We use the TA-Varonis-DatAlert and it creates the varonis_index macro defined as index=*, which is global.
When running a generic search such as index = _internal sourcetype=splunkd, we see errors from all the indexers saying:
10-17-2019 14:38:32.526 ERROR SearchParser - The search specifies a macro varonis_index that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
How come this specific macro ends up in such a generic search?
Looks like the app or the macro is not global; change that if you want to use the macro outside of the app.
However, to have the macro apply to another search, look at:
Thank you @yannK
$SPLUNK_HOME/etc/apps/TA-Varonis-DatAlert/default/eventtypes.conf starts with:
[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"
Based on the discussions with Splunk and Varonis Support teams, it seems that the varonis_index macro within the eventtypes causes the macro to be embedded in searches such as index = _internal sourcetype=splunkd, which is hard for me to grasp.
Replacing the call for the macro varonis_index with the explicit index=<index name> solved the issue.
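As an added example (not from this thread and not part of the TA-Varonis-DatAlert app itself), the following POSIX shell script shows the check behind the discussion above: it builds two constructed copies of a small Splunk app, one where the macro is app-private and one where it is exported globally, then flags every macro that an eventtypes.conf stanza references while being shared more narrowly than the eventtype that uses it. The app names and file contents are constructed; only the file layout (default/eventtypes.conf, default/macros.conf, metadata/default.meta) and the [] / [macros] / [macros/<name>] export precedence follow Splunk's conventions.

```shell
#!/bin/sh
# Added example (not from the thread or the TA): detect macros that a globally
# shared eventtype pulls into every search while the macro itself is app-private.

# Build a constructed app directory. $2 is the export scope written for [macros]
# in metadata/default.meta ("system" = global, "none" = app-private).
make_sample_app() {
  app="$1"; macro_scope="$2"
  mkdir -p "$app/default" "$app/metadata"
  cat > "$app/default/eventtypes.conf" <<'EOF'
[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"
EOF
  cat > "$app/default/macros.conf" <<'EOF'
[varonis_index]
definition = index=*
EOF
  cat > "$app/metadata/default.meta" <<EOF
[]
access = read : [ * ], write : [ admin ]
export = system

[macros]
export = $macro_scope
EOF
}

# Print "<eventtype> <macro>" pairs for every backtick-quoted macro used in a
# search= line of eventtypes.conf. Simplification: macros with arguments such
# as `foo(2)` are not handled.
eventtype_macro_refs() {
  awk '
    /^\[/ { et = $0; gsub(/\[/, "", et); gsub(/\]/, "", et); next }
    /^search[ \t]*=/ {
      line = $0
      while (match(line, /`[A-Za-z0-9_]+`/)) {
        print et, substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, RSTART + RLENGTH)
      }
    }' "$1/default/eventtypes.conf"
}

# Resolve the export scope of one object from metadata/default.meta using
# Splunk's precedence: [conf/object] over [conf] over []. Absent means "none".
export_scope() {   # $1 app dir, $2 conf name (macros|eventtypes), $3 object name
  awk -v conf="$2" -v name="$3" '
    /^\[/ { sect = $0; gsub(/\[/, "", sect); gsub(/\]/, "", sect); next }
    /^export[ \t]*=/ {
      v = $0; sub(/^export[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      scope[sect] = v
    }
    END {
      if ((conf "/" name) in scope) print scope[conf "/" name]
      else if (conf in scope)       print scope[conf]
      else if ("" in scope)         print scope[""]
      else                          print "none"
    }' "$1/metadata/default.meta"
}

# Report every macro that a system-exported eventtype references while the
# macro is missing or exported more narrowly. Returns 1 if anything is found.
check_app() {
  app="$1"; rc=0
  refs=$(mktemp)
  eventtype_macro_refs "$app" > "$refs"
  while read -r et m; do
    if ! grep -q "^\[$m\]" "$app/default/macros.conf" 2>/dev/null; then
      echo "MISSING    $m (used by eventtype $et) is not defined in macros.conf"
      rc=1; continue
    fi
    et_scope=$(export_scope "$app" eventtypes "$et")
    m_scope=$(export_scope "$app" macros "$m")
    if [ "$et_scope" = system ] && [ "$m_scope" != system ]; then
      echo "NOT GLOBAL $m is exported '$m_scope' but eventtype $et is exported 'system'"
      rc=1
    fi
  done < "$refs"
  rm -f "$refs"
  return $rc
}

# Demonstration on the two constructed apps.
demo() {
  work=$(mktemp -d)
  make_sample_app "$work/TA-macro-private" none
  make_sample_app "$work/TA-macro-global" system
  for a in "$work"/TA-*; do
    echo "== $(basename "$a")"
    if check_app "$a"; then echo "ok: every macro used by a global eventtype is global too"; fi
  done
  rm -rf "$work"
}
demo
```

To run the check against a real installation, call check_app with an app directory such as $SPLUNK_HOME/etc/apps/<app>. Note that the script reads only metadata/default.meta; sharing changed through the UI lands in metadata/local.meta, so a real audit should merge both (or use splunk btool macros list --debug) before trusting the result.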
Cool, you can probably mark the answer as accepted; it will help the other users.
Thank you @yannK