It would make sense that stats on the IDX will do something similar to "sort" on the IDX, where it will presort its own results before sending to the SH.

I would therefore expect stats on the IDX to perhaps run pre-stats of its own data before returning the split by fields to the SH and therefore "fields" would NEVER be necessary before stats.

... but ... would be nice to get a definitive answer

Hi @bowesmana,

I agree with you, only someone from Splunk can answer to your question.

Ciao.

Giuseppe

@gcusello 

Did some tests and looking at Job inspector phase0 for litsearch, it tells what is going one

so with the basic search

index=x
| table rulename
| stats count by rulename

Job inspector reports

litsearch index=x | ifields + rulename | addinfo type=count label=prereport_events track_fieldmeta_events=true | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" "rulename" | prestats count by rulename

replacing table with fields gives

litsearch index=x | fields + rulename | addinfo type=count label=prereport_events track_fieldmeta_events=true | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" "rulename" | prestats count by rulename

and with neither, you get

litsearch index=x | addinfo type=count label=prereport_events track_fieldmeta_events=true | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" "rulename" | prestats count by rulename

so, very minor differences, but all doing prestats and returning only the restricted field list.

hi @bowesmana,

what'd the different job time in the different searches?

As I said the main difference I found is between fields and neither when there are many events and many fields, otherwise I found little differences and I usually don't use it.

Ciao.

Giuseppe

job time variation was insignificant - but I'm not testing it on a large data set or with index clustering - I'll do that at some point