P> Wed, 12 Apr 2017 10:42:52 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325350#M174933 martin_mueller 2017-04-12T10:42:52Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325351#M174934 <P>Thanks Martin_mueller..</P> <P>Running on 6.5.2. I will update my splunk to latest version.</P> Wed, 12 Apr 2017 12:26:24 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325351#M174934 thambisetty 2017-04-12T12:26:24Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325352#M174935 <P>Yes, It was listed and fixed in splunk latest version.</P> <P>find comment below from martin_mueller</P> Wed, 12 Apr 2017 12:27:35 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325352#M174935 thambisetty 2017-04-12T12:27:35Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325353#M174936 <P>We are running Splunk 7.0.3, in a distributed setting.</P> <P>On a search cluster running Splunk Enterprise Security, we added the SentenilOne TA, made it work inside ES to search with a macro (s1_index) defined in the TA.</P> <P>However, when searching in ES with "tag=malware" which pulls in that macro, we get these error messages from our indexers:</P> <BLOCKQUOTE> <P>Error in 'SearchParser': The search specifies a macro 's1_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.</P> </BLOCKQUOTE> <P>Inspecting the search job, I find this in the "remoteSearch":</P> <PRE><CODE>( `s1_index` sourcetype=threat ) </CODE></PRE> <P>That seems to mean that the macro is not expanded locally before dispatch, nor is the macro definition included in the search bundle.</P> Thu, 28 Jun 2018 21:03:17 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325353#M174936 ww9rivers 2018-06-28T21:03:17Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325354#M174937 <P>Did you configure distsearch.conf as mentioned in the question? </P> Fri, 29 Jun 2018 06:34:17 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325354#M174937 martin_mueller 2018-06-29T06:34:17Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325355#M174938 <P>Yes. I have added this stanza in the <CODE>distsearch.conf</CODE> file:</P> <PRE><CODE>[replicationSettings:refineConf] replicate.macros = true </CODE></PRE> Thu, 12 Jul 2018 19:19:02 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325355#M174938 ww9rivers 2018-07-12T19:19:02Z https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325356#M174939 <P>Hi,<BR /> I am also facing the same issue in Splunk 7.1.1 version.i tried adding config in distsearch.conf as well.still doe not work out.Do you have the resolution for this ?</P> Tue, 24 Sep 2019 05:40:39 GMT https://community.splunk.com/t5/Splunk-Search/eventtype-which-contains-macro-is-not-working/m-p/325356#M174939 sujanay02 2019-09-24T05:40:39Z