topic Re: Help understanding the commands - Search vs Where after first pipe in Splunk Search

Help understanding the commands - Search vs Where after first pipe

Kukkadapu — Thu, 14 Apr 2016 17:42:52 GMT

Hi , Can you help me understanding "search" vs "where" command after first pipe. Is there any performance impact because of using either one?

Thanks

Re: Help understanding the commands - Search vs Where after first pipe

masonmorales — Thu, 14 Apr 2016 17:50:23 GMT

where is used strictly for comparison operations (e.g. fieldX!=fieldY, numeric_field>500, etc.), whereas search is used for actual search expressions (e.g. search foo OR bar NOT field=x "and some phrase" OR whatever keywords you want etc.).

I haven't tested the performance impact of the two but I assume if you are doing a comparison (because that's the only one you could do with both), the performance would be the same. You could try it both ways and use the job inspector to see what the completion time is for each way to determine which is faster for your use case.

Re: Help understanding the commands - Search vs Where after first pipe

jplumsdaine22 — Thu, 14 Apr 2016 17:52:41 GMT

https://answers.splunk.com/answers/389111/help-understanding-search-command-where.html

TLDR; Use search if you can, use where if you need to do something complicated.

Re: Help understanding the commands - Search vs Where after first pipe

Kukkadapu — Thu, 14 Apr 2016 18:37:37 GMT

Thanks for your time and links jplumsdaine22 :).

Re: Help understanding the commands - Search vs Where after first pipe

Kukkadapu — Thu, 14 Apr 2016 18:37:59 GMT

That makes sense. Thanks for your time 🙂

Re: Help understanding the commands - Search vs Where after first pipe

martin_mueller — Thu, 14 Apr 2016 22:11:59 GMT

Additionally, move as much filtering as you can into search before the first pipe.

(Exception: Report Acceleration / Postprocessing / etc. scenarios where you pre-compute a data cube style thingy and feed many things off it, here filtering late can make sense)