Splunk® Enterprise

Search Reference

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Command types

There are four broad types for all of the search commands: distributable streaming, centralized streaming, transforming, generating.

The following tables list the commands that fit into each of these types. For detailed explanations about each of the types, see Types of commands in the Search Manual.

Streaming commands

A streaming command operates on each event as the event is returned by a search.

  • A distributable streaming command runs on the indexer or the search head, depending on where in the search the command is invoked. Distributable streaming commands can be applied to subsets of indexed data in a parallel manner.
  • A centralized streaming command applies a transformation to each event returned by a search. Unlike distributable streaming commands, a centralized streaming command only works on the search head.


Command Notes
addinfo Distributable streaming
anomalydetection
append
arules
autoregress Centralized streaming.
bin Streaming if specified with the span argument.
bucketdir
cluster Streaming in some modes.
convert Distributable streaming.
dedup Streaming in some modes.
eval Distributable streaming.
extract Distributable streaming.
fieldformat Distributable streaming.
fields Distributable streaming.
fillnull Streaming with specific arguments.
head Centralized streaming.
highlight Distributable streaming.
iconify Distributable streaming.
iplocation Distributable streaming.
join Centralized streaming, as long as there is a defined set of fields to join to.
lookup Distributable streaming when specified with local=false
makemv Distributable streaming.
multikv Distributable streaming.
mvexpand Distributable streaming.
nomv Distributable streaming.
rangemap Distributable streaming.
regex Distributable streaming.
reltime Distributable streaming.
rename Distributable streaming.
replace Distributed streaming.
rex Distributable streaming.
search Distributable streaming if used further down the search pipeline. Generating when the first command in the search.
spath Distributable streaming.
strcat Distributable streaming.
streamstats Centralized streaming.
tags Distributable streaming.
transaction Centralized streaming.
typer Distributable streaming.
where Distributable streaming.
untable Distributable streaming.
xmlkv Distributable streaming.
xmlunescape
xpath Distributable streaming.
xyseries Distributable streaming if the argument grouped=false>, otherwise Transforming

Generating commands

A generating command generates events or reports from one or more indexes without transforming the events.

Command Notes
crawl Report-generating.
datamodel Report-generating
dbinspect Report-generating.
eventcount Report-generating.
gentimes
inputcsv Event-generating (centralized).
Inputlookup Event-generating (centralized) when append=false, which is the default.
loadjob Event-generating (centralized).
makeresults Report-generating.
metadata Report-generating. Although metadata fetches data from all peers, any command run after it runs only on the search head.
multisearch Event-generating.
pivot Report-generating.
search Event-generating (distributable) when the first command in the search, which is the default. Distributable streaming if used as a subsearch.
searchtxn Event-generating.
set Event-generating.
tstats Report-generating.

Transforming commands

A transforming command orders the results into a data table. The command "transforms" the specified cell values for each event into numerical values for statistical purposes.

Note: In earlier versions of Splunk software, transforming commands were referred to as "reporting commands."

Command Notes
addtotals Transforming when used to calculate column totals (not row totals).
chart
cofilter
contingency
history
makecontinuous
mvcombine
rare
stats
table
timechart
top
xyseries Transforming if grouped=true, otherwise distributable streaming.
PREVIOUS
Commands by category
  NEXT
Splunk SPL for SQL users

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Comments

Jkat54

Thank you for your comments. The table command is really a basic transforming command.
I appreciate you finding the grammar issue. I have corrected that. As for “distributable”, I checked Merriam-Webster and it is indeed a valid adjective. I will investigate further about where each command executes. It is most relevant for the streaming commands, which is why we put the emphasis there.

Lstewart splunk, Splunker
October 31, 2016

Woodcock
The eventstats command is like the sort command, it does not really fit into any of these categories. This is actually mentioned in the Search Manual here: http://docs.splunk.com/Documentation/Splunk/latest/Search/Typesofcommands

Lstewart splunk, Splunker
October 31, 2016

Hi,

Table doesnt appear in this list. I think it should be under streaming command as "centralized".

Also found a grammar issue here:
A distributable streaming command *are run* (should be "is ran" or "executes") on the indexer or the search head, depending on where in the search the command is invoked. Distributable streaming commands can be applied to subsets of indexed data in a parallel manner

Also distributable is not a word.

Finally, it seems like each type of command should mention where it executes. I see distributable and centralized are noted on some generating and transforming commands, but you have way more details about what each do under the first type, Streaming... Perhaps we should have bullets for each type of command that explains the whole distributable/centralized aspects OR maybe just one "this applies to all commands" bullet list at the top of the page...

TIA!

Jkat54
October 19, 2016

The `eventstats` command does not appear on this page anywhere (and surely other, even more-recently-added commands, too). A full command audit should be performed and this page updated accordingly.

Woodcock
May 22, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters