I could see the same result in
index=* ~~~ | top abc
index=* ~~~ | stats count by abc | sort -count
(ignore percent column and so on)
but I got totally different results between
| tstats prestats=true ~~~ | top abc
| tstats prestats=true ~~~ | stats count by abc | sort -count
is there any critical difference between in this case?
hi @apple143,
Did the answer below help you out? If so, go ahead and approve it! If not, give us more information, so the community can continue trying to help ya.
Thanks for posting!
index= ~~~ | top abc
index= ~~~ | stats count by abc | sort -count
top and stats count are same..
per my understandings, after tstats, we can only use stats.. not top.
about tstats command, please check this post - https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html
tstats is faster than stats since tstats only looks at the indexed metadata (the .tsidx files in the buckets on the indexers) whereas stats is working off the data (in this case the raw events) before that command.
Since tstats can only look at the indexed metadata it can only search fields that are in the metadata. By default, this only includes index-time fields such as sourcetype, host, source, _time, etc.