I just found this to absolutely be the case, and was able to use this method to tune a bunch of my queries in one of my dashboards. My use-case is that I'm looking for a unique list of hosts reporting to a given index within a timeframe.

Here's a small example of the efficiency gain I'm seeing:

- Using `dedup host`: scanned 5.4 million events in 171.24 seconds
- Using `stats max(_time) by host`: scanned 5.4 million events in 22.672 seconds

I was so impressed by the improvement that I searched for a deeper rationale and found this post instead. I'm sure there's a sophisticated internal answer for this significantly improved execution path, but for now I'll just be happy that it works as well as it does.