Splunk® Enterprise

Splunk Analytics for Hadoop

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

How distributable and non-distributable commands work in Splunk Analytics for Hadoop (and what works best)

Splunk Analytics for Hadoop reaches End of Life on January 31, 2025.

Distributable search commands are the most effective commands in Splunk Analytics for Hadoop reports because the search head can push them out to its search peers (indexers) and to virtual indexes, where they run close to the data. Non-distributable commands generally run only against data that has been returned to the search head, so they work on local indexes but are much less effective on virtual indexes.

You can write a search across different index types that uses both distributable and non-distributable commands, as long as you keep in mind that such a search returns all of the matching data from the local indexes but only limited data from the virtual indexes.

This topic discusses the types of commands that work best with Splunk Analytics for Hadoop and the commands that you should reserve for searches over Splunk Enterprise local indexes.

Smart mode searches

Search modes control the amount or type of data that the search returns.

Smart mode is the default and recommended setting for searches over a virtual index (VIX). It adjusts search behavior based on whether your search contains transforming commands: a search without them returns events, and a search with them returns report results. When searching virtual indexes, search in smart mode, because it is the more efficient option.

If you use verbose mode to search a VIX, note that Splunk Analytics for Hadoop does not start a MapReduce job for that search. Verbose mode returns every matching event in addition to the results of any report you are running, so the benefit of pushing the work into a MapReduce job is minimal and in some cases it slows the search down.

To learn more about Splunk Enterprise search modes, see the Search Manual.

Distributable commands

Distributable commands are commands that can run on a local indexer and can also be distributed to search peers and to virtual indexes. In Splunk Enterprise they run on the indexer; for a virtual index they run on the Hadoop DataNode/TaskTracker that holds the data.

Commands that work best with virtual indexes are:

  • Distributable generating commands: Event-generating commands that are distributable return an events list or a table of results. Generating commands are usually invoked at the beginning of the search and with a leading pipe. There cannot be a search piped into a generating command. (The exception is the search command, because it is implicit at the start of a search and does not need to be invoked.) Distributable event-generating commands include:

Non-distributable commands

Non-distributable commands (also referred to as non-streaming commands) require all of the data to be returned to the search process on the search head before they can run. They are not effective commands for searching virtual indexes.

Reserve non-streaming commands for searches in which local indexes are involved in some capacity. In a search that spans both local and virtual indexes, the non-streaming commands are applied to the data from the local indexes but not to the data from the virtual indexes included in the search.

Types of non-distributable or non-streaming commands are:

  • Centralized streaming commands: These commands are sometimes referred to as "stateful streaming" commands and include:


  • Non-distributable generating commands: Generating commands that are either centralized event-generating or report-generating do not work on virtual indexes. You cannot export data from any search that contains a reporting command.

Other commands

There are a handful of commands that do not fit into these categories. These commands are non-reporting, not distributable, and not streaming: sort, eventstats, some modes of dedup, and some modes of cluster.
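The practical consequence of these categories is where the search head splits a pipeline: every stage up to the first non-distributable command is the remote part that can be pushed to the indexers or to the DataNode/TaskTracker behind a virtual index, and that command plus everything after it runs centrally. The following script, added here as an illustration and not code from Splunk or from this documentation, applies that rule to an SPL string and reports the split. The command-type table inside it is an assumption drawn from Splunk's documented command categories and covers only a few common commands; anything not in the table is treated conservatively as non-distributable. The sample searches are constructed for the example.

```python
"""Plan where each stage of an SPL pipeline runs (added example, not Splunk code).

Rule applied, as described in this topic: stages are pushed to the remote side
(indexers, or the DataNode/TaskTracker behind a virtual index) only up to the
first non-distributable command; that command and every later stage run
centrally, even if a later stage is itself distributable.
"""

# Assumed command-type table (an assumption of this example, not from the page).
DISTRIBUTABLE_STREAMING = {"search", "eval", "fields", "rex", "regex", "rename", "where"}
CENTRALIZED_STREAMING = {"head", "streamstats", "transaction"}
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}
DATASET_PROCESSING = {"sort", "eventstats", "dedup"}  # the "Other commands" above


def command_name(stage):
    """First token of a stage, lower-cased, or '' for an empty stage."""
    parts = stage.split(None, 1)
    return parts[0].lower() if parts else ""


def split_pipeline(spl):
    """Split SPL on '|' that is outside double quotes, honouring backslash escapes.

    The implicit leading 'search' is made explicit when the pipeline does not
    start with a pipe, mirroring how Splunk treats the first stage.
    """
    stages, buf, in_quote, i = [], [], False, 0
    while i < len(spl):
        ch = spl[i]
        if ch == "\\" and i + 1 < len(spl):       # keep escaped character verbatim
            buf.append(ch + spl[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    stages.append("".join(buf).strip())
    leading_pipe = spl.lstrip().startswith("|")
    stages = [s for s in stages if s]
    if stages and not leading_pipe and command_name(stages[0]) != "search":
        stages[0] = "search " + stages[0]
    return stages


def classify(stage):
    """Map a stage to its command category; unknown commands are non-distributable."""
    name = command_name(stage)
    if name in DISTRIBUTABLE_STREAMING:
        return "distributable streaming"
    if name in CENTRALIZED_STREAMING:
        return "centralized streaming"
    if name in TRANSFORMING:
        return "transforming"
    if name in DATASET_PROCESSING:
        return "dataset processing"
    return "unknown (treated as non-distributable)"


def plan(spl, mode="smart"):
    """Return the remote and central parts of the pipeline and the first blocker.

    'vix_mapreduce' is False in verbose mode because, as the text notes, Splunk
    Analytics for Hadoop starts no MapReduce job for a verbose search of a VIX.
    """
    remote, local, first_blocker = [], [], None
    for stage in split_pipeline(spl):
        category = classify(stage)
        if first_blocker is None and category == "distributable streaming":
            remote.append(stage)
        else:
            if first_blocker is None:
                first_blocker = (command_name(stage), category)
            local.append(stage)
    return {
        "remote": remote,
        "local": local,
        "first_non_distributable": first_blocker,
        "vix_mapreduce": mode != "verbose" and bool(remote),
    }


if __name__ == "__main__":
    # Constructed sample search; the '|' inside the rex pattern must not split.
    q = ('index=web_logs status=500 '
         '| rex field=_raw "user=(?<user>admin|root)" '
         '| eval is_admin=if(user=="admin",1,0) '
         '| stats count by user '
         '| sort - count')
    for key, value in plan(q).items():
        print(f"{key}: {value}")
```

When you run the sample search through `plan`, the `search`, `rex` and `eval` stages are reported as the remote part and `stats` is the first non-distributable command, so `stats` and `sort` run centrally. Moving a `head` or `sort` ahead of your filtering `eval` and `where` stages pulls everything after it back to the search head as well, which is the usual cause of a VIX search that is far slower than expected.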

Last modified on 30 October, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

