Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for AWS: How do I resolve error "The search specifies a macro 'aws-description-instance' that cannot be foun

jaibalaraman
Path Finder
‎10-15-2020 06:03 PM

How do I resolve the  following error?

 

sample 1.PNG

 

Error in 'SearchParser': The search specifies a macro 'aws-cloudtrail-sourcetype' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Labels (1)
Labels
Reply

jaibalaraman
Path Finder
‎10-20-2020 06:40 PM

screen.JPG

0 Karma
Reply

jaibalaraman
Path Finder
‎10-20-2020 06:37 PM

Hi 

I assume why i am getting error is because the below macro are not seen in the search macros

`aws-cloudtrail-sourcetype` eventName=StopInstances OR eventName=RebootInstances OR eventName=TerminateInstances NOT errorCode | rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId | stats values(instanceId) as instanceId count(instanceId) as count by awsRegion eventName eventTime userIdentity.arn eventID

However i tried clone the existing macro and tried to create a new one , still i am getting an error message when saving. 

Err msg " Encountered the following error while trying to save: Number of arguments provided (1) does not match with the number implied by the macro name (0)"

0 Karma
Reply

jaibalaraman
Path Finder
‎10-15-2020 08:28 PM

Hi 

Yes i am able to see the macro , also have permission to Edit , Enable or disable.

 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-15-2020 08:10 PM

ohk, on the settings, advanced search, search macros, are you able to search/view that macro -  'aws-cloudtrail-sourcetype' ...probably, as you have some permissions issues, you may not be able to "Read" it, i think. if you are running this from "search" app, try to run it from some other app(just in case, if this macro is not shared with "search" app).
if still you face the same error, then, you will need to check with splunk admins/power users/aws splunk admins for read permission. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

jaibalaraman
Path Finder
‎10-20-2020 06:40 PM

Hi 

I assume why i am getting error is because the below macro are not seen in the search macros

`aws-cloudtrail-sourcetype` eventName=StopInstances OR eventName=RebootInstances OR eventName=TerminateInstances NOT errorCode | rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId | stats values(instanceId) as instanceId count(instanceId) as count by awsRegion eventName eventTime userIdentity.arn eventID

However i tried clone the existing macro and tried to create a new one , still i am getting an error message when saving. 

Err msg " Encountered the following error while trying to save: Number of arguments provided (1) does not match with the number implied by the macro name (0)"

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...