Reporting

Are Macro Results Cached Like SavedSearch Results?

bill_chatfield
Explorer

I can invoke a saved search like this:

| savedsearch sla_for_user fred

The doc says the results will be cached. But what about macros? Are their results cached?

`sla_for_user(fred)`

What is the difference between a saved search and a macro?

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

When you invoke a macro, Splunk interprets the macro and places the resulting expansion into the search. So using a macro is similar to using a tag or an eventtype. It is a tool in constructing a search. The macro can be used as part of a search, or - as in your example - it can provide the complete search string. Once the search string is constructed, Splunk runs the search.

There are no "macro results"; there are only the results of the search that is run. When a search is run, the results of that execution are automatically saved for a specific time period, usually 10 minutes.

A saved search can be scheduled to run automatically. When a scheduled saved search is run, the results of the execution are saved until the next scheduled execution. (This is the default; it can be changed, but not in the GUI.)

When people (or the manuals) talk about "cached results", they are often talking about the results of a scheduled saved search. But they could mean the results of running any search.

View solution in original post

0 Karma

lguinn2
Legend

When you invoke a macro, Splunk interprets the macro and places the resulting expansion into the search. So using a macro is similar to using a tag or an eventtype. It is a tool in constructing a search. The macro can be used as part of a search, or - as in your example - it can provide the complete search string. Once the search string is constructed, Splunk runs the search.

There are no "macro results"; there are only the results of the search that is run. When a search is run, the results of that execution are automatically saved for a specific time period, usually 10 minutes.

A saved search can be scheduled to run automatically. When a scheduled saved search is run, the results of the execution are saved until the next scheduled execution. (This is the default; it can be changed, but not in the GUI.)

When people (or the manuals) talk about "cached results", they are often talking about the results of a scheduled saved search. But they could mean the results of running any search.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...