AnsweredAssumed Answered

Qualys - Splunk integration - macro not found

Question asked by Ivelin Penchev on Feb 18, 2020
Latest reply on Feb 26, 2020 by Ivelin Penchev

Hi All,

 

We have Splunk QA and Splunk prod in cluster mode. On QA evrything is running as expected, data is populated and dashboards with info is displayed properly. However the same settings are transferred to Splunk production bit the dashboards are not displaying. The files are populated as the DevOps confirmed that it is getting data.

We tried/checked:

- Permissions are global;

- Copied Qulays -TA to indexers (as apparently macro.conf is not replicated by default):ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found. - Question | Splunk Answers 

- Created macro.conf in Splunk-Qulays-TA folder /local/macro.conf and copied the config from the QA instance.

- Also checked: Troubleshooting Splunk Error "Search Process Did Not Exit Cleanly" • Helge Klein 

 

Issue:

Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.

Error1

We still see last 3 rows of the failing search:

ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'SearchParser': The search specifies a macro 'qualys_host_summary_event' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

If I run this search (part of the dashboard), but replace prestats with stats, as "prestats" is no recognized that way: 

(`qualys_host_summary_event` (sourcetype="qualys:hostDetection" OR sourcetype="qualys_vm_detection") "HOSTSUMMARY") | addinfo  type=count label=prereport_events track_fieldmeta_events=true | fields  keepcolorder=t "HOST_ID" "prestats_reserved_*" "psrsvd_*" | stats  distinct_count(HOST_ID)

I get results - in this case 2850

Outcomes