Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there any performance impact when you use "search" vs using "where"?

ShawnClark
Explorer
‎09-01-2015 02:08 PM

Hi,

I am wondering if there is any guidelines as to using the "search" or "where" commands within a search query when trying to filter data. It seems that both can be used sort of interchangeably. I am curious if there is any performance impact of using one over the other.

Thanks

Tags (1)
Reply

steveyz
Splunk Employee
Splunk Employee
‎09-01-2015 05:21 PM

search is going to be slightly more efficient than where, but not enough that you would notice for any realistic search scenario. Both commands can comparing the value of a field to some static value, but that is where the commonality ends. 'where' can be used to compare 2 fields against each other, to compared complex functions of a field to other fields or static values. E.g. you can't do something like to compare fields x and y.

| search x>y

That search would actually search for cases where field x is greater (lexicographically) than the literal value "y"

Note that this is also why the syntax for search and where are slightly different. Because search is designed to compare a field against a static value, it assumes the right hand side of any expression is a literal value. For where, the RHS can be a literal or a field, so literals need to be disambiguated by using double quotes.

Reply

MuS
Legend
‎09-01-2015 02:26 PM

Hi ShawnClark,

there are tons of answers to this question, but here is the best one:

https://answers.splunk.com/answers/128739/difference-between-where-and-search-commands.html

Kudos go to @martin_mueller 😛

cheers, MuS

0 Karma
Reply

ShawnClark
Explorer
‎09-01-2015 02:37 PM

Reading that thread doesn't instill much confidence in the performance difference between using one over the other. The last comment "I doubt there's a significant difference in performance..." is more a gut feeling instead of actually numbers around it. I was hoping to find someone that has done some evaluations of both or a Splunk engineer giving insight on why there is both ways of doing the same thing. If there isn't anything out there then I will have to try some evaluations myself. 😞

0 Karma
Reply

MuS
Legend
‎09-01-2015 03:30 PM

Okay, I changed the question since you are interested in the performance impact and not the basic difference between when to use search or where.
Nevertheless I did some basic searches on my VM and here are the results;

Each search was run three times and results are in seconds:

index=_internal earliest=0 | where sourcetype="splunkd" | stats count by sourcetype
  • 38.717
  • 34.757

  • 33.494

    index=_internal earliest=0 | search sourcetype="splunkd" | stats count by sourcetype

  • 34.569

  • 36.454

  • 33.638

Hope this helps ...

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎09-01-2015 04:59 PM

For more speed you'll want this:

 index=_internal earliest=0 sourcetype="splunkd" | stats count by sourcetype
Reply

bmacias84
Champion
‎09-01-2015 03:12 PM

In my experience the where clause is good for well defined fields/extractions. While the search command allows you to find text which my be in multiple fields or in the _raw data. Depending on the use case one will perform better than the other.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...