Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can Splunk Enterprise Security use macros from another app?

khagan
Path Finder
‎08-28-2017 04:04 AM

I'm trying to create a correlation search that uses a macro from a custom application, but when I try to save it, I get the error:
There was an error saving the correlation search. Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Trying to run the search within Enterprise Security returns the same error:
Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

I have looked in Advanced Search->Search macros, and the custom macro definitely does exist and is spelled correctly, and I have edited the permissions so that is available in all apps and all users have "read" permission.

If I run the same search from another app such as Search & Reporting, or another custom application, it executes without any errors and returns data. The only app that cannot run it is Enterprise Security. What might be causing this?

0 Karma
Reply

sk314
Builder
‎08-28-2017 12:39 PM

Have you looked at https://docs.splunk.com/Documentation/ES/4.7.2/Install/ImportCustomApps? Esp. this part "Import add-ons with a different naming convention". In short, edit the update_es input with a regex matching your custom app that has the macro is question.

Reply

DalJeanis
Legend
‎08-28-2017 09:43 AM

Is there any chance that within that app the name of custom_macro is colliding with another custom_macro that you have no permissions for?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...