Types of Command in Splunk
We are all familiar with SPL in Splunk. Whenever we run a query on the search head we use many commands, and every command is categorized by how it processes data. This is also one of the most common questions asked in Splunk interviews.
There are 6 major categories for all the search commands.
- Distributed Streaming Command
- Centralized Streaming Command
- Transforming Command
- Generating Command
- Orchestrating Command
- Dataset Processing Command
Some commands fit into one category and some fit into more than one category. Before going through the categories you need to know the difference between streaming commands and non-streaming commands.
Streaming Commands and Non-Streaming commands
A streaming command operates on each event returned by a search, one event at a time: one event in, one event out.
Example : eval , rex etc.
The eval command evaluates each event without looking at any other event, so its work can be done wherever the event happens to be, on an indexer or on the search head.
A non-streaming command requires the events from all of the indexers before it can operate on the entire set of events.
Example : dedup , stats , top etc.
The dedup command needs the entire set of results before it can tell which events are duplicates, so it runs on the search head after the indexers have sent back their events.
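The following search is added here as an illustration of where each stage of a pipeline runs; it is not taken from the original post. It assumes a hypothetical index named web holding Apache access logs in the access_combined sourcetype; the index, sourcetype and field names are assumptions for the example.

```spl
index=web sourcetype=access_combined earliest=-24h
| rex field=_raw "HTTP/1\.\d\"\s(?<http_status>\d{3})"
| eval status_class=case(http_status>=500, "server_error", http_status>=400, "client_error", true(), "ok")
| stats count AS requests BY status_class
| eventstats sum(requests) AS total
| eval pct=round(100*requests/total, 1)
| sort - requests
```

The initial search, the rex and the first eval are streaming, so every indexer applies them to its own slice of the events in parallel. stats is the first non-streaming command: the indexers return partial counts and the search head merges them. From that point on everything (eventstats, the second eval, sort) runs on the search head over the complete result set. That is why per-event filtering, rex and eval work belongs before the first non-streaming command, where it is spread across the indexers instead of being done by the search head alone.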
Distributed Streaming Command :
A distributed streaming command (called a distributable streaming command in the Splunk documentation) runs on the indexers or on the search head, depending on where in the search the command is used. Because each event is processed independently, distributable streaming commands can be applied to subsets of the indexed data in parallel on the indexers. Once a non-streaming command appears in the search, every command after it runs on the search head.
Example : fields, eval, multikv, makemv, mvexpand etc.
Centralized Streaming Command:
A centralized streaming command also applies to each event returned by a search, but unlike a distributed streaming command it only runs on the search head, because its output for one event depends on the events that came before it (streamstats keeps a running calculation, head has to count how many events it has already passed).
Example : head, streamstats etc.
Generating Command :
Generating commands generate events or reports from one or more indexes, or from another source such as a lookup file, without transforming any events. A generating command is the first command in the search and is written with a leading pipe. The exception is search, which is the implied first command of every search and is written without the pipe.
Example : inputlookup, makeresults, search etc.
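As an added example (not from the original post), this search uses the generating command makeresults to build a few constructed events with no index at all, which is handy for testing a detection search before the real data is available. The IP addresses, user name and outcome values are made up for the example.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_ip=case(n=1, "10.0.0.5", n=2, "10.0.0.5", n=3, "10.0.0.5", n=4, "192.168.1.9"),
       outcome=if(n=4, "success", "failure"),
       user="svc_backup"
| stats count(eval(outcome="failure")) AS failures, values(user) AS users BY src_ip
| where failures >= 3
```

makeresults starts the pipeline with a leading pipe and produces four empty events; streamstats numbers them and eval fills in the fields, after which the rest of the search is the same as it would be against real events (here it returns only 10.0.0.5 with failures=3). Note that search is only a generating command when it starts the search string; a `| search` later in the pipeline is just a streaming filter on the events already flowing through.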
Transforming Command :
A transforming command orders the search results into a data table. The command "transforms" the specified cell values for each event into numerical values that Splunk can use for statistical purposes. Transforming commands are non-streaming, so they run on the search head, and their output is what charts and tables are built from.
Example : stats, chart, top, rare, timechart etc.
Orchestrating Command :
An orchestrating command controls some aspect of how a search is processed. It does not directly affect the final result set of the search. For example, you can use an orchestrating command to enable or disable a search optimization so that the overall search completes faster.
Example : localop, lookup, redistribute etc.
The lookup command only works as an orchestrating command when it is used with local=t.
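A small added example, not from the original post, of the same lookup used first as a distributable streaming command and then forced onto the search head. The index proxy, the lookup table threat_intel_ips and its fields ip and threat_category are assumptions for the example.

```spl
index=proxy earliest=-1h
| lookup threat_intel_ips ip AS dest_ip OUTPUT threat_category
| search threat_category=*
| stats count AS hits BY dest_ip, threat_category

index=proxy earliest=-1h
| localop
| lookup threat_intel_ips ip AS dest_ip OUTPUT threat_category
| search threat_category=*
| stats count AS hits BY dest_ip, threat_category
```

In the first search the lookup runs on every indexer against its own events, which requires the lookup table to have been shipped to the indexers in the knowledge bundle. In the second, localop stops the remote peers from executing anything after it, so the lookup and every later command run on the search head; the same effect limited to the lookup alone is `| lookup local=true threat_intel_ips ...`. The result set is identical either way, which is exactly what makes this an orchestrating decision rather than a transforming one. The trade-off is that the search head now does all of the matching, so filter the events as early as possible before it.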
Dataset Processing Command :
A dataset processing command requires the entire dataset before it can run; sort, for example, cannot emit its first result until it has seen every event. Some of these commands fit into other command types in specific situations or when specific arguments are used with them, so check the command reference rather than assuming a command always behaves the same way.
Example : append, dedup, join, sort, fillnull etc.
Hope you have got a brief idea of the types of command in Splunk.
Happy Splunking !!