Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any performance impact when you use "search" vs using "where"?

ShawnClark
Explorer
‎09-01-2015 02:08 PM

Hi,

I am wondering if there is any guidelines as to using the "search" or "where" commands within a search query when trying to filter data. It seems that both can be used sort of interchangeably. I am curious if there is any performance impact of using one over the other.

Thanks

Tags (1)
Reply

steveyz
Splunk Employee
Splunk Employee
‎09-01-2015 05:21 PM

search is going to be slightly more efficient than where, but not enough that you would notice for any realistic search scenario. Both commands can comparing the value of a field to some static value, but that is where the commonality ends. 'where' can be used to compare 2 fields against each other, to compared complex functions of a field to other fields or static values. E.g. you can't do something like to compare fields x and y.

| search x>y

That search would actually search for cases where field x is greater (lexicographically) than the literal value "y"

Note that this is also why the syntax for search and where are slightly different. Because search is designed to compare a field against a static value, it assumes the right hand side of any expression is a literal value. For where, the RHS can be a literal or a field, so literals need to be disambiguated by using double quotes.

Reply

MuS
Legend
‎09-01-2015 02:26 PM

Hi ShawnClark,

there are tons of answers to this question, but here is the best one:

https://answers.splunk.com/answers/128739/difference-between-where-and-search-commands.html

Kudos go to @martin_mueller 😛

cheers, MuS

0 Karma
Reply

ShawnClark
Explorer
‎09-01-2015 02:37 PM

Reading that thread doesn't instill much confidence in the performance difference between using one over the other. The last comment "I doubt there's a significant difference in performance..." is more a gut feeling instead of actually numbers around it. I was hoping to find someone that has done some evaluations of both or a Splunk engineer giving insight on why there is both ways of doing the same thing. If there isn't anything out there then I will have to try some evaluations myself. 😞

0 Karma
Reply

MuS
Legend
‎09-01-2015 03:30 PM

Okay, I changed the question since you are interested in the performance impact and not the basic difference between when to use search or where.
Nevertheless I did some basic searches on my VM and here are the results;

Each search was run three times and results are in seconds:

index=_internal earliest=0 | where sourcetype="splunkd" | stats count by sourcetype
  • 38.717
  • 34.757

  • 33.494

    index=_internal earliest=0 | search sourcetype="splunkd" | stats count by sourcetype

  • 34.569

  • 36.454

  • 33.638

Hope this helps ...

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎09-01-2015 04:59 PM

For more speed you'll want this:

 index=_internal earliest=0 sourcetype="splunkd" | stats count by sourcetype
Reply

bmacias84
Champion
‎09-01-2015 03:12 PM

In my experience the where clause is good for well defined fields/extractions. While the search command allows you to find text which my be in multiple fields or in the _raw data. Depending on the use case one will perform better than the other.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...