Splunk Search

Is there any difference between top and stats in tstats?

apple143
Engager

I could see the same result in
index=* ~~~ | top abc
index=* ~~~ | stats count by abc | sort -count
(ignoring the percent column and so on),

but I got totally different results between
| tstats prestats=true ~~~ | top abc
| tstats prestats=true ~~~ | stats count by abc | sort -count

Is there any critical difference between them in this case?

0 Karma

mstjohn_splunk
Splunk Employee

Hi @apple143,

Did the answer below help you out? If so, go ahead and approve it! If not, give us more information, so the community can continue trying to help ya.

Thanks for posting!

0 Karma

inventsekar
Ultra Champion

index= ~~~ | top abc
index= ~~~ | stats count by abc | sort -count
top and stats count are the same.

Per my understanding, after tstats, we can only use stats, not top.

about tstats command, please check this post - https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html
tstats is faster than stats since tstats only looks at the indexed metadata (the .tsidx files in the buckets on the indexers) whereas stats is working off the data (in this case the raw events) before that command.

Since tstats can only look at the indexed metadata it can only search fields that are in the metadata. By default, this only includes index-time fields such as sourcetype, host, source, _time, etc.

0 Karma
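Added example (not from the original posts): two ways to get a top-style ranking out of tstats without relying on prestats output. It assumes an index named main and the indexed field sourcetype; both names are placeholders for whatever index and indexed field you actually search.

```spl
| tstats count where index=main by sourcetype
| sort -count
| eventstats sum(count) as total
| eval percent=round(100 * count / total, 2)
| fields - total
```

The prestats=true form only makes sense when the very next command is stats, chart or timechart with the same split-by field (for example | tstats prestats=true count where index=main by sourcetype | stats count by sourcetype | sort -count); feeding its intermediate rows into top ranks those partial rows rather than the underlying events.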