Re: Fields vs table vs nothing?

aberkow · ‎03-20-2020

Thought there was an answer on this already but can't find it, but for something like this, which is the most performant and why?

index=potato | evals | fields | stats

index=potato | evals | stats

index=potato | evals | table | stats

I would have that just the stats would've been the fastest, but potentially if fields can be done on the indexer that would be faster?

Thanks!

woodcock · ‎03-21-2020

You should never use table in the middle of any search; always use fields if anything and save table for the very end (or debugging, because it forces your search to switch to the stats tab). If you are immediately pumping the data into stats then there is no reason to do fields because it is an extra pass through all events to add no value (because stats is going to drop all of those fields as part of its work anyway).

richgalloway · ‎03-20-2020

The chief distinction between table and fields is that table returns results to the search head whereas 'fields' does not.
Early use of 'fields' can improve performance in events with many fields by reducing the number of fields the query has to process.

---
If this reply helps you, Karma would be appreciated.

yshen · ‎04-07-2022

I also note that with Splunk SDK (Python), at the end of the embedded query, using 'fields' to select the returned fields, it does not work as I desired with all fields returned. But 'table' would result in only the listed fields returned.

Fields vs table vs nothing?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases