Related Answers
Download topic as PDF
Command types
There are four broad types for all of the search commands: distributable streaming, centralized streaming, transforming, generating.
The following tables list the commands that fit into each of these types. For detailed explanations about each of the types, see Types of commands in the Search Manual.
Streaming commands
A streaming command operates on each event as the event is returned by a search.
- A distributable streaming command runs on the indexer or the search head, depending on where in the search the command is invoked. Distributable streaming commands can be applied to subsets of indexed data in a parallel manner.
- A centralized streaming command applies a transformation to each event returned by a search. Unlike distributable streaming commands, a centralized streaming command only works on the search head.
| Command | Notes |
|---|---|
| addinfo | Distributable streaming |
| anomalydetection | |
| append | |
| arules | |
| autoregress | Centralized streaming. |
| bin | Streaming if specified with the span argument.
|
| bucketdir | |
| cluster | Streaming in some modes. |
| convert | Distributable streaming. |
| dedup | Streaming in some modes. |
| eval | Distributable streaming. |
| extract | Distributable streaming. |
| fieldformat | Distributable streaming. |
| fields | Distributable streaming. |
| fillnull | Streaming with specific arguments. |
| head | Centralized streaming. |
| highlight | Distributable streaming. |
| iconify | Distributable streaming. |
| iplocation | Distributable streaming. |
| join | Centralized streaming, as long as there is a defined set of fields to join to. |
| lookup | Distributable streaming when specified with local=false
|
| makemv | Distributable streaming. |
| multikv | Distributable streaming. |
| mvexpand | Distributable streaming. |
| nomv | Distributable streaming. |
| rangemap | Distributable streaming. |
| regex | Distributable streaming. |
| reltime | Distributable streaming. |
| rename | Distributable streaming. |
| replace | Distributed streaming. |
| rex | Distributable streaming. |
| search | Distributable streaming if used further down the search pipeline. Generating when the first command in the search. |
| spath | Distributable streaming. |
| strcat | Distributable streaming. |
| streamstats | Centralized streaming. |
| tags | Distributable streaming. |
| transaction | Centralized streaming. |
| typer | Distributable streaming. |
| where | Distributable streaming. |
| untable | Distributable streaming. |
| xmlkv | Distributable streaming. |
| xmlunescape | |
| xpath | Distributable streaming. |
| xyseries | Distributable streaming if the argument grouped=false>, otherwise Transforming
|
Generating commands
A generating command generates events or reports from one or more indexes without transforming the events.
| Command | Notes |
|---|---|
| crawl | Report-generating. |
| datamodel | Report-generating |
| dbinspect | Report-generating. |
| eventcount | Report-generating. |
| gentimes | |
| inputcsv | Event-generating (centralized). |
| Inputlookup | Event-generating (centralized) when append=false, which is the default.
|
| loadjob | Event-generating (centralized). |
| makeresults | Report-generating. |
| metadata | Report-generating. Although metadata fetches data from all peers, any command run after it runs only on the search head. |
| multisearch | Event-generating. |
| pivot | Report-generating. |
| search | Event-generating (distributable) when the first command in the search, which is the default. Distributable streaming if used as a subsearch. |
| searchtxn | Event-generating. |
| set | Event-generating. |
| tstats | Report-generating. |
Transforming commands
A transforming command orders the results into a data table. The command "transforms" the specified cell values for each event into numerical values for statistical purposes.
Note: In earlier versions of Splunk software, transforming commands were referred to as "reporting commands."
| Command | Notes |
|---|---|
| addtotals | Transforming when used to calculate column totals (not row totals). |
| chart | |
| cofilter | |
| contingency | |
| history | |
| makecontinuous | |
| mvcombine | |
| rare | |
| stats | |
| table | |
| timechart | |
| top | |
| xyseries | Transforming if grouped=true, otherwise distributable streaming.
|
|
PREVIOUS Commands by category |
NEXT Splunk SPL for SQL users |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Comments
Woodcock
The eventstats command is like the sort command, it does not really fit into any of these categories. This is actually mentioned in the Search Manual here: http://docs.splunk.com/Documentation/Splunk/latest/Search/Typesofcommands
Hi,
Table doesnt appear in this list. I think it should be under streaming command as "centralized".
Also found a grammar issue here:
A distributable streaming command *are run* (should be "is ran" or "executes") on the indexer or the search head, depending on where in the search the command is invoked. Distributable streaming commands can be applied to subsets of indexed data in a parallel manner
Also distributable is not a word.
Finally, it seems like each type of command should mention where it executes. I see distributable and centralized are noted on some generating and transforming commands, but you have way more details about what each do under the first type, Streaming... Perhaps we should have bullets for each type of command that explains the whole distributable/centralized aspects OR maybe just one "this applies to all commands" bullet list at the top of the page...
TIA!
The `eventstats` command does not appear on this page anywhere (and surely other, even more-recently-added commands, too). A full command audit should be performed and this page updated accordingly.
Jkat54
Thank you for your comments. The table command is really a basic transforming command.
I appreciate you finding the grammar issue. I have corrected that. As for “distributable”, I checked Merriam-Webster and it is indeed a valid adjective. I will investigate further about where each command executes. It is most relevant for the streaming commands, which is why we put the emphasis there.