Splunk Search

How come the comment "macro" is not working?

weidertc
Communicator

I must be out of my mind. The comments built-in macro since version 6.5.0 gives me an error that it can't find the macro. I'm using the syntax found in the docs here, with my version of splunk in the url so it shows the one for my version.

https://docs.splunk.com/Documentation/Splunk/6.6.10/Search/Addcommentstosearches

index=* sourcetype=* `comment("THIS IS A COMMENT")`

this gives me an error

Error in 'SearchParser': The search specifies a macro 'comment' that cannot be found.

What could I be doing incorrectly?

Chris

1 Solution

dflodstrom
Builder

For some reason the comment macro's sharing is set to "app" out of the box. You'll have to use a configuration package (app) or navigate to Settings>Advanced Search>Macros to update the permissions.

View solution in original post

petrose
Engager

Hi,
I am experiencing the same as Chris but I have investigated the macro properties of the Comment macro:
alt text
And I am going to use Comments in the service_iam_na application listed in the Permissions overview.

What is cause of my problem ?

,

0 Karma

petrose
Engager

My problem was resolved ! First issue:
'Everyone' had Read access to macro, doesn't mean that every Dashboard can use it...

You have to explicitly allow it to Read the Macro...in order for it to work.

0 Karma

dflodstrom
Builder

For some reason the comment macro's sharing is set to "app" out of the box. You'll have to use a configuration package (app) or navigate to Settings>Advanced Search>Macros to update the permissions.

weidertc
Communicator

Thanks, now I see it, and it's set to app permissions. I'll work with our Splunk admins to update this.

Vijeta
Influencer

what version of splunk you are running? Also make sure you are running it in search app.

0 Karma

weidertc
Communicator

i am on v 6.6.10. So I can't run this in all the apps with a search bar? it only works in search app? Everyone here uses their own department's app to segregate pci/phi/etc with permissions.

0 Karma

Vijeta
Influencer

Check macros.conf in search app , you can copy macro for comments in other app if you need it. Try if your search with comment macro is working on search app, check permissions and copy to other app if needed.

weidertc
Communicator

thanks, i'll work with the splunk admins.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...