Knowledge Management

Can Splunk Enterprise Security use macros from another app?

khagan
Path Finder

I'm trying to create a correlation search that uses a macro from a custom application, but when I try to save it, I get the error:
There was an error saving the correlation search. Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Trying to run the search within Enterprise Security returns the same error:
Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

I have looked in Advanced Search->Search macros, and the custom macro definitely does exist and is spelled correctly, and I have edited the permissions so that is available in all apps and all users have "read" permission.

If I run the same search from another app such as Search & Reporting, or another custom application, it executes without any errors and returns data. The only app that cannot run it is Enterprise Security. What might be causing this?

0 Karma

sk314
Builder

Have you looked at https://docs.splunk.com/Documentation/ES/4.7.2/Install/ImportCustomApps? Esp. this part "Import add-ons with a different naming convention". In short, edit the update_es input with a regex matching your custom app that has the macro is question.

DalJeanis
Legend

Is there any chance that within that app the name of custom_macro is colliding with another custom_macro that you have no permissions for?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...