Knowledge Management

Can eventtypes contain macro references?

Adam_Sealey
Explorer

I'm working on an app, and have defined various macros to allow easier customization.

An example of my macros.conf

[fooBar]
definition = fooBar*

Then, in my eventtypes.conf, the following does not work:

[myEventType]
search = sourcetype `fooBar`:risk

When I modify eventtypes.conf to remove the macro, it seems to work:

[myEventType]
search = sourcetype fooBar*:risk

Is there a limitation on eventtypes and macros that I am missing? I looked through all 46 apps that I have installed, 26 of which have eventtypes.conf specified, and none of them use macros.

find -L /opt/splunk/etc/apps -name eventtypes.conf -exec grep "\`" {} \;

My only thought is to define an eventtype that mirrors the macro functionality, although in my reading, it sounds like macros are generally preferred to eventtypes (reference this splunkbase article on eventtypes vs. saved searches)

lguinn2
Legend

If the macro ONLY contains search elements, then it should be able to be used in an eventtype definition. So the example that you have given should work.

However, if your macro contains a | (pipe) or a subsearch, then the macro cannot be used as part of an eventtype definition.

Rules for eventtypes here
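The rule stated in this answer (a macro may be referenced from an eventtype search only if its definition contains no pipe and no subsearch) can be checked offline before deploying an app. The script below is an added example and is not code from the original thread or from Splunk; it uses a minimal parser for the .conf stanza syntax, expands backtick macro references the way the search head would for a simple macro (macros with arguments are not handled), and flags any referenced macro whose definition contains a `|` or a `[` subsearch. The macros.conf and eventtypes.conf contents are constructed inline, modelled on the stanzas quoted in the question; the `risky` and `withsub` macros are hypothetical.

```python
"""Added example: expand macro references in eventtypes.conf and flag macros
that lguinn2's rule says cannot be used inside an eventtype definition."""
import re

# Constructed sample files (not from the thread); only [fooBar] / [myEventType]
# mirror the question, the other stanzas are hypothetical negative cases.
MACROS_CONF = """
[fooBar]
definition = fooBar*

[risky]
definition = index=main | stats count

[withsub]
definition = [search sourcetype=lookup | fields host]
"""

EVENTTYPES_CONF = """
[myEventType]
search = sourcetype `fooBar`:risk

[badEventType]
search = `risky` error

[subEventType]
search = host `withsub`
"""

# A simple backtick reference: `name` (argument-taking macros are out of scope here).
MACRO_REF = re.compile(r"`([A-Za-z0-9_]+)`")


def parse_conf(text):
    """Minimal parser for Splunk .conf syntax: [stanza] headers and key = value lines.
    Only the first '=' splits key from value, so definitions containing '=' survive."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def macro_is_eventtype_safe(definition):
    """The rule from the answer: no pipe and no subsearch in the macro body."""
    return "|" not in definition and "[" not in definition


def expand_search(search, macros):
    """Replace each `name` reference with that macro's definition text."""
    def substitute(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError("undefined macro: %s" % name)
        return macros[name]["definition"]
    return MACRO_REF.sub(substitute, search)


def check_eventtypes(eventtypes_text, macros_text):
    """Return {eventtype: (expanded_search, [macros that violate the rule])}."""
    macros = parse_conf(macros_text)
    results = {}
    for name, stanza in parse_conf(eventtypes_text).items():
        search = stanza.get("search", "")
        offending = [
            m.group(1) for m in MACRO_REF.finditer(search)
            if m.group(1) in macros
            and not macro_is_eventtype_safe(macros[m.group(1)]["definition"])
        ]
        results[name] = (expand_search(search, macros), offending)
    return results


if __name__ == "__main__":
    for et, (expanded, bad) in check_eventtypes(EVENTTYPES_CONF, MACROS_CONF).items():
        status = "OK" if not bad else "NOT ALLOWED (%s)" % ", ".join(bad)
        print("%-14s %-40s %s" % (et, expanded, status))
```

Run against real files by reading `apps/<app>/default/macros.conf` and `eventtypes.conf` into the two strings; for the question's own stanzas the expansion is `sourcetype fooBar*:risk` with nothing flagged, which is consistent with the answer that the posted example should work.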

guilmxm
Influencer

Hi,

Have you found the solution for this issue?

I am facing the same. In a standalone instance this works fine; in a cluster (indexer cluster and SH cluster), having a macro in the eventtype definitions makes it fail to work as expected.

Inspecting the job and search.log really did help.

Thank you

0 Karma

greich
Communicator

macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster.
You can add it in distsearch.conf.

0 Karma

lguinn2
Legend

Use the search job inspector (appears as a white i on a blue button near the search controls). The search job inspector provides a lot of info, both for valid searches and for searches with errors. It will give you more details on the error messages, and may show you the macro expansion - if it gets that far.

0 Karma

Adam_Sealey
Explorer

Yes, my macros are exactly this simple (some don't even have wildcards). Do you have any suggestions for troubleshooting where the processing of the eventtype is going south?

0 Karma

Adam_Sealey
Explorer

Yes, it's for different types of events that are within the same sourcetype. I plan to use these eventtypes several times

0 Karma

dart
Splunk Employee

What are you using the eventtype for in your app? Is it for searches or is it for classification of events?

0 Karma