Which is more efficient - filldown or streamstats

simpkins1958
Contributor
12-10-2015
12:08 PM
... | sort _time | filldown l_lat l_lon by UID | table _time UID w_tbys w_tbyr l_lat l_lon
or
... | sort _time | streamstats last(l_lat) as lastLat last(l_lon) as lastLon by UID | table _time UID w_tbys w_tbyr l_lat lastLat l_lon lastLon
RR5027153
New Member
02-23-2019
01:49 AM
filldown does not support a "by" argument, so if you need "by" arguments, filldown is not the right option for you. Check here: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Filldown

MuS
Legend
12-10-2015
12:14 PM
Run both searches on your system, searching your events over the same time range, and check the job inspector for each search; you will get the answer as to which one will perform best for you in your environment.

woodcock
Esteemed Legend
12-10-2015
12:25 PM
What @MuS said (he beat me to it).
