Is there any difference between top and stats in t...

apple143 · ‎09-03-2018

I could see the same result in
index=* ~~~ | top abc
index=* ~~~ | stats count by abc | sort -count
(ignore percent column and so on)

is there any critical difference between in this case?

mstjohn_splunk · ‎09-04-2018

hi @apple143,

Did the answer below help you out? If so, go ahead and approve it! If not, give us more information, so the community can continue trying to help ya.

Thanks for posting!

inventsekar · ‎09-03-2018

index= ~~~ | top abc
index= ~~~ | stats count by abc | sort -count
top and stats count are same..

per my understandings, after tstats, we can only use stats.. not top.

about tstats command, please check this post - https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html
tstats is faster than stats since tstats only looks at the indexed metadata (the .tsidx files in the buckets on the indexers) whereas stats is working off the data (in this case the raw events) before that command.

Since tstats can only look at the indexed metadata it can only search fields that are in the metadata. By default, this only includes index-time fields such as sourcetype, host, source, _time, etc.

Is there any difference between top and stats in tstats?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability