Remove macros from eventtypes.

[larrys]

Macros are not pushed down to the indexers. This causes issues when searches use eventypes with macros inside them. All the dashboards already specify the macro, so why duplicate it in the eventtype? This will help fix app installs in Splunk Cloud where we don't have access to easily push the macros down to the indexers.

[derkkila-splunk]

My main issue with removing the macros is the added compute pressure without including the indexes. We could either add the indexes to the eventtypes OR specify that the app also needs to be installed on the indexers.

[larrys]

My main issue with removing the macros is the added compute pressure without including the indexes. We could either add the indexes to the eventtypes OR specify that the app also needs to be installed on the indexers.

As long as the self service install works, without having to create a support ticket is ideal.

[derkkila-splunk]

That is a good call out. Let me talk with the Cloud team and see how that functions with Self Service.

[NeilJed]

Just adding a comment as this issue is making the app pretty much un-suable for us. Github Clould -> Splunk Cloud none of the dashboards are working because the eventtype field is missing.

[derkkila-splunk]

Ok, so the issue isn't with the eventtypes but instead the macros that power them not being replicated to the indexers. I am testing a fix for this right now. I'll close this PR as we have a solution to maintain both the eventtypes and solve the issues reported.