Why would you ever *not* use a macro? (as opposed to a Tag, EventType, or Calculated Field)

This question has two parts:
- Macros vs. Tags
- Macros vs. Event Types
- Macros vs. Calculated Fields

To me, it seems that a Macro is almost always a better, more transparent option, so I'm wondering what the motivation is for ever using the other option? (e.g. performance, optimisation)

Here's my reasoning:
1. Macros are always more transparent. You can quickly and easily expand them inline to view the entire source string, whereas the other three options require you to click through several screens to find their original definitions.
2. Macros are always more flexible.
- Calculated Fields can't access any 'locally' defined information, such as lookups or the results of previous evals in the search pipeline, but Macros can use arguments to get around this restriction.
- Event Types and Tags are restricted to being either a set of search filters or a single field-value pair, which could be recreated with a simple macro.
3. Centralising "knowledge objects" into a single directory seems much less cluttered. I have a gut reaction to the idea of my searches being influenced by a confusing group of knowledge objects spread across many different pages (tags, event types, macros, calculated fields), such that a) you could easily end up with duplicate logic (i.e. a macro and a calc. field that do the same thing), or b) not be able to find in which of these areas you decided to implement some logic (which would probably result in (a) occurring).
4. Macros, being more text-based than UI-based objects, appeal to my programmer sensibility.

Ways I might be wrong:
1. It seems that the purpose of Tags and EventTypes is making the non-expert user's experience better by giving more user-friendly search terms... but I don't see why this couldn't be accomplished similarly by a Macro that creates an entirely new 'tags' field. I can see that it would be difficult to manage the multiplicity of tags (that one key-value pair can have many tags), so if that is "the reason" why tags and event types are useful, so be it, but it would still be nice to know if there are any other advantages I haven't spotted.

In asking my final question, I want to distinguish between Tags/EventTypes as one 'thing', and Calculated Fields as another.
I can 'sort of' see why Tags/EventTypes are useful outside of Macros... but I still feel like things would be cleaner without them, so I'm looking for justification of why I should value them, and what they can do that macros can't.

With calculated fields, I simply don't see the value at all. It seems like a huge headache having both systems, one of which seems to be a strict subset of the other in terms of capability. I must be missing something, so if anyone can point me towards the advantage here (perhaps performance?), that would be great!

Thanks 🙂

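For readers comparing the four knowledge objects the question discusses, here is one piece of detection logic (flagging failed Linux logins) written as each of them, in the .conf stanza form Splunk stores them in. This is an added example, not part of the post; the sourcetype name, search strings and field names are constructed for illustration, and the comments note how each object is triggered at search time, which is where their behaviour differs.

```ini
# macros.conf: a macro is inert until a search invokes it explicitly,
# e.g.  `failed_logins(linux_secure)`  ; the argument is substituted
# textually, which is why it can reference anything in the pipeline.
[failed_logins(1)]
args = st
definition = sourcetype=$st$ ("Failed password" OR "authentication failure")

# props.conf: a calculated field is evaluated automatically for every
# event of the sourcetype at search time; nobody has to call it, and
# any dashboard or alert can filter on `auth_result=failure` directly.
# (Constructed sourcetype and field names.)
[linux_secure]
EVAL-auth_result = if(match(_raw, "Failed password|authentication failure"), "failure", "success")

# eventtypes.conf: an event type is a saved search filter that Splunk
# matches against every event at search time, populating the
# `eventtype` field so the name can be used as a search term.
[linux_auth_failure]
search = sourcetype=linux_secure ("Failed password" OR "authentication failure")

# tags.conf: tags attach labels to the event type (or to any
# field=value pair); a search for `tag=authentication tag=failure`
# then returns these events alongside any other sourcetype that
# carries the same tags, without the searcher naming either.
[eventtype=linux_auth_failure]
authentication = enabled
failure = enabled
```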