topic Re: What is the difference between the metasearch and tstats commands? in Splunk Search

What is the difference between the metasearch and tstats commands?

muebel — Thu, 25 Aug 2016 21:07:29 GMT

I've been using tstats for most of the use cases that metasearch covers, and so I'm interested in what metasearch can do that tstats can't. From my reading of the documentation, it seems that metasearch is a subset of the capability of tstats (i.e. tstats can search over accelerated datamodels).

Am I missing anything?

Re: What is the difference between the metasearch and tstats commands?

somesoni2 — Thu, 25 Aug 2016 21:11:59 GMT

No.. that's pretty much it. metasearch was older way to query tsidx data (metadata fields). The tstats command is advanced/improved form of metasearch.

Re: What is the difference between the metasearch and tstats commands?

martin_mueller — Thu, 25 Aug 2016 22:34:45 GMT

Adding to that, metasearch is often around two orders of magnitude slower than tstats.

This takes 0.23 seconds on my PC: | tstats count where index=_internal by source
This takes 29.4 seconds: | metasearch index=_internal | stats count by source

One thing metasearch can do that tstats can't: Discovery of indexed fields:

| metasearch index=_internal | fieldsummary

tstats forces you to stats your data, while not allowing something like values(*) to peek into unknown data.

Re: What is the difference between the metasearch and tstats commands?

cpride_splunk — Thu, 25 Aug 2016 23:50:04 GMT

The two are operators on a different level.
tstats -- all about stats. It does this based on fields encoded in the tsidx files. You can use this to result in rudimentary searches by just reducing the question you are asking to stats. It is however a reporting level command and is designed to result in statistics.

metasearch -- this actually uses the base search operator in a special mode where we do not read from the journal.gz. So this is an event based command. We actually treat things as events. Due to the fact that we are not reading form the journal.gz this can only use information that exists in the tsidx files.

Thus they are both tsidx based, however one is based on events and the other is based on statistics as a base object type.

Re: What is the difference between the metasearch and tstats commands?

muebel — Mon, 29 Aug 2016 13:46:17 GMT

thanks Martin! That fieldsummary bit is a good point.