topic Re: Fields vs table vs nothing? in Splunk Search

Fields vs table vs nothing?

aberkow — Fri, 20 Mar 2020 20:16:27 GMT

Thought there was an answer on this already but can't find it, but for something like this, which is the most performant and why?

index=potato | evals | fields | stats

index=potato | evals | stats

index=potato | evals | table | stats

I would have that just the stats would've been the fastest, but potentially if fields can be done on the indexer that would be faster?

Thanks!

Re: Fields vs table vs nothing?

richgalloway — Fri, 20 Mar 2020 21:03:29 GMT

The chief distinction between table and fields is that table returns results to the search head whereas 'fields' does not.
Early use of 'fields' can improve performance in events with many fields by reducing the number of fields the query has to process.

Re: Fields vs table vs nothing?

woodcock — Sat, 21 Mar 2020 20:46:24 GMT

You should never use table in the middle of any search; always use fields if anything and save table for the very end (or debugging, because it forces your search to switch to the stats tab). If you are immediately pumping the data into stats then there is no reason to do fields because it is an extra pass through all events to add no value (because stats is going to drop all of those fields as part of its work anyway).

Re: Fields vs table vs nothing?

yshen — Thu, 07 Apr 2022 18:25:41 GMT

I also note that with Splunk SDK (Python), at the end of the embedded query, using 'fields' to select the returned fields, it does not work as I desired with all fields returned. But 'table' would result in only the listed fields returned.