Types of Splunk Commands

types of splunk commands
types of splunk commands

In this blog we are going to go through the different types of splunk commands which are most commonly used in splunk, keep reading for detailed info.

There are almost six types of splunk commands and are are categorized as below:

  • distributable streaming
  • centralized streaming
  • transforming
  • generating
  • orchestrating
  • dataset processing

Streaming and non-streaming splunk commands

The streaming command applies to the event returned by the search. Basically, one event occurs and one (or no) event occurs.

For example, the eval command is able to create a new field full_name that contains a concatenation of the value which is in the first_name field and a space, and the value in the last_name field.

| eval full_name = first_name." ".last_name

The eval command evaluates each event without considering other events.

types of splunk commands

Non-streaming commands require events from all indexers before the command processes the entire set of events. Many conversion commands are non-streaming commands. There are also several which are not transforming commands but also are non-streaming. These non-transforming and non-streaming commands are sometimes referred to as event-based non-flow commands.

For example, the sort command must receive the entire set of events before the sort command begins sorting the events. Other examples of non-streaming commands are dedup command, stats and top commands.

The following table shows the processing differences between several types of splunk commands:

Distributable streaming
Centralized streaming
Data processing (non-streaming)
Can run on indexersYNNN
Can output before final input
Outputs events if inputs are events

Detailed explanation on all the six types of splunk commands:

1. Distributable streaming

The streaming command is executed for all events returned by the search. The order of the events has nothing to do with the streaming that can be delivered. Distributed streaming commands are commands that can be executed by the indexer to improve processing time. The other commands in the request determine if the streaming command sent is running on the indexer.

All of these types of splunk commands on the indexer can be executed before the streaming distributable command, the streaming distributable command will be executed on the indexer.

If you need to run some of the Search head commands before the distributable streaming commands, you need to run the rest of the search commands on the Search head. Once the search process has moved to the search head, it cannot be moved to the indexer again. Distributable streaming commands can be used in parallel for a subset of indexed data.

For example, stream Rex. Extracts the field during the search and applies it to the event. The most common streaming commands are eval, fields, makemv, rename, regex.

2. Centralized streaming

For integrated streaming commands, the order of the events is important. Centralized streaming commands ensure that the transformations returned by the search are applied. However, in contrast to distributed streaming commands, centralized streaming commands only work at the beginning of a search. You can also use the term “stateful streaming” to describe these orders.

3. Transforming

The transforming command adds the search results in to a data table. These commands “transform” the cell value specified for each event into a number for statistical analysis.

The transforming command is not streamed. You also need transforming commands to transform your search result data into the data structures you need for visualization, such as columns, bars, lines, areas, and pie diagrams.

Transforming commands include chart, timechart, stats, top, rare, and addtotals.

4. Generating

The generate command gets the information from the index without the need for conversion. Command generation is either event generation (distributable or centralized) or report generation. Most report commands are also centralized. The result is returned as a list or table, depending on the type of command.

Command generation does not anticipate or require input. Command generation is usually called using the first pipe at the beginning of the search.

This means that the search cannot be sent to the generate command. The exception to this is the search command.This is implicit at the beginning of the search and does not need to be called.

Examples of command generation are dbinspect, datamodel, inputcsv, metadata, pivot, search, and tstats.

5. Orchestrating

Orchestration commands are commands that control several aspects of the search process. It does not directly affect the final result set of the search. For example, you can apply orchestration commands to your search to enable or disable search optimization, which speeds up the entire search.

Examples of orchestration commands are redistribute, noop, and localop. Lookup commands can also be orchestration commands when used with the local = t argument.

6. Dataset processing

There are several commands to get the entire dataset before running the command. These commands are called dataset processing commands. These commands are not converted and cannot be distributed, streamed, or coordinated. Some of these types of splunk commands fit other types in certain situations or when certain arguments are used.

Examples of data processing commands are sort, eventstats, and several modes: cluster, dedup, and fillnull.

For more detailed information regarding types of splunk commands and more click here.

If you are still facing issue regarding types of splunk commands, Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on social platforms, happy Splunking>.

What do you think?

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

create splunk datamodel

Create Splunk Data Model

appencols command in splunk

Appendcols Command in Splunk