Related Answers
Download topic as PDF
Command types
There are four broad types for all of the search commands: distributable streaming, centralized streaming, transforming, generating.
The following tables list the commands that fit into each of these types. For detailed explanations about each of the types, see Types of commands in the Search Manual.
Streaming commands
A streaming command operates on each event as the event is returned by a search.
- A distributable streaming command runs on the indexer or the search head, depending on where in the search the command is invoked. Distributable streaming commands can be applied to subsets of indexed data in a parallel manner.
- A centralized streaming command applies a transformation to each event returned by a search. Unlike distributable streaming commands, a centralized streaming command only works on the search head.
| Command | Notes |
|---|---|
| addinfo | Distributable streaming |
| anomalydetection | |
| append | |
| arules | |
| autoregress | Centralized streaming. |
| bin | Streaming if specified with the span argument.
|
| bucketdir | |
| cluster | Streaming in some modes. |
| convert | Distributable streaming. |
| dedup | Streaming in some modes. |
| eval | Distributable streaming. |
| extract | Distributable streaming. |
| fieldformat | Distributable streaming. |
| fields | Distributable streaming. |
| fillnull | Streaming with specific arguments. |
| head | Centralized streaming. |
| highlight | Distributable streaming. |
| iconify | Distributable streaming. |
| iplocation | Distributable streaming. |
| join | Centralized streaming, as long as there is a defined set of fields to join to. |
| lookup | Distributable streaming when specified with local=false
|
| makemv | Distributable streaming. |
| multikv | Distributable streaming. |
| mvexpand | Distributable streaming. |
| nomv | Distributable streaming. |
| rangemap | Distributable streaming. |
| regex | Distributable streaming. |
| reltime | Distributable streaming. |
| rename | Distributable streaming. |
| replace | Distributed streaming. |
| rex | Distributable streaming. |
| search | Distributable streaming if used further down the search pipeline. Generating when the first command in the search. |
| spath | Distributable streaming. |
| strcat | Distributable streaming. |
| streamstats | Centralized streaming. |
| tags | Distributable streaming. |
| transaction | Centralized streaming. |
| typer | Distributable streaming. |
| where | Distributable streaming. |
| untable | Distributable streaming. |
| xmlkv | Distributable streaming. |
| xmlunescape | |
| xpath | Distributable streaming. |
| xyseries | Distributable streaming if the argument grouped=false>, otherwise Transforming
|
Generating commands
A generating command generates events or reports from one or more indexes without transforming the events.
| Command | Notes |
|---|---|
| crawl | Report-generating. |
| datamodel | Report-generating |
| dbinspect | Report-generating. |
| eventcount | Report-generating. |
| gentimes | |
| inputcsv | Event-generating (centralized). |
| Inputlookup | Event-generating (centralized) when append=false, which is the default.
|
| loadjob | Event-generating (centralized). |
| makeresults | Report-generating. |
| metadata | Report-generating. Although metadata fetches data from all peers, any command run after it runs only on the search head. |
| multisearch | Event-generating. |
| pivot | Report-generating. |
| search | Event-generating (distributable) when the first command in the search, which is the default. Distributable streaming if used as a subsearch. |
| searchtxn | Event-generating. |
| set | Event-generating. |
| tstats | Report-generating. |
Transforming commands
A transforming command orders the results into a data table. The command "transforms" the specified cell values for each event into numerical values for statistical purposes.
Note: In earlier versions of Splunk software, transforming commands were referred to as "reporting commands."
| Command | Notes |
|---|---|
| addtotals | Transforming when used to calculate column totals (not row totals). |
| chart | |
| cofilter | |
| contingency | |
| history | |
| makecontinuous | |
| mvcombine | |
| rare | |
| stats | |
| table | |
| timechart | |
| top | |
| xyseries | Transforming if grouped=true, otherwise distributable streaming.
|
|
PREVIOUS Commands by category |
NEXT Splunk SPL for SQL users |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Feedback submitted, thanks!