
Eventtype vs. Saved Search


What is the difference between an “eventtype” and a “Saved Search”? While I know eventtypes can be entered right into the Search box, it seems like they serve a similar purpose as Saved Searches.


Splunk Employee

They do not serve the same purpose. First of all, an event type can only express terms of a base index query, not a full search or any other Splunk search commands. So there are many places where they cannot be used. Saved searches can also be used in dashboards and populated automatically into menus.

The most important and the most distinct feature of event types is that they are automatically evaluated and applied to every single event that you query and return. Saved searches do not do this. This is extremely powerful functionality as it allows Splunk to classify data into event types. However, if you don't need this auto-classification, you incur an unnecessary cost on every single search you perform. The more event types you have in scope when you run a search, the more the cost. If you do not need this auto-classification, you should avoid this cost. Note that even if you are looking at events where you have no interest or expectation that event types might apply, every event returned is checked against every event type regardless. (But Splunk does optimize and will not run the event typer for some queries if it can determine that the event types field is unnecessary, so it's not that bad.)

Event types have other functionality other than the auto-classification that may be desirable. However, this functionality is available without incurring the event type retrieval costs by using other features in Splunk.

Using event types as abbreviations or modularizers for search is not a good idea, as it is wasteful, and macros do it better. If you just want to abbreviate a portion of a search, it is much better to use macros. They are more flexible in what they can express, can include other search commands and not just base query terms, can be parameterized, and do not incur costs when events are retrieved. This can sometimes be easier to manage, since, for example, a single parameterized macro can take the place of multiple event types.

Even if you want Splunk to perform auto-classification, if your classification is based on a uniform set of fields with fixed values, then you will be better off using a lookup table rather than creating many event types. For example, if you are classifying Windows events into categories based on the log name and the event id, you get better performance and easier maintenance by constructing a lookup table.

Event types are powerful and have their place, but they are more costly on search retrieval than other mechanisms and it is wasteful to use them unless their key salient function is needed and can't be provided otherwise.

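As an added illustration (not part of the original answer), here are the three mechanisms from the answer side by side as Splunk .conf stanzas: an event type, the equivalent parameterized macro, and a lookup-based classification of Windows events by log name and event id. The stanza names, field names and CSV rows are assumptions constructed for this example.

```ini
# eventtypes.conf (assumed stanza): only base-query terms are allowed here.
# The event typer checks every returned event against this search and, on a
# match, adds "failed_login" to the event's multivalue eventtype field. That
# check runs for every event type in scope, whether or not the search uses it.
[failed_login]
search = sourcetype=WinEventLog:Security EventCode=4625

# macros.conf (assumed): the same terms, but expanded inline into the search
# string at parse time, so there is no per-event cost, and parameterized so
# one macro replaces several event types.
[win_event(2)]
args = logname, code
definition = sourcetype=WinEventLog:$logname$ EventCode=$code$
# Usage in a search:  `win_event(Security, 4625)` earliest=-1d
# expands to:         sourcetype=WinEventLog:Security EventCode=4625 earliest=-1d

# Lookup-based classification (assumed CSV lookups/win_event_category.csv):
#   LogName,EventCode,category
#   Security,4625,failed_login
#   Security,4624,successful_login
#   System,7045,service_installed
#
# transforms.conf: register the CSV as a lookup.
[win_event_category]
filename = win_event_category.csv

# props.conf: an automatic lookup adds the category field at search time by
# matching the (LogName, EventCode) pair, instead of evaluating one event type
# per category. A matching stanza is needed per sourcetype (e.g. WinEventLog:System).
[WinEventLog:Security]
LOOKUP-win_category = win_event_category LogName AS LogName, EventCode AS EventCode OUTPUT category
```

With the lookup in place, a search such as `sourcetype=WinEventLog:* category=failed_login` classifies events without any event-typer work, and adding a new category is a CSV row rather than a new stanza.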


Splunk Employee

No, it does expand the eventtype out and run it as if the components were in the search string. So in that case, it does work like a macro. However, it also does all these other things that may not be necessary or desired.

Path Finder

I do not get how macros, event types and tags differ. All tags and event types can be macros. Also, why is it useful to tag an event type, because the same thing can be done by TAG?

When we specify a multi-value TAG, they get separated by a comma. While running a search, does the comma get evaluated as an OR? If yes, then how is it different from an eventtype which has the string field=value OR field=value?


Splunk Employee

When you do a search, say eventtype="Failed Login" startdaysago=1, how does the search actually work? Does it retrieve all events in the past day, and then filter out the ones that are not of the "Failed Login" eventtype, or is there some other magic?
