Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunkd.log error tracking

jarjoh42
Path Finder
‎06-10-2013 06:23 AM

I have this error continually coming up in my splunkd.log and I cannot figure out where I need to put in the conf-change stanza. Is there a way to get a file or app location from this error?

05-23-2013 23:40:04.486 -0400 ERROR SearchParser - Could not find macro 'conf-change' that takes 0 arguments. Expecting stanza name 'conf-change'.

0 Karma
Reply

krugger
Communicator
‎06-11-2013 03:37 AM

This should locate the conf-change
grep -R conf-change etc/*

0 Karma
Reply

aholzer
Motivator
‎06-10-2013 08:56 AM

This means that you have a search that is trying to run with a "conf-change" macro, but it's not finding it. The simplest way of figuring out what is going on is to identify what app the "conf-change" macro is defined vs what app the search that is using it is defined (a couple of simple text searches through your *.conf files should get you both answers).

Once you have identified these things you can ensure that the macro's permissions allow it's usage from outside the app it's in, or clone the macro to the app that the search is in.

Hope this helps.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top