Hi,
This morning I updated my Splunk servers to Splunk 6.1 (1 SH, 1 Indexer, 1 Deployment).
No errors during the upgrade.
I restarted Splunk and it did not complain.
I tried to display a dashboard and I had this error message:
[slpiussplnk02] Streamed search execute failed because: Error in 'SearchParser': Could not find macro 'sep_admin_sourcetype' that takes 0 arguments. Expecting stanza name 'sep_admin_sourcetype'
This message appears on every search, even if it's not related to SEP (Symantec Endpoint Protection).
I looked for macros.conf on the SH and Indexer and "sep_admin_sourcetype" was there.
Now I don't know where to look.
Hi,
Do you have the same issue?
I changed multiple things in eventtypes.conf:
I replaced all macros relating to sourcetypes, such as:
`sep_scan_sourcetype`
by
index=symantec sourcetype=sep12:scan
I use sep12 and my index is symantec, so you might have to tweak it. Another Example:
#### sep:admin
[sep_admin_authentication]
#search = `sep_admin_sourcetype` ("log on succeeded" OR "log on failed")
search = index=symantec sourcetype=sep12:admin ("log on succeeded" OR "log on failed")
#tags = authentication
How did you solve it?
OK, it was a problem with the SplunkForSymantec application.
The permission is set to Global.
All apps have Read for everyone and Write for admin.
One thing to look here could be the Sharing permission of the macro. Go to Manager » Advanced search » Search macros, select appropriate app context and see if the macro exists and its sharing permission is set to 'All apps' and read/write to appropriate roles.
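The sharing setting described above lives on disk in the app's metadata/default.meta and metadata/local.meta (local.meta wins), as stanzas like [macros/sep_admin_sourcetype] with an export line ("system" means All apps) and an access line. The script below is an added example, not code from the thread or from the SplunkForSymantec app: it parses that INI-style .meta format and resolves the effective sharing of a zero-argument macro, so you can see at a glance whether a search run from another app context can expand it. The two .meta texts inside it are constructed for the example, and the stanza layering order ([] then [macros] then [macros/<name>]) and the treatment of a missing access line are assumptions noted in the comments; the same check can be cross-referenced with `splunk btool macros list sep_admin_sourcetype --debug`.

```python
"""Resolve the effective sharing of a Splunk search macro from .meta files.

Added example, not from the original thread. Reads the INI-style
metadata/default.meta and metadata/local.meta of an app and reports
whether a macro is exported to all apps ("export = system") and which
roles may read it. The .meta contents below are constructed samples.
"""
import re
import sys
from typing import Dict, List

Stanzas = Dict[str, Dict[str, str]]

# Constructed: what an app might ship in metadata/default.meta.
# The macro is kept private to the app (export = none).
DEFAULT_META = """\
[]
access = read : [ * ], write : [ admin ]
export = none

[macros/sep_admin_sourcetype]
export = none
"""

# Constructed: what Manager writes to metadata/local.meta after the
# macro's sharing is changed to "All apps" with read for everyone.
LOCAL_META = """\
[macros/sep_admin_sourcetype]
access = read : [ * ], write : [ admin ]
export = system
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text: str) -> Stanzas:
    """Parse .meta text into {stanza: {key: value}}.

    The empty stanza "[]" (applies to every object in the app) is stored
    under the name "".
    """
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_meta(*layers: Stanzas) -> Stanzas:
    """Overlay layers key by key; later layers win (default.meta, then local.meta)."""
    merged: Stanzas = {}
    for layer in layers:
        for name, keys in layer.items():
            merged.setdefault(name, {}).update(keys)
    return merged


def parse_access(value: str) -> Dict[str, List[str]]:
    """Turn 'read : [ * ], write : [ admin, power ]' into role lists."""
    acl: Dict[str, List[str]] = {"read": [], "write": []}
    for kind, roles in ACCESS_RE.findall(value):
        acl[kind] = [r.strip() for r in roles.split(",") if r.strip()]
    return acl


def macro_sharing(meta: Stanzas, macro: str) -> Dict[str, object]:
    """Effective sharing of a zero-argument macro.

    Assumption: settings layer from "[]" to "[macros]" to "[macros/<name>]",
    most specific last. Macros with arguments use "[macros/<name>(n)]".
    A missing access line is reported as empty role lists; check it by hand.
    """
    effective: Dict[str, str] = {}
    for stanza in ("", "macros", f"macros/{macro}"):
        effective.update(meta.get(stanza, {}))
    acl = parse_access(effective.get("access", ""))
    return {"export": effective.get("export", "none"),
            "read": acl["read"], "write": acl["write"]}


def visible_to(meta: Stanzas, macro: str, role: str) -> bool:
    """True if a search run from another app by `role` can expand the macro."""
    sharing = macro_sharing(meta, macro)
    return sharing["export"] == "system" and (
        "*" in sharing["read"] or role in sharing["read"])


def report(meta: Stanzas, macro: str, role: str) -> str:
    s = macro_sharing(meta, macro)
    state = "visible from all apps" if visible_to(meta, macro, role) else "NOT visible outside its app"
    return f"`{macro}`: export={s['export']} read={s['read']} write={s['write']} -> {state} for role {role}"


if __name__ == "__main__":
    # Real use: python check_macro.py $SPLUNK_HOME/etc/apps/<app>/metadata macro role
    if len(sys.argv) == 4:
        base, macro, role = sys.argv[1:]
        layers = []
        for fname in ("default.meta", "local.meta"):
            try:
                with open(f"{base}/{fname}") as fh:
                    layers.append(parse_meta(fh.read()))
            except FileNotFoundError:
                pass
        print(report(merge_meta(*layers), macro, role))
    else:
        shipped = parse_meta(DEFAULT_META)
        fixed = merge_meta(shipped, parse_meta(LOCAL_META))
        print(report(shipped, "sep_admin_sourcetype", "user"))
        print(report(fixed, "sep_admin_sourcetype", "user"))
```

Run without arguments it contrasts the constructed "before" (private to the app, which reproduces the "Could not find macro" error from other apps) and "after" (exported globally) states; pointed at a real metadata directory it reports the live setting, which should match what Manager » Advanced search » Search macros shows.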