Knowledge Management

performance considerations macros vs. eventtypes vs. data-models

christian_l
Path Finder

Hi all,

are there any experiences out there regarding performance-comparison of macros, eventtypes and data-models?

We're currently planning a rebuild of a huge Splunk app which should get more flexible to be run within other landscapes. Therefore we'd like to build some kind of sublayer between the individual Splunk landscapes and the upper Splunk App-Part.
In Enterprise Security App this has been done using eventtypes.

I'm currently unsure if eventtypes are the best solution.
From my understanding eventtypes are some kind of "subsearches" - based on the behaviour of Splunk, this means a second search-thread is being initialized for each search eventtype-definition. Is this assumption correct?
How do macros behave in this situation? Only replacing parts of the search string, and no additional search-thread?
At least how do data-models fit in these thoughts?

How is the experience in performance and maintaining a huge set of macros, eventtypes or data-models?
Would love to hear some real-life experience.
Thank you all

Regards,
Christian

gfuente
Motivator

Hello

From a performance point of view:

  1. Macros: they don't produce any performance improvements; they are just for code reuse and to keep things simple and easy.
  2. Event-Types: they are not subsearches, and have some kind of impact on performance, but it's not a big deal
  3. DataModels: If you use data model acceleration you will get a big performance improvement. So this will be your choice

Regards
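
The three options discussed in this thread, written out for one and the same search as an added example (not part of either post and not taken from any Splunk app). The stanza names, index and sourcetype are constructed, and the data-model part assumes the CIM Authentication data model is installed.

```ini
# --- macros.conf (constructed names; index/sourcetype are assumptions) ---
[failed_logins]
definition = index=os_linux sourcetype=linux_secure "Failed password"
# Used in a search as:   `failed_logins` | stats count by src
# The macro text is substituted into the search string before the search runs.

# --- eventtypes.conf (same constructed search, saved as an event type) ---
[failed_login]
search = index=os_linux sourcetype=linux_secure "Failed password"
# Used in a search as:   eventtype=failed_login | stats count by src

# --- datamodels.conf (enable acceleration for the CIM Authentication model) ---
[Authentication]
acceleration = true
acceleration.earliest_time = -7d
# Queried against the acceleration summaries with tstats:
#   | tstats summariesonly=true count from datamodel=Authentication
#       where Authentication.action="failure" by Authentication.src
```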
