Splunk Search

More efficient way to search besides macros?

SMM10
Explorer

Right now I have a lot of macros to help with reports, dashboards and knowledge items in general. We do not really use tags/eventtypes. Right now though each business has multiple macros that need to be managed based on how our items our logged (this is the root cause but this wont change easily). I am wondering from a performance standpoint is there a way I could more easily get the events I need through a tag/event type or other way?

 

For example I need to get a list of all functions that get called. So with that we need to have an over all macro, something to exclude some carryovers/one time jobs and other items we dont care about. We are implementing more and its becoming a huge mess so far. I was thinking use the macros to create a weekly lookup that then can be used in dashboards/reports to try and make things more efficient as well. Just looking for ideas as to what might be a better/cleaner way to do things.

 

Edit: I get macros are not a performance issue and will just run whatever SPL is in there. I was more wondering is this generally the most efficient way or could I benefit from using something different here.

Labels (1)
Tags (1)
0 Karma

PickleRick
Ultra Champion

What do you mean by 'efficient' here? Macros of course do simplify writing searches. That's what they're for 🙂

Tags can help you select events more easily indeed. Not "more efficiently" in terms of search performance, just more easily in terms of specifying search conditions. But even if you select various types of events using tags, you have to normalize the results. So it might be worth considering making a datamodel and map fields to datamodel. It has the additional advantage that it lets you build pivots withou the need to write spl searches.

0 Karma

PickleRick
Ultra Champion

Macros have nothing to do with performance. Macro is just a placeholder which gets expanded with a simple text substitution before search execution.

0 Karma