Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- ERROR SearchParser - The search specifies a macro ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting the error below in the 1.0.3 version of the Technology Add-on for CrowdStrike.
ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
ERROR TsidxStats - Error in 'SearchParser': The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To the developer please remove the macro's from TA-crowdstrike/default/eventtypes.conf.
macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add macros to replicate to indexers in distsearch.conf, or better yet just remove the macro from eventtypes.conf as its not needed.
[crowdstrike_detection]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=DetectionSummaryEvent
[crowdstrike_authentication]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=AuthActivityAuditEvent
[crowdstrike_change]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=UserActivityAuditEvent
[crowdstrike_action]
search = sourcetype="crowdstrike:falconhost:ar"
[crowdstrike_query_detection]
search = sourcetype="crowdstrike:falconhost:query:json" source="/detects/entities/summaries/GET/v1"
[crowdstrike_query_indicator]
search = sourcetype="crowdstrike:falconhost:query:json" source="/indicators/entities/iocs/v1?ids="
[crowdstrike_query_device]
search = sourcetype="crowdstrike:falconhost:query:json" source="/devices/entities/devices/v1?ids="
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting this in Splunk Cloud, any work arounds?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To the developer please remove the macro's from TA-crowdstrike/default/eventtypes.conf.
macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add macros to replicate to indexers in distsearch.conf, or better yet just remove the macro from eventtypes.conf as its not needed.
[crowdstrike_detection]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=DetectionSummaryEvent
[crowdstrike_authentication]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=AuthActivityAuditEvent
[crowdstrike_change]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=UserActivityAuditEvent
[crowdstrike_action]
search = sourcetype="crowdstrike:falconhost:ar"
[crowdstrike_query_detection]
search = sourcetype="crowdstrike:falconhost:query:json" source="/detects/entities/summaries/GET/v1"
[crowdstrike_query_indicator]
search = sourcetype="crowdstrike:falconhost:query:json" source="/indicators/entities/iocs/v1?ids="
[crowdstrike_query_device]
search = sourcetype="crowdstrike:falconhost:query:json" source="/devices/entities/devices/v1?ids="
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bug still here in 1.0.4 and breaking the ES datamodel used by Intrusion Center dashboards
My workaround on the searchHeads is to replace the macro directly by the index name of crowdstrike.
cd etc/apps/TA-crowdstrike ; mkdir -p local
sed 's/`cs_get_index`/index=crowdstrike/' default/eventtypes.conf > local/eventtypes.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Weird, ran into this issue with palo_alto add-on after pushing a shcluster bundle and forcing a SH restart.
The pan_traps index was not able to be found. I just created the macro myself since and made it global but just weird how this issue appeared after the app was working fine before.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
