I must be out of my mind. The comments built-in macro since version 6.5.0 gives me an error that it can't find the macro. I'm using the syntax found in the docs here, with my version of splunk in the url so it shows the one for my version.
https://docs.splunk.com/Documentation/Splunk/6.6.10/Search/Addcommentstosearches
index=* sourcetype=* `comment("THIS IS A COMMENT")`
this gives me an error
Error in 'SearchParser': The search specifies a macro 'comment' that cannot be found.
What could I be doing incorrectly?
Chris
For some reason the comment macro's sharing is set to "app" out of the box. You'll have to use a configuration package (app) or navigate to Settings>Advanced Search>Macros to update the permissions.
My problem was resolved ! First issue:
'Everyone' had Read access to macro, doesn't mean that every Dashboard can use it...
You have to explicitly allow it to Read the Macro...in order for it to work.
For some reason the comment macro's sharing is set to "app" out of the box. You'll have to use a configuration package (app) or navigate to Settings>Advanced Search>Macros to update the permissions.
Thanks, now I see it, and it's set to app permissions. I'll work with our Splunk admins to update this.
what version of splunk you are running? Also make sure you are running it in search app.
i am on v 6.6.10. So I can't run this in all the apps with a search bar? it only works in search app? Everyone here uses their own department's app to segregate pci/phi/etc with permissions.
Check macros.conf in search app , you can copy macro for comments in other app if you need it. Try if your search with comment macro is working on search app, check permissions and copy to other app if needed.
thanks, i'll work with the splunk admins.