Knowledge Management

what is the difference between search macro and calculated fields

New Member

What is difference between the two when we save the search query in both and reuse it.

Tags (2)
0 Karma


A calculated field allows you to script the evaluation of a single field, based on contents of existing fields. The result of a calculated field will be stored in the single field you named for that particular calculation. Good info about calculated fields:

A macro allows you to store a chunk of SPL (Search Processing Language) to reuse in future searches. It does not need to be a calculation (although it could be), and it does not necessarily store a result into a single particular field. For example, you might make a macro that defines all indexes that contain web logs index=web1 OR index=bluecoat OR index=otherwebsource and name it web_logs and then you could search all of your web logs for visits to by typing:


This would save you from having to always remember (and type) the names of all the indexes storing logs related to web traffic.

Macros can also take arguments, so you can use them to store evaluations that will need different argument values in different circumstances. Good info about macros:

Super Champion

calculated field is nothing but A field that represents the output of an eval expression.
so you can provide host/source/sourcetype while creating calculated fields you can see these 3 options
so whenever you search for particular host/source/sourcetype it will automatically gets calculated.

Macro is reusable assembly of Splunk (or business) logic basically it is also a calculation with we can provide arguments to run
so it can be dynamically reused by changing simply parameter.
It is used when we require a complex calculation to be perform many times by simply changing arguments
When you put a search macro in a search string, place a back tick character ( ` ) before and after the macro name

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...