Why is License Monitor for Splunk unable to locate...

Hutch · ‎08-23-2022

We are currently attempting to locate why a scheduled search cannot run. We were finally able to locate the search and the reason why. The search that cannot run is a default search that is apart of a default dashboard within the License Monitor for Splunk application that is located on Splunk Base. The search is failing because a macro is either misspelled or does not exist, which in this case it appears that it does not exist.

The macro 'index_assignment_notable_management' does not exist. I was wondering if this macros is perhaps located within another app or if it is no longer contained within the app?

https://splunkbase.splunk.com/app/3521/

gcusello · ‎08-24-2022

Hi @Hutch,

the above marco is present in this app (your can see it in default/macros.conf), so you should see if there's some grants problem: what's the role associated to the app and to the macro?

your user has the grants to use it?

anyway, you could solve the problem giving execution grants to all (not writing rights).

Only for my knowledge: why do you need this app? the Monitoring Copsole isn't sufficient for your needs?

Ciao.

Giuseppe

Hutch · ‎08-24-2022

I just checked the default/macros.conf file and was unable to locate the macro as it appears to be missing. I also installed the app on one of our sandbox servers and was still unable to locate the app. The app is shared with everyone having read access and only admins and power users being able to write to it.

Do I need to give execution rights when the macro doesn't appear in the default/macros.conf file for my environment?

To be honest, I am not sure. I have recently taken over this environment and am working on cleaning up any searching issues at the moment. I would imagine it was used by the previous administrator for something.

gcusello · ‎08-25-2022

Hi @Hutch,

Sorry I confused another similar macro ("index_assignment_notable_license_management").

Which app version are you using?

I downloaded the last version (2.1.0) of the app, but I didn't find the macro you mentioned.

Anyway, try ro replace in your dashboard the macro "index_assignment_notable_management" with the macro "index_assignment_notable_license_management", probably it was an error.

Ciao.

Giuseppe

Hutch · ‎08-25-2022

It is also on version (2.1.0). I also see the marcro ("index_assignment_notable_license_management").

I will try replacing them. If this doesn't work I will most likely remove it as it is not really needed and to my knowledge nobody is using it.

gcusello · ‎08-26-2022

Hi @Hutch,

don't remove this macro because it's used in almost all the panels.

Try to use this macro replacing the missing macro in your dashboard, probably it's the correct one.

What's the dashboard using this macro? i didn't find it.

Ciao.

Giuseppe

Hutch · ‎08-31-2022

@gcusello

We ended up remove the app. We were not using it and we are in the process of cleaning up thing that are no longer needed. Removing the app resolved the issue.

gcusello · ‎08-31-2022

Hi @Hutch,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Why is License Monitor for Splunk unable to locate macro?

configuration

other

troubleshooting

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector