Splunk Search

prestats vs stats

Splunk Employee

In $SPLUNK_HOME/var/run/splunk/dispatch/1312323432.11 I see:

03-19-2014 17:02:11.147 INFO  SearchParser - PARSING: litsearch index=_internal source="*license_usage.lo*" type=Usage  | bucket  _time span=10m   | eval  indexer_guid=i   | addinfo  type=count label=prereport_events  | fields  keepcolorder=t "_time" "b" "indexer_guid" "prestats_reserved_*" "psrsvd_*"  | prestats  sum(b) by _time indexer_guid

In the search.log file I see my stats command has been translated to prestats. Why is this?


SplunkTrust

I'm fairly certain that's related to running as much as possible on the indexers during the map phase, and hence sending as little as possible to the searchhead for the reduce phase. This should not affect your searching... other than through blazing speed of course.
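
A simplified model of the map and reduce split described in the answer above, added here as an illustration; it is not Splunk's code and does not reproduce the actual prestats output format. The peers, GUIDs and byte counts are constructed, and `avg` is included beyond the page's `sum(b)` to show why the indexers must return intermediate state rather than final values.

```python
from collections import defaultdict

SPAN = 600           # seconds; mirrors "bucket _time span=10m"
T0 = 1395248400      # constructed epoch, aligned to a 10-minute boundary

# Constructed events as (_time, indexer_guid, b), split across two search peers.
PEER1 = [(T0, "guid-A", 100), (T0 + 60, "guid-A", 250),
         (T0 + 90, "guid-B", 30), (T0 + 600, "guid-A", 40)]
PEER2 = [(T0 + 10, "guid-A", 10), (T0 + 599, "guid-B", 5),
         (T0 + 601, "guid-A", 7), (T0 + 700, "guid-A", 3)]

def map_phase(events):
    """On each peer: bucket _time, keep partial state [sum, count] per group."""
    state = defaultdict(lambda: [0, 0])
    for t, guid, b in events:
        s = state[(t - t % SPAN, guid)]
        s[0] += b
        s[1] += 1
    return {k: tuple(v) for k, v in state.items()}

def reduce_phase(partials):
    """On the search head: merge partial states, then finalize sum and avg."""
    merged = defaultdict(lambda: [0, 0])
    for partial in partials:
        for key, (s, n) in partial.items():
            merged[key][0] += s
            merged[key][1] += n
    return {k: {"sum": s, "avg": s / n} for k, (s, n) in merged.items()}

def run_distributed(peers):
    """Returns (final results, number of rows shipped to the search head)."""
    partials = [map_phase(events) for events in peers]
    return reduce_phase(partials), sum(len(p) for p in partials)

def run_centralized(peers):
    """Baseline: ship every raw event to the search head and aggregate there."""
    events = [e for peer in peers for e in peer]
    return reduce_phase([map_phase(events)]), len(events)

if __name__ == "__main__":
    print(run_distributed([PEER1, PEER2]))
    print(run_centralized([PEER1, PEER2]))
```

Both paths produce the same table; the distributed one ships one row per group per peer instead of one row per event, and the gap widens as the number of events per 10-minute bucket grows.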
