eventtype which contains macro is not working

thambisetty
SplunkTrust

Hi Splunkers,

I have a distributed environment. When I try searching for an eventtype which contains a macro, it is not working.

I have seen docs saying that macros are by default skipped from the search head knowledge bundle. But I have added distsearch.conf in the TA where the eventtype resides, and I can see macros.conf in the knowledge bundle getting replicated to the search peers. Still, I am not able to get results from the eventtype. When I expand the eventtype in search, it shows results.

Thanks in advance.

————————————
If this helps, give a like below.
1 Solution

martin_mueller
SplunkTrust

What version of splunk are you using?

If you're on 6.5.x, upgrade to 6.5.3: http://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/6.5.3#Uncategorized_issues
If you're on 6.4.x, wait for 6.4.7 (allegedly).
If you're on 6.3.x, upgrade to 6.5.3 🙂
If you're on 6.2.x or earlier, eventtypes with macros should work.

ww9rivers
Contributor

We are running Splunk 7.0.3, in a distributed setting.

On a search cluster running Splunk Enterprise Security, we added the SentinelOne TA and made it work inside ES to search with a macro (s1_index) defined in the TA.

However, when searching in ES with "tag=malware" which pulls in that macro, we get these error messages from our indexers:

Error in 'SearchParser': The search specifies a macro 's1_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Inspecting the search job, I find this in the "remoteSearch":

( `s1_index` sourcetype=threat )

That seems to mean that the macro is not expanded locally before dispatch, nor is the macro definition included in the search bundle.

0 Karma

martin_mueller
SplunkTrust

Did you configure distsearch.conf as mentioned in the question?

0 Karma

ww9rivers
Contributor

Yes. I have added this stanza in the distsearch.conf file:

[replicationSettings:refineConf]
replicate.macros = true
0 Karma
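The two preconditions discussed in the question and in the reply above (the refineConf stanza in distsearch.conf, and macros.conf actually landing in the knowledge bundle) can be checked mechanically. The script below is an added example written for this thread, not code from Splunk or from the thread's authors; the bundle layout `apps/<app>/default/*.conf`, the macro definition `index=sentinelone` and the `TA-example` app name are constructed for illustration. Passing both checks does not rule out the Splunk version bug the accepted answer points at.

```python
import configparser
import io
import tarfile
from typing import List

REFINE_STANZA = "replicationSettings:refineConf"

# Constructed sample of the stanza posted in the thread above.
SAMPLE_DISTSEARCH_CONF = "[replicationSettings:refineConf]\nreplicate.macros = true\n"


def macro_replication_enabled(conf_text: str) -> bool:
    """True if distsearch.conf opts macros.conf into the knowledge bundle.

    Splunk skips macros.conf by default, so the key must be present and true."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    value = parser.get(REFINE_STANZA, "replicate.macros", fallback="false")
    return value.strip().lower() in ("true", "1", "yes")


def bundle_macro_files(bundle_bytes: bytes) -> List[str]:
    """Return every macros.conf member inside a bundle (assumed to be a tar archive)."""
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:*") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and m.name.split("/")[-1] == "macros.conf")


def build_sample_bundle(include_macros: bool) -> bytes:
    """Construct an in-memory bundle laid out like apps/<app>/default/*.conf."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, text: str) -> None:
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("apps/TA-example/default/eventtypes.conf",
            "[s1_threats]\nsearch = `s1_index` sourcetype=threat\n")
        if include_macros:  # constructed macro definition, not the real TA's
            add("apps/TA-example/default/macros.conf",
                "[s1_index]\ndefinition = index=sentinelone\n")
    return buf.getvalue()


def diagnose(conf_text: str, bundle_bytes: bytes) -> str:
    """Explain why an eventtype's macro may be unresolvable on the search peers."""
    if not macro_replication_enabled(conf_text):
        return "replicate.macros is not enabled in distsearch.conf"
    if not bundle_macro_files(bundle_bytes):
        return "bundle contains no macros.conf; check app scope and bundle push"
    return "macros.conf is in the bundle; a remaining failure points at the Splunk version"
```

On a real deployment, feed `diagnose()` the app's distsearch.conf and a bundle file read from the search peer's bundle directory.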

sujanay02
New Member

Hi,
I am also facing the same issue in Splunk version 7.1.1. I tried adding the config in distsearch.conf as well; it still does not work. Do you have the resolution for this?

0 Karma

thambisetty
SplunkTrust

Thanks martin_mueller.

Running on 6.5.2. I will update my Splunk to the latest version.

————————————
If this helps, give a like below.
0 Karma

rjthibod
Champion

There was an actual bug in Splunk for a while that was preventing this from working. I don't know if it was ever officially fixed or not, but I gave up on using macros in eventtypes being that everything seemed to be brittle or unreliable.

Last time I heard others discussing it, they seemed to indicate it was still an issue.

thambisetty
SplunkTrust

Yes, it was listed and fixed in the latest Splunk version.

Find the comment below from martin_mueller.

————————————
If this helps, give a like below.
0 Karma