Splunk Enterprise Security

How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found?

Gaikwad
Explorer

I'm getting this error after upgrading the Microsoft 365 app in Splunk:

error - Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.


Gaikwad
Explorer

Hi 

As I checked, the TA is already updated, but I'm unable to fix this issue. How can we define m365_default_index?


isoutamo
SplunkTrust

When I looked at microsoft_cloud_app/default/macro.conf, that is defined like:

[m365_default_index]
iseval = 0
definition = (index=main OR index=*)

You could use that in the context of that app (microsoft_cloud_app) without any additional configuration. But if you want to use it also, e.g., in the search app, then you must grant access to this app, or at least to this macro, as system/global. After that you can use it anywhere.

Probably the easiest way to do this is just to open all macros in the GUI (inside this app) and then grant global access to them.

Settings -> Advanced search -> Search Macros 

Then grant access to this object.


Gaikwad
Explorer

Hi @isoutamo 

Thanks for your reply.

As I checked, both the Microsoft 365 app and the Add-on got updated already, since the Microsoft 365 app dashboards are not working. There are a few observations I would like to share:

1. A few dashboard queries which contain `m365_default_index` sourcetype="o365:management:activity" are working fine and showing data.
2. Dashboard queries which contain `m365_default_index` sourcetype="o365:graph:api", `m365_default_index` sourcetype="o365:service:healthIssue" OR `m365_default_index` sourcetype="o365:graph:api" are not showing any details. Before the update it was working fine.

Please note I'm checking this in Microsoft 365 app -> Executive overview.


isoutamo
SplunkTrust

Hi

Have you followed the upgrade instructions?

This error means that you don't have a macro named m365_default_index, which defines where you have stored all M365 events. I cannot recall whether this macro is defined in this app or whether there was a separate TA for Splunk KOs that this app needs. I guess the latter is how it works now. This means that you must also update that TA to the correct version, grant global access to it, and then define a local version of this macro to define where those events are found.

On https://splunkbase.splunk.com/app/3786/#/details it is said that you need https://splunkbase.splunk.com/app/4055/. The installation/upgrade instructions are here: https://docs.splunk.com/Documentation/AddOns/released/MSO365/Install

r. Ismo

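As an added example (not from the thread or from the app itself), this is the local override isoutamo describes: a copy of the macro in the app's local directory, scoped to the index that actually holds the M365 events, plus the metadata stanza that shares it globally. The standard file name is macros.conf; the index name o365 and the app directory microsoft_cloud_app (as named in the thread) are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/microsoft_cloud_app/local/macros.conf
# (app directory as named in the thread; adjust if your install differs)
#
# The shipped default is (index=main OR index=*), which searches every
# index the user can read. Pin it to the index that receives the M365
# events (o365 is an assumed name) so dashboards stay scoped and fast.
[m365_default_index]
definition = (index=o365)
iseval = 0

# $SPLUNK_HOME/etc/apps/microsoft_cloud_app/metadata/local.meta
# Share the macro globally so searches from other apps (e.g. search)
# can resolve it; write stays limited to admin.
[macros/m365_default_index]
export = system
access = read : [ * ], write : [ admin ]
```

After saving, restart Splunk or reload the configuration, then `$SPLUNK_HOME/bin/splunk btool macros list m365_default_index --debug` shows which file's definition wins.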