Splunk Search

Is there any difference between top and stats in tstats?

apple143
Engager

I could see the same result in
index=* ~~~ | top abc
index=* ~~~ | stats count by abc | sort -count
(ignore percent column and so on)

but I got totally different results between
| tstats prestats=true ~~~ | top abc
| tstats prestats=true ~~~ | stats count by abc | sort -count

is there any critical difference between in this case?

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @apple143,

Did the answer below help you out? If so, go ahead and approve it! If not, give us more information, so the community can continue trying to help ya.

Thanks for posting!

0 Karma

inventsekar
Ultra Champion

index= ~~~ | top abc
index= ~~~ | stats count by abc | sort -count
top and stats count are same..

per my understandings, after tstats, we can only use stats.. not top.

about tstats command, please check this post - https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html
tstats is faster than stats since tstats only looks at the indexed metadata (the .tsidx files in the buckets on the indexers) whereas stats is working off the data (in this case the raw events) before that command.

Since tstats can only look at the indexed metadata it can only search fields that are in the metadata. By default, this only includes index-time fields such as sourcetype, host, source, _time, etc.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...