Macro not found when generating a search for a ser...

siraj · ‎10-24-2023

I need to configure a service in Splunk ITSI, while creating a KPI am facing an issue. I gave a search string but when its generating a search I get an error in the result:

Error in 'SearchParser': The search specifies a macro 'aggregate_raw_into_entity' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Is there any way to modify the Generated Search.

anatolvd · ‎10-24-2023

Hey @siraj , there should be no need to modify the Generated Search, as both the aggregate_raw_into_entity and aggregate_raw_into_service macros are intended to be part of the KPI's SPL. Are you getting the error when running the Generated Search in a separate Search tab? If so, what App context are you in while attempting to run the search?

To troubleshoot, follow the instructions in the error message to make sure that your user account has the appropriate permission for the macro. Also, make sure that the macro is not only shared in the SA-ITOA app while you're trying to run the test search in a different App context. Both of these settings are accessed from the Permissions setting of the macro.

Let me know if this helps,

avd

Macro not found when generating a search for a service

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk