We use the TA-Varonis-DatAlert, and it creates the varonis_index macro, defined as index=*, which is global.
When running a generic search such as index=_internal sourcetype=splunkd, we see errors from all the indexers saying:
10-17-2019 14:38:32.526 ERROR SearchParser - The search specifies a macro varonis_index that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
How come this specific macro ends up in such a generic search?
Looks like the app or the macro is not global; change that if you want to use the macro outside of the app.
However, to have the macro apply to another search, look at:
Thank you @yannK
$SPLUNK_HOME/etc/apps/TA-Varonis-DatAlert/default/eventtypes.conf starts with:
[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"
Based on the discussions with the Splunk and Varonis Support teams, it seems that the varonis_index macro within the eventtypes causes the macro to be embedded in searches such as index=_internal sourcetype=splunkd, which is hard for me to grasp.
Replacing the call to the macro varonis_index with the explicit index=<index name> solved the issue.
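An added example, not code from the thread or from the TA: a small audit that parses an app's eventtypes.conf, macros.conf and default.meta and flags eventtype searches that call a macro which is either undefined or not exported globally (export = system), the configuration mismatch behind the SearchParser error above. The conf text is constructed to mirror the thread; the only real content is the eventtype stanza quoted above.

```python
# Added example (not the TA's own code): flag eventtype searches that call a
# macro which is undefined or not exported globally; sample conf text is constructed.
import re

MACRO_CALL = re.compile(r"`([A-Za-z_]\w*)(\(([^)]*)\))?`")

def parse_conf(text):
    # minimal Splunk .conf parser -> {stanza: {key: value}}; "[]" becomes ""
    stanzas, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"): continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            stanzas.setdefault(cur, {})
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            stanzas[cur][key.strip()] = val.strip()
    return stanzas

def macro_keys(search):
    # macros.conf stanza names for each `call`: `name` or `name(N)` for N-arg macros
    keys = set()
    for name, parens, args in MACRO_CALL.findall(search):
        n = len([a for a in args.split(",") if a.strip()]) if parens else 0
        keys.add(name if n == 0 else f"{name}({n})")
    return keys

def is_global(meta, key):
    # default.meta/local.meta may export at app ([]), object type or object level
    return any(meta.get(s, {}).get("export") == "system"
               for s in ("", "macros", f"macros/{key}"))

def audit(eventtypes_text, macros_text, meta_text):
    # eventtypes run on every search, so an app-private macro here breaks searches outside the app
    eventtypes, macros, meta = (parse_conf(t) for t in (eventtypes_text, macros_text, meta_text))
    findings = []
    for et, body in eventtypes.items():
        for key in macro_keys(body.get("search", "")):
            if key not in macros:
                findings.append((et, key, "not defined in macros.conf"))
            elif not is_global(meta, key):
                findings.append((et, key, "not exported globally (export = system)"))
    return findings

EVENTTYPES = """[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"
"""
MACROS = "[varonis_index]\ndefinition = index=*\n"
META_PRIVATE = "[macros/varonis_index]\naccess = read : [ * ], write : [ admin ]\n"
META_GLOBAL = META_PRIVATE + "export = system\n"
```

Calling audit(EVENTTYPES, MACROS, META_PRIVATE) returns one finding for varonis_index; with META_GLOBAL it returns an empty list.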
Cool, you can probably mark the answer as accepted; it will help the other users.