Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Are Macro Results Cached Like SavedSearch Results?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can invoke a saved search like this:
| savedsearch sla_for_user fred
The doc says the results will be cached. But what about macros? Are their results cached?
`sla_for_user(fred)`
What is the difference between a saved search and a macro?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you invoke a macro, Splunk interprets the macro and places the resulting expansion into the search. So using a macro is similar to using a tag or an eventtype. It is a tool in constructing a search. The macro can be used as part of a search, or - as in your example - it can provide the complete search string. Once the search string is constructed, Splunk runs the search.
There are no "macro results"; there are only the results of the search that is run. When a search is run, the results of that execution are automatically saved for a specific time period, usually 10 minutes.
A saved search can be scheduled to run automatically. When a scheduled saved search is run, the results of the execution are saved until the next scheduled execution. (This is the default; it can be changed, but not in the GUI.)
When people (or the manuals) talk about "cached results", they are often talking about the results of a scheduled saved search. But they could mean the results of running any search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you invoke a macro, Splunk interprets the macro and places the resulting expansion into the search. So using a macro is similar to using a tag or an eventtype. It is a tool in constructing a search. The macro can be used as part of a search, or - as in your example - it can provide the complete search string. Once the search string is constructed, Splunk runs the search.
There are no "macro results"; there are only the results of the search that is run. When a search is run, the results of that execution are automatically saved for a specific time period, usually 10 minutes.
A saved search can be scheduled to run automatically. When a scheduled saved search is run, the results of the execution are saved until the next scheduled execution. (This is the default; it can be changed, but not in the GUI.)
When people (or the manuals) talk about "cached results", they are often talking about the results of a scheduled saved search. But they could mean the results of running any search.
Splunk Search APIを使えば調査過程が残せます
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
