Splunk® Enterprise

Search Reference

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Command types

There are six broad types for all of the search commands: distributable streaming, centralized streaming, transforming, generating, orchestrating and dataset processing. These types are not mutually exclusive. A command might be streaming or transforming, and also generating.

The following tables list the commands that fit into each of these types. For detailed explanations about each of the types, see Types of commands in the Search Manual.

To find out how the types of commands used in searches can affect performance, see Write better searches in the Search Manual.

Streaming commands

A streaming command operates on each event as the event is returned by a search.

  • A distributable streaming command runs on the indexer or the search head, depending on where in the search the command is invoked. Any distributable streaming command that comes after a non-streaming command in the search is processed on the search head.
  • A centralized streaming command applies a transformation to each event returned by a search. Unlike distributable streaming commands, a centralized streaming command only works on the search head.


Command Notes
addinfo Distributable streaming
addtotals Distributable streaming. A transforming command when used to calculate column totals (not row totals).
arules Some of the work is distributable streaming running on the indexer or the search head. The rest of the work is centralized streaming running on the search head.
autoregress Centralized streaming.
bin Streaming if specified with the span argument. Otherwise a dataset processing command.
bucketdir Distributable streaming by default, but centralized streaming if the local setting specified for the command in the commands.conf file is set to true.
cluster Streaming in some modes.
convert Distributable streaming.
dedup Distributable streaming in a prededup phase. Centralized streaming after the individual indexers perform their own dedup and the results are returned to the search head from each indexer.

Using the sortby argument or specifying keepevents=true makes the dedup command a dataset processing command.

eval Distributable streaming.
extract Distributable streaming.
fieldformat Distributable streaming.
fields Distributable streaming.
fillnull Distributable streaming when a field-list is specified. A dataset processing command when no field-list is specified.
head Centralized streaming.
highlight Distributable streaming.
iconify Distributable streaming.
iplocation Distributable streaming.
join Centralized streaming, if there is a defined set of fields to join to. A dataset processing command when no field-list is specified.
lookup Distributable streaming when specified with local=false, which is the default. An orchestrating command when local=true.
makemv Distributable streaming.
multikv Distributable streaming.
mvexpand Distributable streaming.
nomv Distributable streaming.
rangemap Distributable streaming.
regex Distributable streaming.
reltime Distributable streaming.
rename Distributable streaming.
replace Distributable streaming.
rex Distributable streaming.
search Distributable streaming if used further down the search pipeline. A generating command when it is the first command in the search.
spath Distributable streaming.
strcat Distributable streaming.
streamstats Centralized streaming.
tags Distributable streaming.
transaction Centralized streaming.
typer Distributable streaming.
where Distributable streaming.
untable Distributable streaming.
xmlkv Distributable streaming.
xmlunescape Distributable streaming by default, but centralized streaming if the local setting specified for the command in the commands.conf file is set to true.
xpath Distributable streaming.
xyseries Distributable streaming if the argument grouped=false is specified, which is the default. Otherwise a transforming command.

Generating commands

A generating command either returns information or generates results. Some generating commands can return information from an index, a data model, a lookup, or a CSV file without any transformations to the information. Other generating commands generate results, usually for testing purposes.

Command Notes
datamodel Report-generating
dbinspect Report-generating.
eventcount Report-generating.
from Can be either report-generating or event-generating depending on the search or knowledge object that is referenced by the command.
gentimes Event-generating.
inputcsv Event-generating (centralized).
Inputlookup Event-generating (centralized) when append=false, which is the default.
loadjob Event-generating (centralized).
makeresults Report-generating.
metadata Report-generating. Although metadata fetches data from all peers, any command run after it runs only on the search head.
metasearch Event-generating.
mstats Report-generating, except when append=true is specified.
multisearch Event-generating.
pivot Report-generating.
rest
search Event-generating (distributable) when the first command in the search, which is the default. A streaming (distributable) command if used later in the search pipeline.
searchtxn Event-generating.
set Event-generating.
tstats Report-generating (distributable), except when prestats=true. When prestats=true, the tstats command is event-generating.

Transforming commands

A transforming command orders the results into a data table. The command "transforms" the specified cell values for each event into numerical values for statistical purposes.

In earlier versions of Splunk software, transforming commands were called reporting commands.

Command Notes
addtotals Transforming when used to calculate column totals (not row totals). A distributable streaming command when used to calculate row totals, which is the default.
anomalydetection
append
associate
chart
cofilter
contingency
history
makecontinuous
mvcombine
rare
stats
table
timechart
top
xyseries Transforming if grouped=true. A streaming (distributable) command when grouped=false, which is the default setting.

Orchestrating commands

Orchestrating commands control some aspect of how a search is processed. They do not directly affect the final result set of the search. For example, you might apply an orchestrating command to a search to enable or disable a search optimization that helps the overall search complete faster.

Command Notes
localop
lookup Only becomes an orchestrating command when local=true. This forces the lookup command to run on the search head and not on any remote peers. A streaming (distributable) command when local=false, which is the default setting.
noop
redistribute
require

Dataset processing commands

A dataset processing command is a command that requires the entire dataset before the command can run. Some of these commands fit into other command types in specific situations or when specific arguments are used.

Command Notes
anomalousvalue Some modes
anomalydetection Some modes
append Some modes
appendcols
appendpipe
bin Some modes. A streaming command if the span argument is specified.
cluster Some modes
concurrency
datamodel
dedup Using the sortby argument or specifying keepevents=true makes the dedup command a dataset processing command. Otherwise, dedup is a distributable streaming command in a prededup phase. Centralized streaming after the individual indexers perform their own dedup and the results are returned to the search head from each indexer.
eventstats
fieldsummary
fillnull When no field-list is specified, a dataset processing command. If a field-list is specified fillnull is a distributable streaming command.
from Some modes
join Some modes. A centralized streaming command when there is a defined set of fields to join to.
map
outlier
reverse
sort
tail
transaction Some modes
union Some modes
Last modified on 01 August, 2024
Commands by category   Splunk SPL for SQL users

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters