Types of Command in Splunk – Splunk Visualization Commands
We all are familiar with the SPL in Splunk. In the search head when we perform any query, we use many commands. So all the commands are categorized as per their usage. Also this is the most common interview question asked by the interviewer.
There are 6 major categories for all the search commands.
- Distributed Streaming Command
- Centralized Streaming Command
- Transforming Command
- Generating Command
- Orchestrating Command
- Dataset Processing Command
Some commands fits into one category and some commands fits into more than one category. Before going to the explanation of all the categories you have to know about Streaming Commands and Non-Streaming commands.
Streaming Commands and Non-Streaming commands
Streaming Command operates upon each event and returned by a search. One event in and one event out.
Example : eval , rex etc.
The eval command evaluates each event without considering the other events.
Non-Streaming Command requires events from all of the indexer before command can operate on the entire set of events.
Example : dedup , stats , top etc.
The dedup command needs entire set of data before it performs.
Distributed Streaming Command :
Distributed streaming command runs on the indexer or the search head, depending on where in the search the command is used. Distributable streaming commands can be applied to subsets of indexed data in a parallel manner.
Example : fields, eval, multikv, makemv, mvexpand etc.
Centralized Streaming Command:
Centralized streaming command applies to each event returned by a search. Unlike distributed streaming commands, a centralized streaming command only works on the search head.
Example : head, streamstats etc.
Generating Command :
Generating commands generates events or reports from one or multiple indexes without transforming any events. Generating commands start with a leading pipe
Example : inputlookup, makeresults, search etc.
Transforming Command OR Splunk Visualization Commands :
Transforming command orders result into result set. The command “transforms” specified cell values for each event into numerical values for statistical analysis. This is also known as “Splunk Visualization Commands” because it is used to visualise the data in the graphical format.
Example : stats, chart, top, rare, timechart etc.
Orchestrating Command :
Orchestrating command controls some aspect of how a search is processed. They do no affect on the final result of the search. Orchestrating commands help us to enable or disable search optimization the helps to run the query faster.
Example : localop, lookup, redistribute etc.
lookup command only works as an orchestrating command when local=t
Dataset Processing Command :
Dataset processing command requires the entire dataset before the command can run. Some of these command fits into other command types in some special cases or when specific arguments are used with these commands.
Example : append, dedup, join, sort, fillnull etc.
Hope you have got a brief idea in : Types of Command in Splunk
Happy Splunking !!
[…] Only depicts search results as tables or visualizations when you run a transforming/reporting search. (see, Types of commands in Splunk) […]
[…] command which must start with a leading pipe (please clock on the link to know more about types of commands in splunk. The savedsearch command always runs a new […]
[…] Definition: 1) A subsearch is a search that is used to reduce the set of events from your result set. 2) The result of the subsearch is used as an argument to the primary or outer search. 3) Subsearches must be enclosed in square brackets and must start with a Generating command (eg: search, makeresults etc.).If you want to know more about generating commands, click here. […]