A. In general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search.
B. As a streaming command, streamstats performs better than stats since stats is just a reporting command.
C. When trying to reduce a search result to unique elements, the dedup command is the only way to achieve this.
D. Formatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers.
A is correct. B is incorrect because stats is a streaming command. C is incorrect because the dc command exists. D is incorrect because you want to do formatting as late as possible in a search.
A is correct. D is incorrect because it is to appear as LATE as possible in the search. https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Fieldformat
"Because commands that come later in the search pipeline cannot modify the formatted results, use the fieldformat command as late in the search pipeline as possible."