Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Are Macro Results Cached Like SavedSearch Results?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can invoke a saved search like this:
| savedsearch sla_for_user fred
The doc says the results will be cached. But what about macros? Are their results cached?
`sla_for_user(fred)`
What is the difference between a saved search and a macro?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you invoke a macro, Splunk interprets the macro and places the resulting expansion into the search. So using a macro is similar to using a tag or an eventtype. It is a tool in constructing a search. The macro can be used as part of a search, or - as in your example - it can provide the complete search string. Once the search string is constructed, Splunk runs the search.
There are no "macro results"; there are only the results of the search that is run. When a search is run, the results of that execution are automatically saved for a specific time period, usually 10 minutes.
A saved search can be scheduled to run automatically. When a scheduled saved search is run, the results of the execution are saved until the next scheduled execution. (This is the default; it can be changed, but not in the GUI.)
When people (or the manuals) talk about "cached results", they are often talking about the results of a scheduled saved search. But they could mean the results of running any search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you invoke a macro, Splunk interprets the macro and places the resulting expansion into the search. So using a macro is similar to using a tag or an eventtype. It is a tool in constructing a search. The macro can be used as part of a search, or - as in your example - it can provide the complete search string. Once the search string is constructed, Splunk runs the search.
There are no "macro results"; there are only the results of the search that is run. When a search is run, the results of that execution are automatically saved for a specific time period, usually 10 minutes.
A saved search can be scheduled to run automatically. When a scheduled saved search is run, the results of the execution are saved until the next scheduled execution. (This is the default; it can be changed, but not in the GUI.)
When people (or the manuals) talk about "cached results", they are often talking about the results of a scheduled saved search. But they could mean the results of running any search.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
