Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come the comment "macro" is not working?

weidertc
Contributor
‎01-24-2019 01:25 PM

I must be out of my mind. The comments built-in macro since version 6.5.0 gives me an error that it can't find the macro. I'm using the syntax found in the docs here, with my version of splunk in the url so it shows the one for my version.

https://docs.splunk.com/Documentation/Splunk/6.6.10/Search/Addcommentstosearches

index=* sourcetype=* `comment("THIS IS A COMMENT")`

this gives me an error

Error in 'SearchParser': The search specifies a macro 'comment' that cannot be found.

What could I be doing incorrectly?

Chris

Reply
1 Solution
Solved! Jump to solution
Solution

dflodstrom
Builder
‎01-24-2019 02:04 PM

For some reason the comment macro's sharing is set to "app" out of the box. You'll have to use a configuration package (app) or navigate to Settings>Advanced Search>Macros to update the permissions.

View solution in original post

Reply
Solved! Jump to solution

petrose
Engager
‎10-28-2019 12:42 AM

Hi,
I am experiencing the same as Chris but I have investigated the macro properties of the Comment macro:
alt text
And I am going to use Comments in the service_iam_na application listed in the Permissions overview.

What is cause of my problem ?

,

Preview file
15 KB
0 Karma
Reply
Solved! Jump to solution

petrose
Engager
‎11-06-2019 01:16 AM

My problem was resolved ! First issue:
'Everyone' had Read access to macro, doesn't mean that every Dashboard can use it...

You have to explicitly allow it to Read the Macro...in order for it to work.

0 Karma
Reply
Solved! Jump to solution
Solution

dflodstrom
Builder
‎01-24-2019 02:04 PM

For some reason the comment macro's sharing is set to "app" out of the box. You'll have to use a configuration package (app) or navigate to Settings>Advanced Search>Macros to update the permissions.

Reply
Solved! Jump to solution

weidertc
Contributor
‎01-24-2019 02:25 PM

Thanks, now I see it, and it's set to app permissions. I'll work with our Splunk admins to update this.

Reply
Solved! Jump to solution

Vijeta
Influencer
‎01-24-2019 01:33 PM

what version of splunk you are running? Also make sure you are running it in search app.

0 Karma
Reply
Solved! Jump to solution

weidertc
Contributor
‎01-24-2019 01:51 PM

i am on v 6.6.10. So I can't run this in all the apps with a search bar? it only works in search app? Everyone here uses their own department's app to segregate pci/phi/etc with permissions.

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎01-24-2019 02:04 PM

Check macros.conf in search app , you can copy macro for comments in other app if you need it. Try if your search with comment macro is working on search app, check permissions and copy to other app if needed.

Reply
Solved! Jump to solution

weidertc
Contributor
‎01-24-2019 02:20 PM

thanks, i'll work with the splunk admins.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...