
What is the difference between a search macro and calculated fields?

56838396
New Member

What is the difference between the two when we save the search query in both and reuse it?


elliotproebstel
Champion

A calculated field allows you to script the evaluation of a single field, based on contents of existing fields. The result of a calculated field will be stored in the single field you named for that particular calculation. Good info about calculated fields:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/definecalcfields

A macro allows you to store a chunk of SPL (Search Processing Language) to reuse in future searches. It does not need to be a calculation (although it could be), and it does not necessarily store a result into a single particular field. For example, you might make a macro that defines all indexes that contain web logs, `index=web1 OR index=bluecoat OR index=otherwebsource`, and name it `web_logs`, and then you could search all of your web logs for visits to google.com by typing:

`web_logs` google.com

This would save you from having to always remember (and type) the names of all the indexes storing logs related to web traffic.

Macros can also take arguments, so you can use them to store evaluations that will need different argument values in different circumstances. Good info about macros:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usesearchmacros

493669
Super Champion

A calculated field is nothing but a field that represents the output of an eval expression.
So you can provide host/source/sourcetype; while creating calculated fields you can see these 3 options,
so whenever you search for a particular host/source/sourcetype it will automatically get calculated.

A macro is a reusable assembly of Splunk (or business) logic. Basically it is also a calculation to which we can provide arguments to run,
so it can be dynamically reused by simply changing a parameter.
It is used when we require a complex calculation to be performed many times by simply changing arguments.
When you put a search macro in a search string, place a backtick character ( ` ) before and after the macro name.
Reference: http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usesearchmacros
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/definecalcfields

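Both answers above describe the same two knowledge objects in words; the configuration below is an added example (not from either poster and not from the Splunk docs they link) showing what each looks like on disk. The `web_logs` macro reuses the index list from the first answer; the `slow_requests` macro, the `access_combined` sourcetype, the `status_class` field name and the `response_time_ms` field are assumptions chosen to illustrate the difference, and the file locations under an app's `local/` directory are assumed too.

```ini
# --- macros.conf (assumed path: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf)

# Macro with no arguments: a stored chunk of SPL, nothing more.
# Invoked in a search as  `web_logs`  and replaced textually before the search runs.
[web_logs]
definition = index=web1 OR index=bluecoat OR index=otherwebsource
iseval = 0

# Macro with one argument: the "(1)" in the stanza name is the argument count.
# Invoked as  `slow_requests(2000)` ; every $threshold_ms$ in the definition is
# replaced by the value supplied at search time, so one macro serves many thresholds.
# It nests the first macro, which is allowed.
[slow_requests(1)]
args = threshold_ms
definition = `web_logs` | where response_time_ms > $threshold_ms$
iseval = 0

# --- props.conf (assumed path: $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf)

# Calculated field: scoped to one sourcetype (host:: or source:: stanzas work too).
# It is evaluated at search time for every matching event and its result lands in
# exactly one field, status_class, which the search can then filter or group on.
[access_combined]
EVAL-status_class = case(status >= 500, "server_error", status >= 400, "client_error", status >= 300, "redirect", 1=1, "ok")
```

With both in place, a search such as `` `slow_requests(2000)` status_class=server_error | stats count by host `` shows the split of responsibilities: the macro expands to the index filter plus the `where` clause (text substitution, no field created), while `status_class` exists on each `access_combined` event whether or not the macro is used, because the calculated field is bound to the sourcetype rather than to any particular search.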