https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608033#M211412 <P>Hello Splunkers,</P> <P>I was wondering if there is a Splunk documentation or an article about how certain search commands behave in a distributed environment.&nbsp; (i.e. mainly the usage of Join, Stats, Lookup, Sub Searches, Map, Transaction, Tstats etc.)</P> <P>Descriptions could include about which Splunk node the command first runs, if it goes back and forth between Search Head and Indexer for example or does it only run in one of either. I know how these commands shape and filter certain logs, I just have not fully grasped how Commands are run in the background.</P> <P>All help and comments are appreciated,</P> <P>Thanks,</P> <P>Regards,</P> Wed, 03 Aug 2022 14:57:20 GMT NightShark 2022-08-03T14:57:20Z https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608033#M211412 <P>Hello Splunkers,</P> <P>I was wondering if there is a Splunk documentation or an article about how certain search commands behave in a distributed environment.&nbsp; (i.e. mainly the usage of Join, Stats, Lookup, Sub Searches, Map, Transaction, Tstats etc.)</P> <P>Descriptions could include about which Splunk node the command first runs, if it goes back and forth between Search Head and Indexer for example or does it only run in one of either. I know how these commands shape and filter certain logs, I just have not fully grasped how Commands are run in the background.</P> <P>All help and comments are appreciated,</P> <P>Thanks,</P> <P>Regards,</P> Wed, 03 Aug 2022 14:57:20 GMT https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608033#M211412 NightShark 2022-08-03T14:57:20Z https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608036#M211414 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/239089">@NightShark</a>,</P><P>always remember that the only problem on Splunk documentation is that it's usually too much!</P><P>Use Google search to find documentation, so you can find many docs, e.g. this&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Whatisdistributedsearch" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Whatisdistributedsearch</A></P><P>If instead you want to better know Splunk Commands I hint to use the Splunk Search Tutorial&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial</A>&nbsp;that describes how command works.</P><P>In few words:</P><P>searches are executed on Search Heads that send requests to Indexers.</P><P>Indexers give baks results to SH that take the useful ones (if you have a cluster with replicated data) and display them.</P><P>Filters are inserted in the search criteria in SH and applied in IDXs</P><P>Ciao.</P><P>Giuseppe</P> Wed, 03 Aug 2022 08:32:59 GMT https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608036#M211414 gcusello 2022-08-03T08:32:59Z https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608041#M211415 <P>Hello&nbsp;<SPAN>Giuseppe,</SPAN></P><P>Thank you for the valuable information, however I was actually looking more towards the following article which I have finally found, than an overview on how search queries were actually run in a distributed enviroment:</P><P><A href="https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Search/Typesofcommands" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Search/Typesofcommands</A></P><P>Apologies for the misunderstanding,</P><P>Regards,</P> Wed, 03 Aug 2022 09:01:25 GMT https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608041#M211415 NightShark 2022-08-03T09:01:25Z https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608043#M211417 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/239089">@NightShark</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 03 Aug 2022 09:06:39 GMT https://community.splunk.com/t5/Splunk-Search/How-SPL-queries-work-in-a-distributed-environment/m-p/608043#M211417 gcusello 2022-08-03T09:06:39Z