Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Updating App Macros

JohnEGones
Communicator
‎01-15-2024 10:42 AM

Hi Community People.

Our team has stood up a new instance of Splunk, and we have deployed out some cool new apps. One issue I have run into however is that there seems to be a weirdness in how the app is expecting the data.

Specifically, the predefined queries (some using macros) seem to not work, unless there is an index specified. Is there an explanation behind this?

 

 

 

 

 

sourcetype=[some preconfigured type from the app] | stats count by someField <===doesn't seem to work

index=someIndex sourcetype=appDefinedSourceType | stats count by someField <===this works

 

 

 

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dtburrows3
Builder
‎01-15-2024 11:38 AM

There is a setting for roles in Splunk that configures what indexes are searched by default if an index is not specified in the search itself. This would be my guess is what is going on here if I understood your question correctly.

The user's role that is utilizing the macro probably doesn't have the index set as a default searched index where the data resides.

Here is a screenshot of the UI settings for roles default searched indexes.

dtburrows3_0-1705347463713.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...