Thought there was an answer on this already but can't find it, but for something like this, which is the most performant and why?
I would have that just the stats would've been the fastest, but potentially if fields can be done on the indexer that would be faster?
You should never use
table in the middle of any search; always use
fields if anything and save
table for the very end (or debugging, because it forces your search to switch to the
stats tab). If you are immediately pumping the data into
stats then there is no reason to do
fields because it is an extra pass through all events to add no value (because
stats is going to drop all of those fields as part of its work anyway).
The chief distinction between
fields is that
table returns results to the search head whereas 'fields' does not.
Early use of 'fields' can improve performance in events with many fields by reducing the number of fields the query has to process.