So I copied the Enterprise Security app folder from the old SH to the new one, but it is showing a macro not found error. Where can I find the macros of this app, and how do I migrate them as well?
Hi @SN1
I would recommend running the following on your old SH to easily find out where the macro is:
/opt/splunk/bin/splunk btool macros list MacroName --debug
Replace MacroName with the name of your missing macro - this should output the configuration of the macro and include the path that the macro resides in.
If you still do not see the macro there then it could be a private Knowledge Object. Did you copy your users' custom data from /opt/splunk/etc/users as well? Did you copy all the apps from the old SH to the new SH?
Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards
Will
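The btool check above, extended from one macro to the whole migration, as an added example that is not part of the answer: it compares saved `btool macros list --debug` dumps from both search heads and prints every macro stanza present on the old one but absent on the new one, with the macros.conf it came from. The function names, macro names and app path are constructed for illustration, and conf paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example. Save a dump on each search head with:
#   /opt/splunk/bin/splunk btool macros list --debug > dump.txt
# Each --debug line is "<path to macros.conf> <config line>".
# Assumption: conf paths contain no whitespace.

# Print "macro name<TAB>conf path" for every stanza header in a dump.
list_stanzas() {
    awk '/^[^ \t]+[ \t]+\[[^]]+\][ \t]*$/ {
        name = $0
        sub(/^[^ \t]+[ \t]+\[/, "", name)   # drop path and opening bracket
        sub(/\][ \t]*$/, "", name)          # drop closing bracket
        print name "\t" $1
    }' "$1"
}

# Print stanzas found in the old dump ($1) but not in the new dump ($2).
missing_macros() {
    old_list=$(mktemp); new_names=$(mktemp)
    list_stanzas "$1" | sort -u > "$old_list"
    list_stanzas "$2" | cut -f1 | sort -u > "$new_names"
    # FILENAME test (not NR==FNR) so an empty new dump is handled correctly.
    awk -F '\t' 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' \
        "$new_names" "$old_list"
    rm -f "$old_list" "$new_names"
}

# Constructed sample dumps (hypothetical app and macro names).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/old.txt" <<'EOF'
/opt/splunk/etc/apps/example_app/local/macros.conf   [example_notable_filter]
/opt/splunk/etc/apps/example_app/local/macros.conf   definition = index=notable [search index=main]
/opt/splunk/etc/apps/example_app/default/macros.conf [example_indexes(1)]
/opt/splunk/etc/apps/example_app/default/macros.conf args = idx
/opt/splunk/etc/apps/example_app/default/macros.conf definition = index=$idx$
EOF
    cat > "$dir/new.txt" <<'EOF'
/opt/splunk/etc/apps/example_app/default/macros.conf [example_indexes(1)]
/opt/splunk/etc/apps/example_app/default/macros.conf args = idx
/opt/splunk/etc/apps/example_app/default/macros.conf definition = index=$idx$
EOF
    missing_macros "$dir/old.txt" "$dir/new.txt"
    rm -rf "$dir"
}
demo
```

A macro that shows up under a `local` directory in the old dump but is missing from the new one points to a customization that was not copied across.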
@SN1 When migrating from an old search head to a new one, it's essential to ensure that all configurations, including macros, are correctly transferred. However, if you're encountering issues such as missing macros after the migration, it indicates that some components may not have been properly moved. To address this, I recommend reaching out to Splunk Support for personalized assistance.
Hi @kiran_panchavat ,
adding a bit of information to the perfect answer of @kiran_panchavat:
it's always a best practice to save all the customizations that you did in ES in a custom app, e.g. custom field extractions, custom correlation searches or dashboards or reports, or, as in your case, macros: don't leave anything custom in the Enterprise Security (and the other module) app.
Ciao.
Giuseppe
Locate Macros in the Old Search Head
From the Splunk UI: