Knowledge Management

Can eventtypes contain macro references

Adam_Sealey
Explorer

I'm working on an app, and have defined various macros to allow easier customization.

An example of my macros.conf

[fooBar]
definition = fooBar*

Then, in my eventtypes.conf, the following does not work:

[myEventType]
search = sourcetype `fooBar`:risk

When I modify eventtypes.conf to remove the macro, it seems to work:

[myEventType]
search = sourcetype fooBar*:risk

Is there a limitation on eventtypes and macros that I am missing? I looked through all 46 apps that I have installed, 26 of which have eventtypes.conf specified, and none of them use macros.

find -L /opt/splunk/etc/apps -name eventtypes.conf -exec grep "\`" {} \;

My only thought is to define an eventtype that mirrors the macro functionality, although in my reading, it sounds like macros are generally preferred to eventtypes (reference this splunkbase article on eventtypes vs. saved searches)

lguinn2
Legend

If the macro ONLY contains search elements, then it should be able to be used in an eventtype definition. So the example that you have given should work.

However, if your macro contains a | (pipe) or a subsearch, then the macro cannot be used as part of an eventtype definition.

Rules for eventtypes here
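As an added illustration of the rule above (not code from the thread or from Splunk), the script below expands backtick macro references inside eventtype searches and flags any eventtype whose expanded search contains a pipe or a subsearch. The two .conf texts are constructed samples modelled on the stanzas in the question; the `by_host(1)` and `top_hosts` macros and the extra eventtype stanzas are hypothetical additions, and the parser only handles the simple `[stanza]` / `key = value` layout shown here.

```python
"""Expand macro references in eventtypes.conf searches and flag eventtypes
whose expanded search breaks the eventtype rules (no pipes, no subsearches).
Added example; the sample .conf contents below are constructed, not real."""
import re

# Constructed macros.conf: the question's fooBar macro plus two hypothetical
# ones (an argument-taking macro and one that contains a pipe).
MACROS_CONF = """
[fooBar]
definition = fooBar*

[by_host(1)]
args = host
definition = host=$host$

[top_hosts]
definition = sourcetype=fooBar* | top host
"""

# Constructed eventtypes.conf: the question's stanza plus hypothetical cases.
EVENTTYPES_CONF = """
[myEventType]
search = sourcetype `fooBar`:risk

[hostEventType]
search = `by_host(web01)` sourcetype=fooBar*

[brokenEventType]
search = `top_hosts`

[missingMacroType]
search = `noSuchMacro` error
"""

def parse_conf(text):
    """Minimal parser for Splunk-style .conf text: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

# Matches `name` or `name(arg1, arg2)`; argument-taking macros are stored
# under a stanza named name(<argcount>), as in macros.conf.
MACRO_REF = re.compile(r"`([A-Za-z0-9_]+)(?:\(([^`()]*)\))?`")

def expand_macros(search, macros, depth=0):
    """Replace macro references with their definitions, substituting $arg$
    placeholders, and recurse for macros that reference other macros.
    Raises KeyError for an undefined macro."""
    if depth > 10:
        raise RecursionError("macro nesting too deep")
    def repl(m):
        name, argstr = m.group(1), m.group(2)
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        stanza = f"{name}({len(args)})" if args else name
        if stanza not in macros:
            raise KeyError(stanza)
        definition = macros[stanza]["definition"]
        params = [p.strip() for p in macros[stanza].get("args", "").split(",") if p.strip()]
        for param, value in zip(params, args):
            definition = definition.replace(f"${param}$", value)
        return definition
    expanded = MACRO_REF.sub(repl, search)
    if MACRO_REF.search(expanded):
        return expand_macros(expanded, macros, depth + 1)
    return expanded

QUOTED = re.compile(r'"[^"]*"')  # ignore pipes/brackets inside string literals

def check_eventtypes(eventtypes, macros):
    """Return {eventtype: (expanded_search, problem_or_None)}."""
    results = {}
    for name, stanza in eventtypes.items():
        search = stanza.get("search", "")
        try:
            expanded = expand_macros(search, macros)
        except KeyError as e:
            results[name] = (search, f"undefined macro {e.args[0]}")
            continue
        bare = QUOTED.sub('""', expanded)
        if "|" in bare:
            problem = "contains a pipe"
        elif "[" in bare:
            problem = "contains a subsearch"
        else:
            problem = None
        results[name] = (expanded, problem)
    return results

def run():
    """Check the constructed sample files and return the per-eventtype verdicts."""
    return check_eventtypes(parse_conf(EVENTTYPES_CONF), parse_conf(MACROS_CONF))

if __name__ == "__main__":
    for et, (expanded, problem) in run().items():
        print(f"{et}: {expanded!r} -> {problem or 'OK'}")
```

Running it shows `myEventType` expanding to the same search the questioner says works without the macro, while `brokenEventType` is rejected because the expanded text carries a pipe. To point it at a real app, replace the two embedded strings with the contents of the app's macros.conf and eventtypes.conf.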

guilmxm
Influencer

Hi,

Have you found the solution for this issue?

I am facing the same. In a standalone instance this works fine; in a cluster (indexer cluster and SH cluster), having a macro in the eventtype definitions makes it fail to work as expected.

Inspecting the job and search.log did really help.

Thank you

0 Karma

greich
Communicator

macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster.
You can add it in distsearch.conf.

0 Karma

lguinn2
Legend

Use the search job inspector (appears as a white i on a blue button near the search controls). The search job inspector provides a lot of info, both for valid searches and for searches with errors. It will give you more details on the error messages, and may show you the macro expansion - if it gets that far.

0 Karma

Adam_Sealey
Explorer

Yes, my macros are exactly this simple (some don't even have wildcards). Do you have any suggestions for troubleshooting where the processing of the eventtype is going south?

0 Karma

Adam_Sealey
Explorer

Yes, it's for different types of events that are within the same sourcetype. I plan to use these eventtypes several times

0 Karma

dart
Splunk Employee

What are you using the eventtype for in your app? Is it for searches or is it for classification of events?

0 Karma