In general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search.
B.
As a streaming command, streamstats performs better than stats since stats is just a reporting command.
C.
When trying to reduce a search result to unique elements, the dedup command is the only way to achieve this.
D.
Formatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers.
The correct statement is the first one: in general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search. Distributable streaming commands operate on each event individually, so the indexers (search peers) can run them in parallel before any results are sent to the search head; placing them first lets the peers discard unneeded events and fields early, which cuts both the data transferred and the work left for the search head. Examples of distributable streaming commands are eval, fields, rename, and where. The other options are wrong: streamstats is a centralized streaming command that runs on the search head, so it is not faster than stats merely because it is "streaming"; dedup is not the only way to reduce results to unique values (stats and uniq also do this); and formatting commands such as fieldformat only change how values are displayed, so they belong at the end of a search, not the beginning. References:
[Splunk Certification Exam Study Guide], page 25
[Splunk Documentation: About optimizing search performance]
[Splunk Documentation: About streaming and transforming commands]
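As an added illustration (not part of the original question or explanation), the same search is written twice in SPL below: first with the commands in a poor order, then reordered according to the principle above. The index, sourcetype and field names (index=web, sourcetype=access_combined, clientip, bytes, status) are assumed for the example only.

```spl
index=web sourcetype=access_combined
| fieldformat bytes=tostring(bytes, "commas")
| stats sum(bytes) AS total_bytes BY clientip status
| where status>=500 AND total_bytes>1000000

index=web sourcetype=access_combined status>=500
| fields clientip bytes
| stats sum(bytes) AS total_bytes BY clientip
| where total_bytes>1000000
| fieldformat total_bytes=tostring(total_bytes, "commas")
```

In the first search every event matching the sourcetype is pulled back and the status filter is applied only after stats has aggregated all of them, and the fieldformat on bytes is wasted because stats consumes that field and it never reaches the display. In the second search the status filter sits in the base search so each peer drops non-matching events before anything is transferred, fields limits what is sent to the two fields actually needed, stats lets the peers pre-aggregate their own events before the search head merges the partial results, and fieldformat runs last on the final, much smaller result set.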