Splunk - Types of Command
In this section, we are going to learn about the types of command that are present in the Splunk searches. The commands that we are going to cover are, streaming and non-streaming command, distributable streaming command, centralized streaming command, transforming command, generating command, orchestrating command, dataset processing command.
Types of commands
When we learn about the Splunk SPL, we may hear the words used to define the types of search commands that stream, create, transform, orchestrate, and process data. Each section lists the commands that fall into each category and discusses what such words mean.
There are Six search commands basically:
In Splunk web app, such categorizations are not unique to one another. Some commands only fall into one group. The stats command is an example of a command that only fits into the categorization of transformers. Certain commands may fit into multiple categories. A command can stream and also generate, for example.
Streaming and non-streaming commands
On every event, a streaming command operates as it is returned from a scan. Essentially one participant in a participant and one (or no) out.
For example, the eval command will create a new field, full name, that will contain the value concatenation in the first name field, space, and the last name value.
The eval command tests every event without taking into consideration other events.
A non-streaming command allows all indexers to have the events before the command can run on the entire set of events. Some commands that transform are non-streaming commands. There are also several commands which do not transform commands but are non-streaming commands.
Those non-transforming, non-streaming commands are often called non-streaming commands based on events.
For example, the entire set of events must be received by the sort command, before the sort command can start sorting the events. Certain non-streaming command examples include the dedup (in some modes), data, and top.
Non-streaming commands push the search head toward the whole series of events. That needs a lot of data transfer and parallel loss.
The table below outlines the variations in the processing of certain command types.
When a command is executed, it either produces events or results based on the command type. When we execute the sort command, for example, the input is events, and the output is events in the sort order we choose. Transforming instructions, however, do not emit events. Transforming results in the processing of commands. For instance, the command stats output a table of measured results.
The activities that were used to measure such outcomes no longer exist. We can't run a command that uses events as input after we execute a transforming order.
Commands for processing data are non-streaming commands that allow the whole dataset before the command can run. Such commands do not transform, are not distributable, do not stream, and do not orchestrate. The Sort command is an example of a command to process data.
On every event returned by a search, a streaming command operates. The order of the events doesn't matter for distributable streaming. A streaming command that can be distributed is a command that can be run on the indexer, which improves the processing time. The other commands in a request decide whether the streaming command to be transmitted is running on the indexer:
The order of events counts for unified streaming commands. A centralized streaming command applies a transformation to any case that a search returns. But unlike distributed streaming commands, a centralized streaming command works only on the head of the search. We may also use the word "stateful streaming" to explain these orders.
Centralized streaming commands include: head, streamstats, and some cluster modes.
A transforming command commands the results of the search to a table of data. Such commands "transform" the specified cell values for each event into numerical values, which can be used for statistical purposes by Splunk software. Don't stream commands to convert. Transforming commands are also necessary to transform the search result data into the data structures required for visualizations such as column, bar, line, area, and pie charts.
When used to measure column totals (not row totals), transforming commands include: map, timecart, details, top, uncommon and addtotals.
A command generation gets information from the indexes, without any transformations. Generating commands either generate events (distributable or centralized) or generate reports. Most commands producing information are centralised as well. The results are returned in a list or table, depending on what form the order is.
Don't expect or require an input to generate commands. Generating commands are usually invoked with a leading pipe at the search start. That is, the quest piped into a generating command cannot be performed. The exception to this is the search instruction, since it is implied at the beginning of a search, and need not be invoked.
Types of Command Generation include:dbinspect, datamodel, inputcsv, metadata, pivot, search, and tstats
An orchestration command controls some part of the processing of the quest. It does not have any effect on the search's final result collection. For example, we may add an orchestrating command to a search to allow or disable a search optimization that helps to complete the overall search more quickly.
Types of commands in orchestration include redistribute, noop, and localop. If we use it with the local = t statement, the lookup command often becomes an orchestrating function.
There are a handful of commands requiring the entire dataset before it can run. These commands are called the commands for the processing of data sets. Such commands do not transform, are not distributable, do not stream, and do not orchestrate. In specific cases, some of these commands fit into certain forms or where particular arguments are used.