Splunk Search

How come a specific macro ends up in generic searches and breaks some of them?

danielbb
Motivator

We use the TA-Varonis-DatAlert and it creates the varonis_index macro defined as index=*, which is global.

When running a generic search such as index = _internal sourcetype=splunkd, we see errors from all the indexers saying -

-- 10-17-2019 14:38:32.526 ERROR SearchParser - The search specifies a macro varonis_index that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

How come this specific macro ends up in such a generic search?

0 Karma
1 Solution

yannK
Splunk Employee

Looks like the app or the macro is not global; change that if you want to use the macro outside of the app.

However, to have the macro apply to another search, look at:

  • automatic eval fields that may be calling the macro
  • tags or eventtypes calling the macro
  • role search restrictions that may be using the macro

danielbb
Motivator

Thank you @yannK

$SPLUNK_HOME/etc/apps/TA-Varonis-DatAlert/default/eventtypes.conf starts with -

[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"

Based on the discussions with Splunk and Varonis Support teams, it seems that the varonis_index macro within the eventtypes causes the macro to be embedded in searches such as index = _internal sourcetype=splunkd, which is hard for me to grasp.

0 Karma

danielbb
Motivator

Replacing the call for the macro varonis_index with the explicit index=<index name> solved the issue.

0 Karma
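The two fixes in this thread are the two sides of one check: yannK's answer says to make the macro global or to look at the eventtypes, eval fields and role restrictions that pull it into other searches, and danielbb's fix removes the macro call from the eventtype. Eventtype definitions are evaluated for every search so that the eventtype field can be populated, which is why a macro referenced only by an eventtype surfaces in an unrelated index=_internal search: the eventtype is exported system-wide by the app's metadata while the macro it calls is not. The script below is an added example, not code from the thread or from the Varonis TA. It reads macros.conf, the app's default.meta/local.meta and any conf files you hand it, and reports every macro call whose macro is undefined or is not shared with export = system. All conf contents are constructed for the example; the second eventtype, the varonis_host_filter macro and the index name varonis are invented.

```python
import re

# Minimal Splunk .conf/.meta reader: [stanza] headers, key = value pairs,
# '#' comments and backslash line continuations. Keys before the first
# stanza ([default] in Splunk) are ignored.
def parse_conf(text):
    stanzas = {}
    current = None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "" for the app-wide [] stanza in .meta
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def merge_meta(*metas):
    """Layer default.meta then local.meta: later files override per key."""
    merged = {}
    for meta in metas:
        for stanza, kv in meta.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged

# A macro call in SPL looks like `name` or `name(arg1, arg2)`.
MACRO_CALL = re.compile(r"`([A-Za-z0-9_]+)(?:\((.*?)\))?`")

def macro_stanzas(spl):
    """Map each macro call in an SPL string to its macros.conf stanza name;
    arity is part of the name, so `foo(a,b)` is defined as [foo(2)]."""
    names = []
    for name, args in MACRO_CALL.findall(spl):
        arity = len(args.split(",")) if args.strip() else 0  # naive: a quoted comma over-counts
        names.append(f"{name}({arity})" if arity else name)
    return names

def export_scope(object_type, stanza, meta):
    """Sharing of one knowledge object, following Splunk metadata precedence:
    the object's own stanza, then the type stanza, then the app-wide [] stanza."""
    for key in (f"{object_type}/{stanza}", object_type, ""):
        if "export" in meta.get(key, {}):
            return meta[key]["export"]
    return "none"

def audit(macros, meta, conf_files):
    """Check every macro call in conf_files ({filename: parsed stanzas}).
    Returns (file, stanza, macro, status) with status 'global', 'app-private'
    or 'undefined'. Anything but 'global' can break searches outside the app
    when the referencing object itself is exported system-wide."""
    findings = []
    for fname, stanzas in conf_files.items():
        for stanza, kv in stanzas.items():
            for value in kv.values():
                for macro in macro_stanzas(value):
                    if macro not in macros:
                        status = "undefined"
                    elif export_scope("macros", macro, meta) == "system":
                        status = "global"
                    else:
                        status = "app-private"
                    findings.append((fname, stanza, macro, status))
    return findings

# Constructed sample files modelled on the thread; not the real TA's contents.
MACROS_CONF = parse_conf("""
[varonis_index]
definition = index=*
""")

DEFAULT_META = parse_conf("""
[]
access = read : [ * ], write : [ admin ]
export = none

[eventtypes]
export = system
""")

EVENTTYPES_BROKEN = parse_conf("""
[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." \\
  cs2="Abnormal access behavior: possible credential stuffing attack from a single source"

[varonis_event_from_host]
search = `varonis_index` `varonis_host_filter(src_host)`
""")

# Fix A (yannK): share the macro system-wide from the app's local.meta.
LOCAL_META_FIX = parse_conf("""
[macros/varonis_index]
export = system
""")

# Fix B (danielbb): replace the macro call with an explicit index (name assumed).
EVENTTYPES_FIXED = parse_conf("""
[possible_credential_stuffing_attack_from_a_single_source]
search = index=varonis sourcetype=varonis:ta cef_vendor="Varonis Inc."
""")

def broken_findings():
    return audit(MACROS_CONF, DEFAULT_META, {"eventtypes.conf": EVENTTYPES_BROKEN})

def meta_fix_findings():
    meta = merge_meta(DEFAULT_META, LOCAL_META_FIX)
    return audit(MACROS_CONF, meta, {"eventtypes.conf": EVENTTYPES_BROKEN})

def explicit_index_findings():
    return audit(MACROS_CONF, DEFAULT_META, {"eventtypes.conf": EVENTTYPES_FIXED})

if __name__ == "__main__":
    for fname, stanza, macro, status in broken_findings():
        print(f"{fname} [{stanza}] calls `{macro}`: {status}")
```

To run it against a real deployment, feed parse_conf the contents of $SPLUNK_HOME/etc/apps/<app>/{default,local}/macros.conf, metadata/default.meta, metadata/local.meta and the eventtypes.conf, props.conf (EVAL-* keys) and authorize.conf (srchFilter) files the answer above lists; the same "app-private" status applies to any of them. The invented varonis_host_filter call shows the third outcome, a macro that is referenced but defined nowhere, which yields the same SearchParser error as an unshared one.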

yannK
Splunk Employee
Splunk Employee

Cool, you can probably mark the answer as accepted; it will help other users.

0 Karma

danielbb
Motivator

Thank you @yannK

0 Karma