Splunk Search

How come a specific macro ends up in generic searches and breaks some of them?

danielbb
Motivator

We use the TA-Varonis-DatAlert and it creates the varonis_index macro defined as index=*, which is global.

When running a generic search such as index = _internal sourcetype=splunkd, we see errors from all the indexers saying -

-- 10-17-2019 14:38:32.526 ERROR SearchParser - The search specifies a macro varonis_index that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

How come this specific macro ends up in such a generic search?

0 Karma
1 Solution

yannK
Splunk Employee

Looks like the app or the macro is not global; change that if you want to use the macro outside of the app.

However, to have the macro apply to another search, look at:

  • automatic eval fields that may be calling the macro
  • tags or eventtypes calling the macro
  • role search restrictions that may be using the macro

danielbb
Motivator

Thank you @yannK

$SPLUNK_HOME/etc/apps/TA-Varonis-DatAlert/default/eventtypes.conf starts with -

[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"

Based on the discussions with Splunk and Varonis Support teams, it seems that the varonis_index macro within the eventtypes causes the macro to be embedded in searches such as index = _internal sourcetype=splunkd, which is hard for me to grasp.

0 Karma
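The mechanism danielbb describes is a scope mismatch: the eventtype is shared globally, so Splunk tries to expand it in every search, but the macro it calls is only visible inside the app. The following added check (not part of the thread or of the Varonis TA) scans eventtypes.conf, macros.conf and the app's default.meta/local.meta for exactly that pattern; the conf contents are constructed samples, and the parser assumes no line continuations or parameterised macros.

```python
import re

# Constructed sample conf text (not the real TA's files): an exported eventtype calling an app-private macro.
EVENTTYPES_CONF = """\
[possible_credential_stuffing_attack_from_a_single_source]
search = `varonis_index` sourcetype=varonis:ta cef_vendor="Varonis Inc."
[splunkd_errors]
search = index=_internal sourcetype=splunkd log_level=ERROR
"""
MACROS_CONF = """\
[varonis_index]
definition = index=*
"""
# default.meta / local.meta: 'export = system' shares an object with every app
METADATA_CONF = """\
[eventtypes]
export = system
[macros/varonis_index]
export = none
"""
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)`")  # parameterless macro calls only

def parse_conf(text):
    """Minimal .conf parser -> {stanza: {key: value}}; no line continuations."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None and not line.startswith("#"):
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def export_of(meta, kind, name):
    # per-object stanza ([macros/name]) wins, else the per-kind default ([macros])
    obj = meta.get(f"{kind}/{name}", {}).get("export")
    return obj if obj is not None else meta.get(kind, {}).get("export", "none")

def find_macro_scope_problems(eventtypes, macros, meta):
    # report macros used by globally exported eventtypes that are missing or app-private
    problems = []
    for name, attrs in eventtypes.items():
        if export_of(meta, "eventtypes", name) != "system":
            continue  # private eventtype: only this app's searches expand it
        for macro in MACRO_RE.findall(attrs.get("search", "")):
            if macro not in macros:
                problems.append(f"{name}: `{macro}` is not defined in macros.conf")
            elif export_of(meta, "macros", macro) != "system":
                problems.append(f"{name}: `{macro}` is not exported globally")
    return problems
```

Run it against a real app by reading the three files from $SPLUNK_HOME/etc/apps/<app>/ (default and local merged) and feeding them to the same functions.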

danielbb
Motivator

Replacing the call for the macro varonis_index with the explicit index=<index name> solved the issue.

0 Karma

yannK
Splunk Employee
Splunk Employee

Cool, you can probably mark the answer as accepted; it will help the other users.

0 Karma

danielbb
Motivator

Thank you @yannK

0 Karma