Knowledge Management

Can Splunk Enterprise Security use macros from another app?

khagan
Path Finder

I'm trying to create a correlation search that uses a macro from a custom application, but when I try to save it, I get the error:
There was an error saving the correlation search. Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Trying to run the search within Enterprise Security returns the same error:
Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

I have looked in Advanced Search->Search macros, and the custom macro definitely does exist and is spelled correctly, and I have edited the permissions so that is available in all apps and all users have "read" permission.

If I run the same search from another app such as Search & Reporting, or another custom application, it executes without any errors and returns data. The only app that cannot run it is Enterprise Security. What might be causing this?

0 Karma

sk314
Builder

Have you looked at https://docs.splunk.com/Documentation/ES/4.7.2/Install/ImportCustomApps? Esp. this part "Import add-ons with a different naming convention". In short, edit the update_es input with a regex matching your custom app that has the macro is question.

DalJeanis
SplunkTrust
SplunkTrust

Is there any chance that within that app the name of custom_macro is colliding with another custom_macro that you have no permissions for?

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.