Which is the best implementation of macros.conf file for both app and TA?

New Member

I have a macro.conf file containing a macro with definition:
definition = index="SOMEINDEX" AND sourcetype="SOMESOURCETYPE" both of which dymanic from client side.

The above macro is being used in eventtype.conf (inside TA) and a summaries macro in savedsearch.conf (inside App).

Currently, the macros.conf is in TA and hence the App Inspect shows failure for App as it could not find the given macros.conf file.

As per splunk practices, keeping a same macro file in both app and TA is not recommended.
Also, there is another workaround of using role-based indexing which is a norm but we used macro-based workflow because of the following case:

What is the best practice implementation which should be implemented?
1) Using two macros.conf in App and TA (each having individual macro for savedsearch and eventtype)
2) Request App cert team to allow the scenario as App and TA would always be bundled together on client environment
3) Any other scenario which do not affect the finctionality as well passes Splunk certification?

Tags (1)
0 Karma