Can eventtypes contain macro references

Explorer

I'm working on an app, and have defined various macros to allow easier customization.

An example of my macros.conf

[fooBar]
definition = fooBar*

Then, in my eventtypes.conf, the following does not work:

[myEventType]
search = sourcetype `fooBar`:risk

When I modify eventtypes.conf to remove the macro, it seems to work:

[myEventType]
search = sourcetype fooBar*:risk

Is there a limitation on eventtypes and macros that I am missing? I looked through all 46 apps that I have installed, 26 of which have eventtypes.conf specified, and none of them use macros.

find -L /opt/splunk/etc/apps -name eventtypes.conf -exec grep "\`" {} \;

My only thought is to define an eventtype that mirrors the macro functionality, although in my reading, it sounds like macros are generally preferred to eventtypes (reference this splunkbase article on eventtypes vs. saved searches)

Legend

If the macro ONLY contains search elements, then it should be able to be used in an eventtype definition. So the example that you have given should work.

However, if your macro contains a | (pipe) or a subsearch, then the macro cannot be used as part of an eventtype definition.

Rules for eventtypes here
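
The rule above turned into a check you can run over an app's macros.conf and eventtypes.conf: it resolves every `macro` reference in an eventtype's search and flags macros whose definition contains a pipe or a subsearch. This is example code added here, not from the original post or from Splunk; the three macro stanzas, the badEventType/alsoBad eventtypes and the pipe/"[" heuristic for subsearches are constructed assumptions.

```python
import configparser
import re

# Constructed sample conf files: the question's stanzas plus one macro with a
# pipe and one with a subsearch (assumed, not from the original post).
MACROS_CONF = """
[fooBar]
definition = fooBar*
[errors_piped]
definition = sourcetype=app* | stats count by host
[from_lookup]
definition = [ inputlookup hosts.csv | fields host ]
"""

EVENTTYPES_CONF = """
[myEventType]
search = sourcetype `fooBar`:risk
[badEventType]
search = `errors_piped`
[alsoBad]
search = index=main `from_lookup`
"""

# A macro reference is `name` or `name(args)`; capture only the name.
MACRO_REF = re.compile(r"`([^`(]+)(?:\([^`]*\))?`")


def parse_conf(text):
    """Parse Splunk's INI-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    # Key stanzas by base name so a `foo(1)` reference resolves to [foo(1)].
    return {s.split("(")[0]: dict(cp[s]) for s in cp.sections()}


def check_eventtypes(macros_text, eventtypes_text):
    """Map each offending eventtype to the reasons its macro references are unsafe."""
    macros = parse_conf(macros_text)
    problems = {}
    for name, stanza in parse_conf(eventtypes_text).items():
        for ref in MACRO_REF.findall(stanza.get("search", "")):
            definition = macros.get(ref, {}).get("definition")
            if definition is None:
                problems.setdefault(name, []).append(f"`{ref}` is not defined in macros.conf")
            elif "|" in definition or "[" in definition:
                problems.setdefault(name, []).append(f"`{ref}` contains a pipe or subsearch")
    return problems
```

To lint a real app, pass the contents of its default/macros.conf and default/eventtypes.conf to check_eventtypes; an empty result means every referenced macro is search-only.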

SplunkTrust

Hi,

Have you found the solution for this issue?

I am facing the same. In a standalone instance this works fine; in a cluster (indexer cluster and SH cluster), having a macro in the eventtype definitions makes it fail to work as expected.

Inspecting the job and search.log did really help.

Thank you

Communicator

macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster.
You can add it in distsearch.conf.

Legend

Use the search job inspector (appears as a white i on a blue button near the search controls). The search job inspector provides a lot of info, both for valid searches and for searches with errors. It will give you more details on the error messages, and may show you the macro expansion - if it gets that far.

Explorer

Yes, my macros are exactly this simple (some don't even have wildcards). Do you have any suggestions for troubleshooting where the processing of the eventtype is going south?

Explorer

Yes, it's for different types of events that are within the same sourcetype. I plan to use these eventtypes several times.

Splunk Employee

What are you using the eventtype for in your app? Is it for searches or is it for classification of events?