1️⃣ Streaming Commands
Streaming commands process events as they flow through the search pipeline, working on one event at a time.
Types of Streaming Commands:
1.Distributable Streaming:
- Run on indexers for better performance.
- Examples:
eval, fields, where, regex. - Key Use: Parallel processing of events without worrying about order.
2.Centralized Streaming:
- Run on the search head because event order matters.
- Examples:
head, streamstats, dedup (specific modes). - Key Use: When the sequence of events impacts the result.
2️⃣ Non-Streaming Commands
Non-streaming commands don’t process events one by one; they often require all events or influence how the search runs.
Categories of Non-Streaming Commands:
1.Transforming Commands:
- Turn raw data into tables and statistics for reports and visualizations.
- Examples:
stats, chart, timechart. - Key Use: Creating summary reports, trends, and charts.
2.Generating Commands:
- Start a search or create data without prior input.
- Examples:
makeresults, inputlookup, datamodel. - Key Use: Generate initial data or enrich searches with additional information.
3.Orchestrating Commands:
- Control how a search is executed rather than the results.
- Examples:
redistribute, noop, localop. - Key Use: Optimize performance or manage search behavior.
4.Dataset Processing Commands:
- Work on the entire dataset, requiring full data visibility.
- Examples:
sort, eventstats, fillnull. - Key Use: Process or manipulate data globally for accuracy.
Top comments (0)