What is the root cause of the message preventing s...

landen99 · ‎02-19-2020

What is the root cause of the message preventing saving a search:

Error in 'SearchParser': The search specifies a macro..
This error started appearing after a migration from an old SHC to a new SHC.

The resolution was to move the macro to the same app as the search, even though it was set to Global sharing, but that doesn't explain the root cause. The error returns when the macro is moved back to the original app.

jpolvino · ‎02-19-2020

What happens when you grab that search and run it on its own in the app, with the macro in its native location set as global?

Same as above, but with the macro homed to the app you're running from?

One test in each case is to expand all the macros with Control-Shift-E. Might take a minute.

When I'm in app "A" and do Control-Shift-E on a macro from app "B" that is shared global (with Everyone=Read, Power=Write) it expands and works fine.

Finally, check your App permissions (where the macro lives). Mine says Everyone=Read, Power=Write, and the bottom radio button is true.

landen99 · ‎02-19-2020

The macro works fine at the SPL line. Permissions are global.

niketn · ‎02-20-2020

@landen99 if you put back the SPL for macro wildfire do the other macros work? Have you checked permission/app for other macros and compare them with wildfire in case others work?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

What is the root cause of the message preventing saving a search: "Error in 'SearchParser': The search specifies a macro.."

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?