Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found?

Gaikwad
Explorer
‎09-30-2022 02:43 AM

I'm getting this error after upgrading Microsoft 365 app in Splunk 

error - Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Labels (2)
Labels
0 Karma
Reply

Gaikwad
Explorer
‎10-03-2022 10:03 PM

Hi 

as I check TA is already updated, but unable to fix this issue. how can we define m365_default_index

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-04-2022 01:45 AM

When I looked microsoft_cloud_app/default/macro.conf that is defined like

[m365_default_index]
iseval = 0
definition = (index=main OR index=*)

You could use that in context of that app (microsoft_cloud_app) without any additional configuration. But if you want to use it also e.g. in search app then you must grant access to this app or at least to this macro as system/global. After that you can use it any where.

Probably easiest way to do this is just open in GUI (inside this app) all macros and then grant that global access to it.

Settings -> Advanced search -> Search Macros 

Then grant access to this object.

0 Karma
Reply

Gaikwad
Explorer
‎10-05-2022 09:54 PM

Hi @isoutamo 

Thanks for your reply.

as I check both Microsoft 365 app and Add-on got updated already since the Microsoft 365 app dashboards are not working. there are few observations I would like to share

1.  few dashboard query which contain `m365_default_index` sourcetype="o365:management:activity"            are working fine and showing data.
 2. dashboard query which contains `m365_default_index` sourcetype="o365:graph:api" , `m365_default_index` sourcetype="o365:service:healthIssue"  OR `m365_default_index` sourcetype="o365:graph:api"  are not showing any details.  before update it was working fine.

please note I'm checking this in Microsoft 365 app -> Executive overview 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 03:20 AM

Hi

have you followup upgrade instructions?

This error means that you haven't have macro which is named as m365_default_index which define to where you have stored all m365 events. I cannot recall if this macro is defined in this app or was there a separate TA for Splunk KOs which this app is needed. I guess that the last one is how it works now. This means that you must also update that TA to correct version, grant global access to it and then define local version of this macro to define where those events are found.

On https://splunkbase.splunk.com/app/3786/#/details is said that you are needing https://splunkbase.splunk.com/app/4055/. The installation/upgrade instructions are here https://docs.splunk.com/Documentation/AddOns/released/MSO365/Install

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...