Splunk Search

eventtype which contains macro is not working

thambisetty
SplunkTrust

Hi Splunkers,

I have a distributed environment. When I try searching with an eventtype which contains a macro, it is not working.

I have seen docs saying that macros are by default skipped from the search head knowledge bundle. But I have added distsearch.conf in the TA where the eventtype resides, and I can see macros.conf in the knowledge bundle getting replicated to the search peers. Still, I am not able to get results from the eventtype. When I expand the eventtype in the search, it shows results.

Thanks in advance.

————————————
If this helps, give a like below.
1 Solution

martin_mueller
SplunkTrust

What version of Splunk are you using?

If you're on 6.5.x, upgrade to 6.5.3: http://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/6.5.3#Uncategorized_issues
If you're on 6.4.x, wait for 6.4.7 (allegedly).
If you're on 6.3.x, upgrade to 6.5.3 🙂
If you're on 6.2.x or earlier, eventtypes with macros should work.

ww9rivers
Communicator

We are running Splunk 7.0.3, in a distributed setting.

On a search cluster running Splunk Enterprise Security, we added the SentinelOne TA and made it work inside ES to search with a macro (s1_index) defined in the TA.

However, when searching in ES with "tag=malware" which pulls in that macro, we get these error messages from our indexers:

Error in 'SearchParser': The search specifies a macro 's1_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Inspecting the search job, I find this in the "remoteSearch":

( `s1_index` sourcetype=threat )

That seems to mean that the macro is not expanded locally before dispatch, nor is the macro definition included in the search bundle.

0 Karma

martin_mueller
SplunkTrust

Did you configure distsearch.conf as mentioned in the question?

0 Karma

ww9rivers
Communicator

Yes. I have added this stanza in the distsearch.conf file:

[replicationSettings:refineConf]
replicate.macros = true

0 Karma
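
The two posts above come down to one question: is the macro an eventtype invokes actually defined, and is macros.conf opted into the bundle that reaches the peers? The script below is an added example, not code from the thread or from Splunk; it parses constructed eventtypes.conf, macros.conf and distsearch.conf bodies (the macro and eventtype names in them are made up), reports eventtypes that reference a macro missing from macros.conf, and checks for the `replicate.macros = true` setting. It assumes only the standard INI-style .conf syntax and the `name(N)` stanza convention for N-argument macros.

```python
"""Offline pre-flight for the problem in this thread: find eventtypes whose
search invokes a macro, check each macro against macros.conf, and confirm
that distsearch.conf opts macros into the knowledge bundle.

The three .conf bodies below are constructed samples standing in for an
app's local/ files; the macro and eventtype names are made up."""
import configparser
import re

EVENTTYPES_CONF = """\
[s1_threat]
search = ( `s1_index` sourcetype=threat )
tags = malware

[web_errors]
search = `web_index(2h, 500)` status=500

[legacy]
search = `old_index` sourcetype=legacy
"""

MACROS_CONF = """\
[s1_index]
definition = index=sentinelone

[web_index(2)]
args = window, code
definition = index=web earliest=-$window$ status=$code$
"""

DISTSEARCH_CONF = """\
[replicationSettings:refineConf]
replicate.macros = true
"""

# Matches `name` or `name(arg1, arg2)` inside a search string.
MACRO_REF = re.compile(r"`([A-Za-z0-9_]+)(?:\(([^)]*)\))?`")


def load_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def macro_refs(search):
    """Return macros.conf stanza names for every macro invoked in a search:
    'name' for no-argument macros, 'name(N)' for N-argument macros."""
    refs = []
    for name, args in MACRO_REF.findall(search):
        argc = len(args.split(",")) if args.strip() else 0
        refs.append(f"{name}({argc})" if argc else name)
    return refs


def undefined_macros(eventtypes, macros):
    """Map each eventtype to the macros it invokes that macros.conf lacks."""
    missing = {}
    for name, body in eventtypes.items():
        gaps = [m for m in macro_refs(body.get("search", "")) if m not in macros]
        if gaps:
            missing[name] = gaps
    return missing


def macros_replicated(distsearch):
    """True when [replicationSettings:refineConf] sets replicate.macros = true,
    i.e. macros.conf is shipped to the search peers in the knowledge bundle."""
    stanza = distsearch.get("replicationSettings:refineConf", {})
    return stanza.get("replicate.macros", "false").strip().lower() == "true"


if __name__ == "__main__":
    eventtypes = load_conf(EVENTTYPES_CONF)
    macros = load_conf(MACROS_CONF)
    for et, gaps in undefined_macros(eventtypes, macros).items():
        print(f"eventtype [{et}] references undefined macro(s): {', '.join(gaps)}")
    if not macros_replicated(load_conf(DISTSEARCH_CONF)):
        print("distsearch.conf does not replicate macros; peers will not see them")
```

Run against a real app by reading the three files from its `local/` (and `default/`) directory instead of the constructed strings. A clean result from this check rules out a missing definition or a bundle that omits macros.conf; it does not rule out the version-specific bug discussed in this thread, where the macro is neither expanded on the search head nor resolvable on the peers even with replication enabled.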

sujanay02
New Member

Hi,
I am also facing the same issue in Splunk version 7.1.1. I tried adding the config in distsearch.conf as well; it still does not work. Do you have the resolution for this?

0 Karma

thambisetty
SplunkTrust

Thanks, martin_mueller.

Running on 6.5.2. I will update my Splunk to the latest version.

————————————
If this helps, give a like below.
0 Karma

rjthibod
Champion

There was an actual bug in Splunk for a while that was preventing this from working. I don't know if it was ever officially fixed or not, but I gave up on using macros in eventtypes, since everything seemed to be brittle or unreliable.

Last time I heard others discussing it, they seemed to indicate it was still an issue.

thambisetty
SplunkTrust

Yes, it was listed and fixed in the latest Splunk version.

See the comment below from martin_mueller.

————————————
If this helps, give a like below.
0 Karma