- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Streamed search execute failed Error in 'SearchPar...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This morning I updated my splunk servers to Splunk 6.1 (1 SH, 1 Indexer, 1 Deployment)
No errors during the upgrade.
I restart Splunk and he did not complain.
I tried to display a dashboard and I had this error message:
[slpiussplnk02] Streamed search execute failed because: Error in 'SearchParser': Could not find macro 'sep_admin_sourcetype' that takes 0 arguments. Expecting stanza name 'sep_admin_sourcetype'
This message appears on every search, even if it's not related to SEP (symantec Endpoint protection).
I looked for macros.conf into the SH and Indexer and "sep_admin_sourcetype" was here.
Now I don't know where to look.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Do you have the same issue?
I changed multiple things in eventtypes.conf:
I replaced all macro relative to sourcetypes like:
`sep_scan_sourcetype`
by
index=symantec sourcetype=sep12:scan
I use sep12 and my index is symantec, so you might have to tweak it. Another Example:
#### sep:admin
[sep_admin_authentication]
#search = `sep_admin_sourcetype` ("log on succeeded" OR "log on failed")
search = index=symantec sourcetype=sep12:admin ("log on succeeded" OR "log on failed")
#tags = authentication
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Do you have the same issue?
I changed multiple things in eventtypes.conf:
I replaced all macro relative to sourcetypes like:
`sep_scan_sourcetype`
by
index=symantec sourcetype=sep12:scan
I use sep12 and my index is symantec, so you might have to tweak it. Another Example:
#### sep:admin
[sep_admin_authentication]
#search = `sep_admin_sourcetype` ("log on succeeded" OR "log on failed")
search = index=symantec sourcetype=sep12:admin ("log on succeeded" OR "log on failed")
#tags = authentication
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you solve it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK it was a problem with the Application SplunkForSymantec.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The permission is set to Global.
All apps in Read for everyone and Write for Admin.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One thing to look here could be the Sharing permission of the macro. Go to Manager » Advanced search » Search macros, select appropriate app context and see if the macro exists and its sharing permission is set to 'All apps' and read/write to appropriate roles.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
