Splunk Enterprise Security

How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found?

Gaikwad
Explorer

I'm getting this error after upgrading the Microsoft 365 app in Splunk:

error - Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

0 Karma

Gaikwad
Explorer

Hi,

As I check, the TA is already updated, but I'm unable to fix this issue. How can we define m365_default_index?

0 Karma

isoutamo
SplunkTrust

When I looked at microsoft_cloud_app/default/macro.conf, it is defined like this:

[m365_default_index]
iseval = 0
definition = (index=main OR index=*)

You could use that in the context of that app (microsoft_cloud_app) without any additional configuration. But if you want to use it also, e.g., in the search app, then you must grant access to this app, or at least to this macro, as system/global. After that you can use it anywhere.

Probably the easiest way to do this is just to open all macros in the GUI (inside this app) and then grant global access to them.

Settings -> Advanced search -> Search Macros 

Then grant access to this object.

0 Karma

Gaikwad
Explorer

Hi @isoutamo,

Thanks for your reply.

As I check, both the Microsoft 365 app and the Add-on got updated already, since the Microsoft 365 app dashboards are not working. There are a few observations I would like to share:

1. A few dashboard queries which contain `m365_default_index` sourcetype="o365:management:activity" are working fine and showing data.
2. Dashboard queries which contain `m365_default_index` sourcetype="o365:graph:api", `m365_default_index` sourcetype="o365:service:healthIssue" OR `m365_default_index` sourcetype="o365:graph:api" are not showing any details. Before the update it was working fine.

Please note I'm checking this in Microsoft 365 app -> Executive overview.

0 Karma

isoutamo
SplunkTrust

Hi,

Have you followed the upgrade instructions?

This error means that you don't have a macro named m365_default_index, which defines where you have stored all M365 events. I cannot recall if this macro is defined in this app or whether there was a separate TA for Splunk KOs which this app needs. I guess the latter is how it works now. This means that you must also update that TA to the correct version, grant global access to it, and then define a local version of this macro to define where those events are found.

On https://splunkbase.splunk.com/app/3786/#/details it is said that you need https://splunkbase.splunk.com/app/4055/. The installation/upgrade instructions are here: https://docs.splunk.com/Documentation/AddOns/released/MSO365/Install

r. Ismo

0 Karma
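A file-based equivalent of the two fixes described in the answers above (a local copy of the macro that points at the real index, and a global export so the Search app can resolve it), written here as an added example rather than anything posted in the thread or shipped with the Splunk app. The app directory name microsoft_cloud_app is taken from the thread; the index name o365 is a constructed placeholder for whatever index the M365 inputs actually write to; the file paths follow the standard Splunk app layout.

```ini
# Added example (not from the thread or the app). Assumes the app lives at
# $SPLUNK_HOME/etc/apps/microsoft_cloud_app as named in the thread; "o365" is a
# constructed placeholder for the index that holds the M365 events.

# --- $SPLUNK_HOME/etc/apps/microsoft_cloud_app/local/macros.conf ---
# local/ overrides default/ and survives the next app upgrade, which replaces
# default/ wholesale. Naming the real index instead of index=* keeps dashboard
# searches scoped to M365 data and avoids scanning every index the user can read.
[m365_default_index]
iseval = 0
definition = (index=o365)

# --- $SPLUNK_HOME/etc/apps/microsoft_cloud_app/metadata/local.meta ---
# File-based equivalent of granting "Global" sharing in Settings -> Advanced
# search -> Search Macros: export the object system-wide, readable by every role,
# writable only by admin so the definition cannot be silently repointed.
[macros/m365_default_index]
export = system
owner = admin
access = read : [ * ], write : [ admin ]
```

After a Splunk restart (or a debug/refresh), `splunk btool macros list m365_default_index --debug` shows which file the effective definition comes from, which is the quickest way to confirm the local/ copy won over default/. Once the SearchParser error is gone, a plain `` `m365_default_index` sourcetype="o365:graph:api" | head 1 `` from the Search app separates the two failure modes seen in this thread: a parse error points at macro visibility, while an empty result set with no error points at ingestion or the index the macro names.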