Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

indexer_cluster_name macro not found #19

Closed
barrettnet opened this issue Aug 28, 2023 · 2 comments
Closed

indexer_cluster_name macro not found #19

barrettnet opened this issue Aug 28, 2023 · 2 comments

Comments

@barrettnet
Copy link

There are 14 references to a macro called indexer_cluster_name in default/savedsearches.conf Some of these supply a single argument while others supply none. default/macros.conf defines [index_cluster_name(1)] which means that those that do not provide an argument are silently failing within an error in index=_internal about the indexer_cluster_name macro not being found.

index=_internal sourcetype=splunkd TERM(SearchParser) component=SearchParser TERM(ERROR) log_level=ERROR event_message="The search specifies a macro * that cannot be found.*"

I believe that the fix is to also define a variant of the indexer_cluster_name macro which does not accept any arguments:

[indexer_cluster_name]
definition = "default"
iseval = 0
@gjanders
Copy link
Owner

Thankyou for finding that, I've put some updates into the testing branch and will try to get that released today

gjanders added a commit that referenced this issue Aug 28, 2023
@gjanders
New alerts:
5011aca 
- `SearchHeadLevel - summary indexing searches not using durable search`

New macros:
- `indexer_cluster_name` without any parameters created as per issue #19 (barrettnet)

New reports:
- `SearchHeadLevel - audit.log - lookup usage`
- `SearchHeadLevel - license usage per sourcetype per index`
- `SearchHeadLevel - Lookup file owners`
- `IndexerLevel - RemoteSearches - lookup usage`

Updated alerts:
- `AllSplunkEnterpriseLevel - Splunkd Log Messages Admins Only` - more matching criteria
- `SearchHeadLevel - Scheduled Searches That Cannot Run` - as per issue #18 (AHCL1)
- `SearchHeadLevel - SHC Captain unable to establish common bundle` - additional exclusion for Splunk 9.0.x

Updated reports:
- `IndexerLevel - platform_stats.indexers totalgb measurement` - added * to the end of `license_usage.log`, updated `indexer_cluster_name` with parameter as per issue #19 (barrettnet)
- `IndexerLevel - platform_stats.indexers totalgb_thruput measurement` - updated `indexer_cluster_name` with parameter as per issue #19 (barrettnet)
- `SearchHeadLevel - Search Queries summary exact match` - removed newlines to improve accuracy
- `SearchHeadLevel - Search Queries summary non-exact match` - removed newlines to improve accuracy

Updated recommended links in nav menu
@gjanders
Copy link
Owner

Released version 3.0.8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gjanders @barrettnet