Splunk® Hadoop Connect

Deploy and Use Splunk Hadoop Connect


Use search commands in Hadoop Connect

Distributable search commands are more effective in Hadoop Connect, because they can be distributed to search heads and virtual indexes.

This topic discusses the types of commands that work best with Hadoop Connect and commands that should be reserved for use with the Splunk Enterprise local directories.

Distributable commands

Distributable commands are commands that can be run on a local indexer but can also be distributed to search heads and virtual indexes.

  • Distributable generating commands: Event-generating commands that are distributable return an events list or a table of results. Generating commands are invoked at the beginning of a search, with a leading pipe. A search cannot be piped into a generating command. The exception is the search command, because it is implicit at the start of a search and does not need to be invoked. Distributable event-generating commands include:

Non-distributable commands

Non-distributable commands, which are also referred to as non-streaming commands, require all data to come back to the local indexer.

Reserve non-streaming commands for searches that involve local indexes in some capacity. Types of non-distributable or non-streaming commands are:

  • Centralized streaming commands: These commands are sometimes referred to as "stateful streaming" commands and include:


  • Non-distributable generating commands: Generating commands that are either centralized event-generating or report-generating do not work with Hadoop Connect.

Hadoop Connect cannot export searches that contain any report-generating commands.

Other commands

There are a handful of commands that do not fit into these categories. These commands are non-reporting, not distributable, and not streaming: sort, eventstats, some modes of dedup, and some modes of cluster.
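As an added example (not part of the Splunk documentation), the following Python sketch checks a search string for the four commands named above before it is run against Hadoop Connect. The function names and sample searches are hypothetical, and only top-level pipeline stages are inspected; commands inside subsearches are skipped.

```python
# Commands the page lists as non-reporting, not distributable and not streaming.
ALWAYS_LOCAL = {"sort", "eventstats"}
# The page says only "some modes" of these qualify and does not list the modes.
MODE_DEPENDENT = {"dedup", "cluster"}


def split_pipeline(search):
    """Split an SPL string on top-level pipes, skipping pipes that sit
    inside double-quoted strings or [subsearch] brackets."""
    stages, buf, depth, in_quote, escaped = [], [], 0, False, False
    for ch in search:
        if escaped:                      # character after a backslash in a string
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "[":
                depth += 1
            elif ch == "]":
                depth = max(0, depth - 1)
            elif ch == "|" and depth == 0:
                stages.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def flag_local_only(search):
    """Return (stage_index, command, note) for each top-level stage that
    uses a command the page reserves for local indexes."""
    leading_pipe = search.lstrip().startswith("|")
    findings = []
    for pos, stage in enumerate(split_pipeline(search)):
        # Without a leading pipe, the first stage is the implicit search command.
        cmd = "search" if pos == 0 and not leading_pipe else stage.split()[0].lower()
        if cmd in ALWAYS_LOCAL:
            findings.append((pos, cmd, "not distributable"))
        elif cmd in MODE_DEPENDENT:
            findings.append((pos, cmd, "not distributable in some modes"))
    return findings


# Constructed sample searches (field and sourcetype names are made up).
QUOTED = 'sourcetype=demo msg="a | sort b" | eval x=1 | sort -x | dedup host'
SUBSEARCH = 'status=500 [ search error | sort 5 -count | fields host ] | eval y=2'
print(flag_local_only(QUOTED))
print(flag_local_only(SUBSEARCH))
```

The pipe inside the quoted `msg` value and the `sort` inside the subsearch are not reported, because neither is a top-level stage of the search.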


This documentation applies to the following versions of Splunk® Hadoop Connect: 1.0, 1.1, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5

