Thought there was an answer on this already but can't find it, but for something like this, which is the most performant and why?
index=potato
| evals
| fields
| stats
index=potato
| evals
| stats
index=potato
| evals
| table
| stats
I would have that just the stats would've been the fastest, but potentially if fields can be done on the indexer that would be faster?
Thanks!
You should never use table
in the middle of any search; always use fields
if anything and save table
for the very end (or debugging, because it forces your search to switch to the stats
tab). If you are immediately pumping the data into stats
then there is no reason to do fields
because it is an extra pass through all events to add no value (because stats
is going to drop all of those fields as part of its work anyway).
The chief distinction between table
and fields
is that table
returns results to the search head whereas 'fields' does not.
Early use of 'fields' can improve performance in events with many fields by reducing the number of fields the query has to process.