Hello Splunkers,  I recently deployed ES and went through a "proper' installation. I'm running into an issue with most dashboards and looking at logs this is what I see: "Error in 'SearchParser': The search specifies a macro 'cim_Network_Traffic_indexes' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information." When I go into the macro settings and click on the macro it takes me to the CIM Setup page AND the macro is enabled, spelled correctly, and exists! I've tried (and sometimes this works) to create my own macro with same name and global settings. But does not work 100% of the time.  Has anyone run into this? Thanks! Best, A ... View more

Hello Splunkies,  Having some issues with getting ES dashboards to populate...  Query for Network Traffic Dashboard titled, "Traffic Search" :  | tstats `summariesonly` max(_time) as _time,values(All_Traffic.action) as action,values(All_Traffic.src_port) as src_port,count from datamodel=Network_Traffic.All_Traffic where * $action_dm$ $src_dm$ $dest_dm$ $transport_dm$ $dest_port_dm$ by All_Traffic.src,All_Traffic.dest,All_Traffic.transport,All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | sort - count | fields _time,action,src,src_port,dest,transport,dest_port,count Error I get when launching: Error in 'TsidxStats': WHERE clause is not an exact query. Thanks in advance for the help!    ... View more