The reason you're seeing count and perf differences is that | from and | datamodel are running in "mixed mode" searching by default (and this is the only option in 7.1). There were plans to add a summariesonly option to | datamodel; however, it appears that hasn't been added (allow_old_summaries does look like it was added in 7.2). You're likely to see a count difference between tstats summariesonly=t and | (from|datamodel) searches due to this (since the latter will search the hot buckets for new events that have yet to be summarized). To get an apples-to-apples comparison on performance, try |from datamodel Web|search user=dmerritt| noop directive.read_summary=f against |from datamodel Web|search user=dmerritt. That noop command should disable Schema Accelerated Event Search.
As for only datamodel-defined fields appearing in these searches: this was the original design of the | datamodel command; however, somewhere along the way, this broke and all fields were being returned. In order for us to implement Schema Accelerated Event Search, we had to fix this bug, since only the fields defined within the data model are stored within the accelerated index, and leaving this bug hanging around broke the implementation.