Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Updating App Macros

JohnEGones
Communicator
‎01-15-2024 10:42 AM

Hi Community People.

Our team has stood up a new instance of Splunk, and we have deployed out some cool new apps. One issue I have run into however is that there seems to be a weirdness in how the app is expecting the data.

Specifically, the predefined queries (some using macros) seem to not work, unless there is an index specified. Is there an explanation behind this?

 

 

 

 

 

sourcetype=[some preconfigured type from the app] | stats count by someField <===doesn't seem to work

index=someIndex sourcetype=appDefinedSourceType | stats count by someField <===this works

 

 

 

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dtburrows3
Builder
‎01-15-2024 11:38 AM

There is a setting for roles in Splunk that configures what indexes are searched by default if an index is not specified in the search itself. This would be my guess is what is going on here if I understood your question correctly.

The user's role that is utilizing the macro probably doesn't have the index set as a default searched index where the data resides.

Here is a screenshot of the UI settings for roles default searched indexes.

dtburrows3_0-1705347463713.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...