Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the root cause of the message preventing saving a search: "Error in 'SearchParser': The search specifies a macro.."

landen99
Motivator
‎02-19-2020 08:13 AM

What is the root cause of the message preventing saving a search:
alt text
Error in 'SearchParser': The search specifies a macro..
This error started appearing after a migration from an old SHC to a new SHC.

The resolution was to move the macro to the same app as the search, even though it was set to Global sharing, but that doesn't explain the root cause. The error returns when the macro is moved back to the original app.

Tags (1)
Preview file
117 KB
0 Karma
Reply

jpolvino
Builder
‎02-19-2020 09:01 AM

What happens when you grab that search and run it on its own in the app, with the macro in its native location set as global?

Same as above, but with the macro homed to the app you're running from?

One test in each case is to expand all the macros with Control-Shift-E. Might take a minute.

When I'm in app "A" and do Control-Shift-E on a macro from app "B" that is shared global (with Everyone=Read, Power=Write) it expands and works fine.

Finally, check your App permissions (where the macro lives). Mine says Everyone=Read, Power=Write, and the bottom radio button is true.

0 Karma
Reply

landen99
Motivator
‎02-19-2020 08:19 PM

The macro works fine at the SPL line. Permissions are global.

0 Karma
Reply

niketn
Legend
‎02-20-2020 06:19 AM

@landen99 if you put back the SPL for macro wildfire do the other macros work? Have you checked permission/app for other macros and compare them with wildfire in case others work?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...