Solved: prestats vs stats

rroberts · ‎03-19-2014

In $SPLUNK_HOME/var/run/splunk/dispatch/1312323432.11 is see:

03-19-2014 17:02:11.147 INFO  SearchParser - PARSING: litsearch index=_internal source="*license_usage.lo*" type=Usage  | bucket  _time span=10m   | eval  indexer_guid=i   | addinfo  type=count label=prereport_events  | fields  keepcolorder=t "_time" "b" "indexer_guid" "prestats_reserved_*" "psrsvd_*"  | prestats  sum(b) by _time indexer_guid

In the search.log file I see my stats command has been translated to prestats. Why is this?

martin_mueller · ‎03-21-2014

I'm fairly certain that's related to running as much as possible on the indexers during the map phase, and hence sending as little as possible to the searchhead for the reduce phase. This should not affect your searching... other than through blazing speed of course.

View solution in original post

martin_mueller · ‎03-21-2014

I'm fairly certain that's related to running as much as possible on the indexers during the map phase, and hence sending as little as possible to the searchhead for the reduce phase. This should not affect your searching... other than through blazing speed of course.

rroberts · ‎03-21-2014

Thanks, found more details here:

http://www.splunk.com/web_assets/pdfs/secure/Splunk_and_MapReduce.pdf

prestats vs stats

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI