Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Updating App Macros

JohnEGones
Communicator
‎01-15-2024 10:42 AM

Hi Community People.

Our team has stood up a new instance of Splunk, and we have deployed out some cool new apps. One issue I have run into however is that there seems to be a weirdness in how the app is expecting the data.

Specifically, the predefined queries (some using macros) seem to not work, unless there is an index specified. Is there an explanation behind this?

 

 

 

 

 

sourcetype=[some preconfigured type from the app] | stats count by someField <===doesn't seem to work

index=someIndex sourcetype=appDefinedSourceType | stats count by someField <===this works

 

 

 

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dtburrows3
Builder
‎01-15-2024 11:38 AM

There is a setting for roles in Splunk that configures what indexes are searched by default if an index is not specified in the search itself. This would be my guess is what is going on here if I understood your question correctly.

The user's role that is utilizing the macro probably doesn't have the index set as a default searched index where the data resides.

Here is a screenshot of the UI settings for roles default searched indexes.

dtburrows3_0-1705347463713.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...