I have been using the tstats command for a while; now we want tstats to limit the number of records, since we are using it on Kubernetes and there are way too many events. I have looked around and don't see a limit option. As a workaround I use `| head 100` to limit the output, but that won't stop the main search query from being processed.
If you want to filter by column, try something like this:
| tstats allow_old_summaries=t summariesonly=t
count min(_time) as first_time max(_time) as last_time
from datamodel=Network_Traffic
where All_Traffic.action="allowed"
by All_Traffic.dvc All_Traffic.rule All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.action All_Traffic.transport
| rename All_Traffic.* as *
| sort 0 - last_time
| convert ctime(first_time) ctime(last_time)
| fields dvc rule src_ip dest dest_port transport count first_time last_time action
Maybe it is correct from the theoretical side, but it was checked in a practical way:
For comparison, the query with prestats for the same data and time frame takes 0.874 seconds:
| tstats prestats=t count(your field) where index=index by field
| head 50
| stats count(your field) by field
This search has completed and has returned 5 results by scanning 6,460 events in 0.874 seconds
While without prestats -> 6.305 seconds:
| tstats count(your field) where index=index by field
| head 50
This search has completed and has returned 5 results by scanning 76,972 events in 6.305 seconds
Interesting! Thanks for sharing!
This is possible with the argument prestats=t followed by, for example, the stats command:
| tstats prestats=t count(your field) where index=index by field
| head 50
| stats count(your field) by field
That will limit the number of results, but as the OP says, it has no effect on the number of events read from disk.
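Putting the two points of this thread together, as an added example that is not from any of the posters above: the only thing that reduces the events read from disk is a narrower where clause on tstats (index, sourcetype, a time bound, or a field filter), while prestats=t followed by head and a finishing stats is what caps the number of rows returned. The index name, sourcetype, host field and 15-minute window are placeholders, not values from the thread.

```spl
| tstats prestats=t count
    where index=<your_kubernetes_index> sourcetype=<your_sourcetype> earliest=-15m@m
    by host
| head 50
| stats count by host
```

To confirm which part is doing the work, compare the "by scanning N events" figure in the search completion message (as in the two runs quoted above) before and after tightening the where clause: head alone changes the "returned" count but not the "scanning" count, whereas a tighter index, sourcetype or time filter lowers the "scanning" count.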