Splunk Search

eventtype which contains macro is not working

thambisetty
SplunkTrust
SplunkTrust

Hi Splunkers,

I have distributed environment. when I tried searching for eventtype which contains macro is not working.

I have seen docs saying that macros are by default skipped from search head knowledge bundle. But, I have added distsearch.conf in TA where eventtype resides and I can see macros.conf in knowledge bundle getting replicated to search peers. still I am not able to get results from eventtype . when I expand eventtype in search showing results.

Thanks in advance.

————————————
If this helps, give a like below.
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

What version of splunk are you using?

If you're on 6.5.x, upgrade to 6.5.3: http://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/6.5.3#Uncategorized_issues
If you're on 6.4.x, wait for 6.4.7 (allegedly).
If you're on 6.3.x, upgrade to 6.5.3 🙂
If you're on 6.2.x or earlier, eventtypes with macros should work.

View solution in original post

ww9rivers
Communicator

We are running Splunk 7.0.3, in a distributed setting.

On a search cluster running Splunk Enterprise Security, we added the SentenilOne TA, made it work inside ES to search with a macro (s1_index) defined in the TA.

However, when searching in ES with "tag=malware" which pulls in that macro, we get these error messages from our indexers:

Error in 'SearchParser': The search specifies a macro 's1_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Inspecting the search job, I find this in the "remoteSearch":

( `s1_index` sourcetype=threat )

That seems to mean that the macro is not expanded locally before dispatch, nor is the macro definition included in the search bundle.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Did you configure distsearch.conf as mentioned in the question?

0 Karma

ww9rivers
Communicator

Yes. I have added this stanza in the distsearch.conf file:

[replicationSettings:refineConf]
replicate.macros = true
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

What version of splunk are you using?

If you're on 6.5.x, upgrade to 6.5.3: http://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/6.5.3#Uncategorized_issues
If you're on 6.4.x, wait for 6.4.7 (allegedly).
If you're on 6.3.x, upgrade to 6.5.3 🙂
If you're on 6.2.x or earlier, eventtypes with macros should work.

sujanay02
New Member

Hi,
I am also facing the same issue in Splunk 7.1.1 version.i tried adding config in distsearch.conf as well.still doe not work out.Do you have the resolution for this ?

0 Karma

thambisetty
SplunkTrust
SplunkTrust

Thanks Martin_mueller..

Running on 6.5.2. I will update my splunk to latest version.

————————————
If this helps, give a like below.
0 Karma

rjthibod
Champion

There was an actual bug in Splunk for a while that was preventing this from working. I don't know if it was ever officially fixed or not, but I gave up on using macros in eventtypes being that everything seemed to be brittle or unreliable.

Last time I heard others discussing it, they seemed to indicate it was still an issue.

thambisetty
SplunkTrust
SplunkTrust

Yes, It was listed and fixed in splunk latest version.

find comment below from martin_mueller

————————————
If this helps, give a like below.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...