Knowledge Management

Setup endpoints for macros?

bojanz
Communicator

Hi,

I created an app that uses the setup.xml file to allow easy configuration.
The app is configured to use two macros that I want to setup through the setup.xml file, which looks like this:

<setup>

  <block title="Specify the index with your Windows Event Logs"
         endpoint="admin/macros"
         entity="windowsindex">

    <input field="definition">
      <label>Specify the index</label>
      <type>index=main</type>
    </input>

  </block>
</setup>

This works fine and the administrator can setup the application. However, I noticed that after setting up the application, the macro is not visible for normal users of Splunk, who get the following error:

Error in 'SearchParser': Could not find macro 'windowsindex' that takes 0 arguments. Expecting stanza name 'windowsindex'.

In splunkd.log I can see this error:

08-15-2011 10:57:18.036 +0200 ERROR SearchParser - Could not find macro 'windowsindex' that takes 0 arguments. Expecting stanza name 'windowsindex'.

It works perfect for the admin user, and I can see in /local/macros.conf that the new macros have been created correctly, but it doesn't work for normal users.

Am I using a wrong endpoint? Or something additional has to be done for normal users?

Thanks.

Tags (3)
0 Karma

sideview
SplunkTrust
SplunkTrust

I ran into something similar recently. Basically the problem is that because macros are not shared by default, you have to mark them as shared in the app config. As an app developer you get used to everything being shared or even 'global' (for instance savedsearches are shared by default so they dont need this trick) but macros are for some reason different.

So the solution is probably just as simple as packaging a 'default.meta' file in the 'metadata' directory of your app, that looks like this. (lets say your macro is called 'foo')

[macros/geo_foo]
access = read : [ * ], write : [ admin ]
export = none
owner = admin

All this does is make that macro shared to all users of your app, and that might be all it takes. I cant be sure -- I had a little more going on since I was using a custom endpoint, not the default setup.xml behavior, so i cant say for sure.

Also make sure that if your testing has created a situation where you have two 'foo' macros in manager, where one is the 'no-owner' one, and one is a 'private' one, delete the private one or the code can get pretty confused and give you weird errors.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...