Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: Streamed search execute failed Error in 'Searc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This morning I updated my splunk servers to Splunk 6.1 (1 SH, 1 Indexer, 1 Deployment)
No errors during the upgrade.
I restart Splunk and he did not complain.
I tried to display a dashboard and I had this error message:
[slpiussplnk02] Streamed search execute failed because: Error in 'SearchParser': Could not find macro 'sep_admin_sourcetype' that takes 0 arguments. Expecting stanza name 'sep_admin_sourcetype'
This message appears on every search, even if it's not related to SEP (symantec Endpoint protection).
I looked for macros.conf into the SH and Indexer and "sep_admin_sourcetype" was here.
Now I don't know where to look.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Do you have the same issue?
I changed multiple things in eventtypes.conf:
I replaced all macro relative to sourcetypes like:
`sep_scan_sourcetype`
by
index=symantec sourcetype=sep12:scan
I use sep12 and my index is symantec, so you might have to tweak it. Another Example:
#### sep:admin
[sep_admin_authentication]
#search = `sep_admin_sourcetype` ("log on succeeded" OR "log on failed")
search = index=symantec sourcetype=sep12:admin ("log on succeeded" OR "log on failed")
#tags = authentication
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Do you have the same issue?
I changed multiple things in eventtypes.conf:
I replaced all macro relative to sourcetypes like:
`sep_scan_sourcetype`
by
index=symantec sourcetype=sep12:scan
I use sep12 and my index is symantec, so you might have to tweak it. Another Example:
#### sep:admin
[sep_admin_authentication]
#search = `sep_admin_sourcetype` ("log on succeeded" OR "log on failed")
search = index=symantec sourcetype=sep12:admin ("log on succeeded" OR "log on failed")
#tags = authentication
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you solve it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK it was a problem with the Application SplunkForSymantec.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The permission is set to Global.
All apps in Read for everyone and Write for Admin.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One thing to look here could be the Sharing permission of the macro. Go to Manager » Advanced search » Search macros, select appropriate app context and see if the macro exists and its sharing permission is set to 'All apps' and read/write to appropriate roles.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
