This is more a question of curiosity -- we have a search that collects data and calculates the mean and the "mrbar" (the mean moving range, a statistical value used in control charts), then uses these values to calculate the upper and lower limits of this data; essentially the Nth percentile range. Since this runs over a rather large data set, I thought it would be faster to reuse the value of the already-calculated lower control limit (lcl) rather than repeat the formula for that calculation. BUT, running a (single) test with the search coded each way showed that repeating the calculation inside the "if" was 4 seconds faster (nearly 9%) than using the calculated variable. Here is a sample of this part of the search:
{search to pull data} | eval week=tonumber(strftime(_time,"%U")) | stats count by week | delta count as B | eval B=coalesce(B,0) | eval B=abs(B) | eventstats mean(B) mean(count) | rename mean(count) as Mean, mean(B) as mrbar | eval ucl=(mrbar*2.66)+Mean | eval lcl=Mean-(2.66*mrbar) | eval lcl=if(lcl<0,0,Mean-(2.66*mrbar)) | table week Mean count ucl lcl | rename ucl as "Upper Control Limit", lcl as "Lower Control Limit"
"eval lcl=if(lcl<0,0,Mean-(2.66*mrbar))" is the part of the search I am asking about. If I change this eval to "eval lcl=if(lcl<0,0,lcl)", it runs slower than having the value of lcl recalculated. That just seems odd to me, and I am wondering why it would be so -- it goes against my old Java, C, C++ & C# coding experience. Any ideas what is going on in Splunk to make this happen? Curious minds want to know! (8->)
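As a side note (not an answer to the timing question): eval's built-in max() function can fold the recalculation and the if() into a single step, clamping the lower limit at zero in one expression. This is just a sketch using the field names from the search above, and I have not timed it against either of the two versions being compared:

```spl
... | eval ucl=Mean+(2.66*mrbar)
    | eval lcl=max(0, Mean-(2.66*mrbar))
    | table week Mean count ucl lcl
```

Whether max() beats if() performance-wise in Splunk is exactly the kind of thing the question is about, so it would need the same sort of side-by-side test.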
Maybe Maverick in the Plano, TX office -- a search wizard -- might know? You out there Mav?