Kinds of Command available in Splunk – Splunk Visualization Commands

Kinds of Command available in Splunk – Splunk Visualization Commands

In the search head when performing a query, we use numerous commands. So every command is categorized with its usage. Moreover, this is among the most common interview questions which are asked by the interviewers.

All search commands are categorized into six. They include

  • Centralized Streaming Command
  • Distributed Streaming Command
  • Transforming Command
  • Orchestrating Command
  • Generating Command
  • Dataset Processing Command

Some of the commands fit into a single category while other commands fit into several categories.

Non-streaming commands and Streaming Commands

  1. Streaming Command functions upon every event & returned by a search. One event in & another event out.

Examples include rex, eval, etc.

  1. Eval command evaluates every event minus considering other events. Non-Streaming Command needs events from every indexer before command would operate on a full set of events.

Examples: stats, dedup, top, etc.

  1. Dedup command requires a whole set of information before it executes.
  2. Distributed Streaming Command

The distributed streaming command operates on an indexer or search head, relying on where you will use the command in search. Moreover, these distributable streaming commands are applied to a subset of indexed information in a parallel manner.

Examples include eval, fields, multikv, mvexpand, makemv, etc.

Centralized Streaming Command

With centralized streaming command, it applies to every event given back by a search. Different from distributed streaming commands, the centralized streaming command just works on the search head.

Examples include stream stats, head, etc.

Generating Command

These commands generate reports or events from a single or more index minus transforming events. Remember that generating commands begins with a leading pipe.

Some of the examples include input lookup, search, and make results, etc.

Splunk Visualization Commands or Transforming Command

This command orders result – result set. Moreover, the command “changes” stated cell values for every event to numerical values aimed at statistical analysis. This is also known as “Splunk Visualization Commands” because it is used to visualize the data into graphical format.

Examples are time charts, stats, top, chart, rare, etc.

Orchestrating Command

Orchestrating command allows one to controls aspects of the way a search is handled. They do not affect the ending result of a search. Orchestrating commands help one to disable or enable search optimization as it helps to operate the query quicker.

Examples include: lookup, localop, redistribute, etc.

Note that the lookup command just operates as an orchestrating command when local=t.

Dataset Processing Command:

This command needs the whole dataset before the command can operate. Some of the commands fit into additional command kinds in some special cases or the time precise arguments are utilized with the commands.

Examples include append, join, dedup, fill-null, sort, etc.

Splunk Use Case – Dubai Airport
Difference between User and Power User in Splunk
Steps on how to Install Splunk on Linux Server
Service Now Splunk Integration
Splunk Enterprise Security Suite Installation

Leave a Comment