I'm trying to create a correlation search that uses a macro from a custom application, but when I try to save it, I get the error: There was an error saving the correlation search. Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information. Trying to run the search within Enterprise Security returns the same error: Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information. I have looked in Advanced Search->Search macros, and the custom macro definitely does exist and is spelled correctly, and I have edited the permissions so that is available in all apps and all users have "read" permission. If I run the same search from another app such as Search & Reporting, or another custom application, it executes without any errors and returns data. The only app that cannot run it is Enterprise Security. What might be causing this? ... View more

I've written some Correlation Searches in Enterprise Security and saved them in a custom app: "SA-Custom". I've chosen Notable event as the adaptive response and filled in some amount of detail: Title, Drill-down search, etc. The searches run fine and generate Notable events, but none of the detail I've written comes through to the Incident Response dashboard, and all of my alerts are completely blank except for the title, which is in the format " Access - nameofsearch - Rule", not the title I specified in the Notable Event settings. Is there something missing that's keeping my adaptive response settings from taking effect when the notable event is generated? ... View more

Hi, I am trying to create a credential in Splunk Enterprise Security's credential management feature, but I keep getting the error: Credential updating failed on host: https://127.0.0.1:8089. II think this may be related to the format of the username, which is "user\name". There is no warning against using backslashes, but credentials created without them don't cause this error, and when I attempted to delete it via curl, it threw an error "no user called username", ignoring the backslash. Attempting to escape the backslash didn't work. This is unfortunately the user needed to bypass the proxy, so how can I create this user with a backslash included? ... View more

Hi, I recently migrated a Splunk instance from a Windows environment to a Linux environment. Since the migration, dashboards on the "License Usage" page have been displaying usage values up to ten times larger than are actually being indexed. There have been no license violations, so this data can't be correct. What might be causing this? ... View more

I've configured my own asset list, and now I want to stop asset information from the "demo assets" lookup from showing up in Dashboards, searches, etc. I've disabled the asset in the ES configuration, but it hasn't had any effect. How can I get rid of this junk data? ... View more

Hi, I'm trying to add a new asset list to Splunk Enterprise Security. I can see the lookup in Configuration->Data Enrichment->Identity Management, but it's not showing up when I search for assets: " assets returns only the demonstration assets. I tried to force a merge with *$SPLUNK_HOME/bin/splunk cmd splunkd print-modinput-config identity_manager | $SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/SA-IdentityManagement/bin/identity_manager.py --username=admin *, but this had no effect. The search suggested in the documentation to verify the merge (index=_internal source=*python_modular_input.log "Updated: target lookup table") shows 0 results, but searching these logs for errors returns numerous instances of the error in the title. Sample log: 2016-07-22 09:08:38,411 ERROR pid=80905 tid=asset file=lookup_modinput.py:streaming_merge_task:298 | status="Error processing record" count="1518" record="fields(ip='xx.x.xx.xx', mac='xxxxxx', nt_host='xxxxxxxx', dns='', owner='', priority='', lat='', long='', city='', country='', category='', pci_domain='', is_expected='', should_timesync='', should_update='', requires_av='')" Traceback (most recent call last): File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/lookup_conversion/lookup_modinput.py", line 288, in streaming_merge_task success = output_handler.process_streaming_record(result) File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/lookup_conversion/output.py", line 147, in process_streaming_record for field, value in [(k, v) for k, v in record.iteritems() if k != self.KEY_FIELD]: AttributeError: 'NoneType' object has no attribute 'iteritems' Does anybody know what this error is referring to, and how I can fix or get around it? Many thanks. ... View more

I have a Heavy Forwarder set to forward load balanced data to two Splunk indexers on 9997. When I enable receiving on the indexers (via Settings -> Forwarding and Receiving -> Configure Receiving), no data is showing up. Examining the splunkd.log on the forwarder and indexers shows the connection is being made with no errors. If I enable a Data Input to listen to port 9997, I can see data showing up in the index, albeit cooked data, which isn't readable - so the data is making it to the Splunk server, but just not showing up when I configure it to receive from another Splunk. What might be causing this? ... View more

A Splunk Universal Forwarder has been using an unusual amount of CPU (between 40% and 50%), specifically by splunk-winevtlog.exe. Checking the splunkd.log shows this error occurring fairly constantly: INFO PipelineComponent - <process> took longer than seems reasonable (xxxxx milliseconds) in callbackRunnerThread. Might indicate hardware or splunk limitations. The offending process varies between "triggerCollection" and "metricsmanager:probeandreport". I can't find a clear indication of what either of these processes does. The server has higher than the minimum recommendations - 4GB RAM and a 2.4 Ghz processor - so it shouldn't be hardware limitations. What other limitations can this error be referring to? ... View more