Hi Splunkers,
I have a distributed environment. When I try searching for an eventtype which contains a macro, it is not working.
I have seen docs saying that macros are by default skipped from the search head knowledge bundle. But I have added distsearch.conf in the TA where the eventtype resides, and I can see macros.conf in the knowledge bundle getting replicated to the search peers. Still I am not able to get results from the eventtype. When I expand the eventtype in the search, it shows results.
Thanks in advance.
What version of splunk are you using?
If you're on 6.5.x, upgrade to 6.5.3: http://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/6.5.3#Uncategorized_issues
If you're on 6.4.x, wait for 6.4.7 (allegedly).
If you're on 6.3.x, upgrade to 6.5.3 🙂
If you're on 6.2.x or earlier, eventtypes with macros should work.
We are running Splunk 7.0.3, in a distributed setting.
On a search cluster running Splunk Enterprise Security, we added the SentinelOne TA and made it work inside ES to search with a macro (s1_index) defined in the TA.
However, when searching in ES with "tag=malware", which pulls in that macro, we get these error messages from our indexers:
Error in 'SearchParser': The search specifies a macro 's1_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
Inspecting the search job, I find this in the "remoteSearch":
( `s1_index` sourcetype=threat )
That seems to mean that the macro is not expanded locally before dispatch, nor is the macro definition included in the search bundle.
Did you configure distsearch.conf as mentioned in the question?
Yes. I have added this stanza in the distsearch.conf
file:
[replicationSettings:refineConf]
replicate.macros = true
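As an added diagnostic (not code from the thread or from Splunk), the following Python script checks both halves of the problem discussed above: whether distsearch.conf actually enables macro replication, and whether a replicated knowledge bundle on a search peer contains a macros.conf that defines the macro the eventtype uses. The bundle location ($SPLUNK_HOME/var/run/searchpeers/*.bundle), the tarball layout and the macro definition in the sample are assumptions; the sample bundle the script builds is constructed data, not a real bundle.

```python
"""Diagnostic for macro replication in a distributed Splunk search.

Added example: checks (1) that distsearch.conf enables replicate.macros and
(2) that a knowledge bundle tarball carries a macros.conf defining a macro.
"""
import glob
import io
import os
import tarfile
from typing import Dict, List, Optional


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf (INI-style) files: [stanza] headers,
    key = value lines, '#' comments. Continuation lines are not handled."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def macros_replication_enabled(distsearch_text: str) -> bool:
    """True if [replicationSettings:refineConf] sets replicate.macros = true."""
    refine = parse_conf(distsearch_text).get("replicationSettings:refineConf", {})
    return refine.get("replicate.macros", "false").lower() in ("true", "1", "yes")


def bundle_macro_files(bundle_bytes: bytes) -> List[str]:
    """Return every macros.conf member found inside a bundle tarball."""
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:*") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and os.path.basename(m.name) == "macros.conf")


def find_macro_in_bundle(bundle_bytes: bytes, macro_name: str) -> List[str]:
    """Return the macros.conf paths inside the bundle that define macro_name."""
    hits: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not (m.isfile() and os.path.basename(m.name) == "macros.conf"):
                continue
            fh = tar.extractfile(m)
            if fh is None:
                continue
            if macro_name in parse_conf(fh.read().decode("utf-8", "replace")):
                hits.append(m.name)
    return hits


def scan_search_peer(splunk_home: str, macro_name: str) -> Dict[str, List[str]]:
    """Run on a search peer: map each replicated bundle to the macros.conf
    files defining macro_name. Bundle path is an assumption about Splunk's layout."""
    pattern = os.path.join(splunk_home, "var", "run", "searchpeers", "*.bundle")
    result: Dict[str, List[str]] = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, "rb") as f:
            result[path] = find_macro_in_bundle(f.read(), macro_name)
    return result


def build_sample_bundle() -> bytes:
    """Construct a tiny in-memory bundle (constructed sample, not a real one)."""
    files = {
        "apps/TA-example/default/macros.conf": "[s1_index]\ndefinition = index=sample_s1\n",
        "apps/TA-example/default/eventtypes.conf":
            "[s1_threat]\nsearch = `s1_index` sourcetype=threat\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    conf = "[replicationSettings:refineConf]\nreplicate.macros = true\n"
    print("replicate.macros enabled:", macros_replication_enabled(conf))
    sample = build_sample_bundle()
    print("macros.conf in bundle:", bundle_macro_files(sample))
    print("s1_index defined in:", find_macro_in_bundle(sample, "s1_index"))
```

If replicate.macros is enabled on the search head and the peer's newest bundle still lists no macros.conf defining the macro, the bundle was built before the setting took effect (or the TA's macros.conf is not in the app being replicated); if the macro is present in the bundle and the error persists, the peer is not resolving it, which is the version-specific behaviour discussed in this thread.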
Hi,
I am also facing the same issue in Splunk version 7.1.1. I tried adding the config in distsearch.conf as well; still it does not work out. Do you have the resolution for this?
Thanks martin_mueller.
Running on 6.5.2. I will update my splunk to latest version.
There was an actual bug in Splunk for a while that was preventing this from working. I don't know if it was ever officially fixed or not, but I gave up on using macros in eventtypes being that everything seemed to be brittle or unreliable.
Last time I heard others discussing it, they seemed to indicate it was still an issue.
Yes, it was listed and fixed in the latest Splunk version.
Find the comment below from martin_mueller.