Hello Splunkers,
I was wondering if there is a Splunk documentation or an article about how certain search commands behave in a distributed environment. (i.e. mainly the usage of Join, Stats, Lookup, Sub Searches, Map, Transaction, Tstats etc.)
Descriptions could include about which Splunk node the command first runs, if it goes back and forth between Search Head and Indexer for example or does it only run in one of either. I know how these commands shape and filter certain logs, I just have not fully grasped how Commands are run in the background.
All help and comments are appreciated,
Thanks,
Regards,
... View more