
What is tstats and why is it so much faster than stats?

tstats is faster than stats because tstats only reads the indexed metadata (the .tsidx files in the buckets on the indexers), whereas stats works on the data that the preceding commands produced (in this case the raw events).

Since tstats can only look at the indexed metadata, it can only search fields that are in that metadata. By default, this only includes index-time fields such as sourcetype, host, source, _time, etc.

You can do this:

    | tstats count by index sourcetype source

But you can't do this:

    | tstats count where status>200 by username

because status and username are not index-time fields (they are search-time fields).

tstats can run on index-time fields that come from the following methods:

- an accelerated data model
- a namespace created by the tscollect search command
- index-time fields defined manually via fields.conf, props.conf, and transforms.conf
- INDEXED_EXTRACTIONS in props.conf for structured data like CSV

Generally, I recommend using accelerated data models.

References: http://docs.splunk.com/Documentation/Splunk/lat...
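To make the "can't do this" search above work without a data model, the third method (manual index-time fields) needs entries in three .conf files. The example below is added here and is not from the original answer or from Splunk's documentation; the sourcetype name web:access, the stanza name web_access_indexed, and the log line format are assumptions constructed for illustration.

```ini
# --- transforms.conf ---
# Assumed sourcetype web:access emits constructed lines such as:
#   2024-01-01T00:00:00Z status=403 username=alice uri=/admin
# The regex captures status and username; FORMAT writes both as
# indexed key::value pairs, and WRITE_META puts them in the .tsidx
# files so tstats can see them.
[web_access_indexed]
REGEX = status=(\d{3})\s+username=(\S+)
FORMAT = status::$1 username::$2
WRITE_META = true

# --- props.conf ---
# Apply the transform at index time to the assumed sourcetype.
[web:access]
TRANSFORMS-indexed_fields = web_access_indexed

# --- fields.conf ---
# Tell search that these fields are indexed, so tstats (and the
# where clause) use the .tsidx entries instead of search-time
# extraction.
[status]
INDEXED = true

[username]
INDEXED = true
```

After these settings are deployed to the indexers (or heavy forwarders doing the parsing) and the instances are restarted, the search `| tstats count where sourcetype="web:access" status>200 by username` is served from the metadata. Two caveats apply: index-time fields are only present for events ingested after the change, so historical data still needs stats, and every indexed field grows the .tsidx files, which is why the answer above recommends accelerated data models for anything beyond a handful of fields.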
