We have Splunk QA and Splunk prod in cluster mode. On QA everything is running as expected, data is populated and dashboards with info are displayed properly. However, when the same settings are transferred to Splunk production, the dashboards are not displaying. The files are populated, as the DevOps confirmed that it is getting data.
- Permissions are global;
- Copied Qualys-TA to indexers (as apparently macro.conf is not replicated by default): ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.
- Created macro.conf in the Splunk-Qualys-TA folder /local/macro.conf and copied the config from the QA instance.
Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
We still see last 3 rows of the failing search:
ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'SearchParser': The search specifies a macro 'qualys_host_summary_event' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.
If I run this search (part of the dashboard), but replace prestats with stats, as "prestats" is not recognized that way:
(`qualys_host_summary_event` (sourcetype="qualys:hostDetection" OR sourcetype="qualys_vm_detection") "HOSTSUMMARY") | addinfo type=count label=prereport_events track_fieldmeta_events=true | fields keepcolorder=t "HOST_ID" "prestats_reserved_*" "psrsvd_*" | stats distinct_count(HOST_ID)
I get results, in this case 2850.
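A small offline check that reproduces what the SearchParser error above is complaining about, added here as an example and not part of the original post or the Qualys TA: it parses a macros.conf file, pulls every `macro` or `macro(args)` reference out of a search string, and reports the references that have no matching stanza (name and argument count). The macros.conf and default.meta contents below are constructed samples, not the TA's real files, and the macro definitions in them are placeholders.

```python
import configparser
import re

# Constructed sample macros.conf (placeholder definitions, not the TA's real file).
SAMPLE_MACROS_CONF = """
[qualys_host_summary_event]
definition = sourcetype="qualys:hostDetection" OR sourcetype="qualys_vm_detection"

[cs_get_index(1)]
args = idx
definition = index="$idx$"
"""

# Constructed sample metadata/default.meta granting global read on the macros.
SAMPLE_DEFAULT_META = """
[macros]
export = system
access = read : [ * ], write : [ admin ]
"""

# Matches `name` or `name(arg1, arg2)` inside a search string.
MACRO_REF = re.compile(r"`([A-Za-z_]\w*)(\(([^`]*)\))?`")


def _load_conf(text):
    """Splunk .conf files are INI-like; disable interpolation so $idx$ survives."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp


def parse_macros_conf(text):
    """Return {(name, arity): definition} for every macro stanza in macros.conf."""
    cp = _load_conf(text)
    macros = {}
    for section in cp.sections():
        # Stanza is either [name] (no args) or [name(N)] with N = argument count.
        m = re.fullmatch(r"(\w+)(?:\((\d+)\))?", section.strip())
        if not m:
            continue
        name, arity = m.group(1), int(m.group(2) or 0)
        macros[(name, arity)] = cp.get(section, "definition", fallback="")
    return macros


def referenced_macros(spl):
    """Return the set of (name, arity) pairs referenced with backticks in a search."""
    refs = set()
    for m in MACRO_REF.finditer(spl):
        name, arglist = m.group(1), m.group(3)
        arity = 0 if not arglist or not arglist.strip() else len(arglist.split(","))
        refs.add((name, arity))
    return refs


def missing_macros(spl, macros_conf_text):
    """Sorted list of referenced macros that macros.conf does not define."""
    defined = parse_macros_conf(macros_conf_text)
    return sorted(ref for ref in referenced_macros(spl) if ref not in defined)


def macros_exported_globally(meta_text):
    """True if the [macros] stanza in default.meta exports the macros system-wide."""
    cp = _load_conf(meta_text)
    return cp.get("macros", "export", fallback="").strip() == "system"


if __name__ == "__main__":
    search = ('`qualys_host_summary_event` "HOSTSUMMARY" | stats distinct_count(HOST_ID)')
    print("missing:", missing_macros(search, SAMPLE_MACROS_CONF))
    print("global export:", macros_exported_globally(SAMPLE_DEFAULT_META))
```

Running it against the dashboard search from the post reports no missing macro when the stanza exists and the [macros] stanza exports globally; swapping in a search that references an undefined name, or a name with a different argument count than its stanza, lists it, which is the same condition that produces the "macro ... cannot be found" error.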