Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Command types

There are six broad types for all of the search commands: distributable streaming, centralized streaming, transforming, generating, orchestrating and dataset processing. These types are not mutually exclusive. A command might be streaming or transforming, and also generating.

The following tables list the commands that fit into each of these types. For detailed explanations about each of the types, see Types of commands in the Search Manual.

Streaming commands

A streaming command operates on each event as the event is returned by a search.

  • A distributable streaming command runs on the indexer or the search head, depending on where in the search the command is invoked. Distributable streaming commands can be applied to subsets of indexed data in a parallel manner.
  • A centralized streaming command applies a transformation to each event returned by a search. Unlike distributable streaming commands, a centralized streaming command only works on the search head.


Command Notes
addinfo Distributable streaming
addtotals Distributable streaming. A transforming command when used to calculate column totals (not row totals).
anomalydetection
append
arules
autoregress Centralized streaming.
bin Streaming if specified with the span argument.
bucketdir
cluster Streaming in some modes.
convert Distributable streaming.
dedup Streaming by default. Using the sortby argument or specifying keepevents=true makes the dedup command a dataset processing command.
eval Distributable streaming.
extract Distributable streaming.
fieldformat Distributable streaming.
fields Distributable streaming.
fillnull Distributable streaming when a field-list is specified. A dataset processing command when no field-list is specified.
head Centralized streaming.
highlight Distributable streaming.
iconify Distributable streaming.
iplocation Distributable streaming.
join Centralized streaming, if there is a defined set of fields to join to. A dataset processing command when no field-list is specified.
lookup Distributable streaming when specified with local=false, which is the default. An orchestrating command when local=true.
makemv Distributable streaming.
multikv Distributable streaming.
mvexpand Distributable streaming.
nomv Distributable streaming.
rangemap Distributable streaming.
regex Distributable streaming.
reltime Distributable streaming.
rename Distributable streaming.
replace Distributable streaming.
rex Distributable streaming.
search Distributable streaming if used further down the search pipeline. A generating command when it is the first command in the search.
spath Distributable streaming.
strcat Distributable streaming.
streamstats Centralized streaming.
tags Distributable streaming.
transaction Centralized streaming.
typer Distributable streaming.
where Distributable streaming.
untable Distributable streaming.
xmlkv Distributable streaming.
xmlunescape
xpath Distributable streaming.
xyseries Distributable streaming if the argument grouped=false is specified, which is the default. Otherwise a transforming command.

Generating commands

A generating command generates events or reports from one or more indexes without transforming the events.

Command Notes
datamodel Report-generating
dbinspect Report-generating.
eventcount Report-generating.
from Can be either report-generating or event-generating depending on the search or knowledge object that is referenced by the command.
gentimes Event-generating.
inputcsv Event-generating (centralized).
Inputlookup Event-generating (centralized) when append=false, which is the default.
loadjob Event-generating (centralized).
makeresults Report-generating.
metadata Report-generating. Although metadata fetches data from all peers, any command run after it runs only on the search head.
metasearch Event-generating.
mstats Report-generating, except when append=true is specified.
multisearch Event-generating.
pivot Report-generating.
rest
search Event-generating (distributable) when the first command in the search, which is the default. A streaming (distributable) command if used later in the search pipeline.
searchtxn Event-generating.
set Event-generating.
tstats Report-generating (distributable) when prestats=true. When prestats=false, tstats is event-generating.

Transforming commands

A transforming command orders the results into a data table. The command "transforms" the specified cell values for each event into numerical values for statistical purposes.

In earlier versions of Splunk software, transforming commands were referred to as reporting commands.

Command Notes
addtotals Transforming when used to calculate column totals (not row totals). A distributable streaming command when used to calculate row totals, which is the default.
chart
cofilter
contingency
history
makecontinuous
mvcombine
rare
stats
table
timechart
top
xyseries Transforming if grouped=true. A streaming (distributable) command when grouped=false, which is the default setting.

Orchestrating commands

Orchestrating commands control some aspect of how a search is processed. They do not directly affect the final result set of the search. For example, you might apply an orchestrating command to a search to enable or disable a search optimization that helps the overall search complete faster.

Command Notes
localop
lookup Only becomes an orchestrating command when local=true. This forces the lookup command to run on the search head and not on any remote peers. A streaming (distributable) command when local=false, which is the default setting.
noop
redistribute

Dataset processing commands

A dataset processing command is a command that requires the entire dataset before the command can run. Some of these commands fit into other command types in specific situations or when specific arguments are used.

Command Notes
anomalousvalue Some modes
anomalydetection Some modes
append Some modes
bin Some modes. A streaming command if the span argument is specified.
cluster Some modes
concurrency
datamodel
dedup Using the sortby argument or specifying keepevents=true makes the dedup command a dataset processing command. Otherwise, dedup is a streaming command.
eventstats
fieldsummary Some modes
fillnull Some modes
from Some modes
join Some modes
map
outlier
pivot Some modes
reverse
sort
tail
transaction Some modes
union Some modes
Last modified on 27 July, 2020
Commands by category   Splunk SPL for SQL users

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters