Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found?

Gaikwad
Explorer
‎09-30-2022 02:43 AM

I'm getting this error after upgrading Microsoft 365 app in Splunk 

error - Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Labels (2)
Labels
0 Karma
Reply

Gaikwad
Explorer
‎10-03-2022 10:03 PM

Hi 

as I check TA is already updated, but unable to fix this issue. how can we define m365_default_index

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-04-2022 01:45 AM

When I looked microsoft_cloud_app/default/macro.conf that is defined like

[m365_default_index]
iseval = 0
definition = (index=main OR index=*)

You could use that in context of that app (microsoft_cloud_app) without any additional configuration. But if you want to use it also e.g. in search app then you must grant access to this app or at least to this macro as system/global. After that you can use it any where.

Probably easiest way to do this is just open in GUI (inside this app) all macros and then grant that global access to it.

Settings -> Advanced search -> Search Macros 

Then grant access to this object.

0 Karma
Reply

Gaikwad
Explorer
‎10-05-2022 09:54 PM

Hi @isoutamo 

Thanks for your reply.

as I check both Microsoft 365 app and Add-on got updated already since the Microsoft 365 app dashboards are not working. there are few observations I would like to share

1.  few dashboard query which contain `m365_default_index` sourcetype="o365:management:activity"            are working fine and showing data.
 2. dashboard query which contains `m365_default_index` sourcetype="o365:graph:api" , `m365_default_index` sourcetype="o365:service:healthIssue"  OR `m365_default_index` sourcetype="o365:graph:api"  are not showing any details.  before update it was working fine.

please note I'm checking this in Microsoft 365 app -> Executive overview 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 03:20 AM

Hi

have you followup upgrade instructions?

This error means that you haven't have macro which is named as m365_default_index which define to where you have stored all m365 events. I cannot recall if this macro is defined in this app or was there a separate TA for Splunk KOs which this app is needed. I guess that the last one is how it works now. This means that you must also update that TA to correct version, grant global access to it and then define local version of this macro to define where those events are found.

On https://splunkbase.splunk.com/app/3786/#/details is said that you are needing https://splunkbase.splunk.com/app/4055/. The installation/upgrade instructions are here https://docs.splunk.com/Documentation/AddOns/released/MSO365/Install

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...