https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343151#M41454 <P>Hi BUrch,</P> <P>The goal is to move the data from Splunk to Hadoop/S3 for longer data retention. Currently we store data in Splunk only for two months.<BR /> We want to send data to Hadoop and the analytics team wants to further analyse this HIVE , etc<BR /> I understand<BR /> 1) We can simply forward data to another system as it arrives at Splunk <BR /> or<BR /> 2) we can export data after it has been cooked by Splunk.<BR /> However not sure how to achieve first part.<BR /> Hadoop connect allows data export to Hadoop but it doesnt seem to be supported in a clustered architecture. Thus looking out for options.</P> <P>I believe Hadoop Data Roll is used when I want to use Splunk again for archived data analytics, which is not needed for us. This archived index will follow the same two month retention period right? -- Please correct me if Im wrong.</P> Fri, 22 Sep 2017 12:20:41 GMT saranya_fmr 2017-09-22T12:20:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343149#M41452 <P>Goal is to set export Data from Splunk Indexes to Hadoop.</P> <P>We have a clustered Search head cluster. The doc doesn't mention about deploying the Splunk Hadoop Connector app in a cluster.</P> <P>The below page says its not supported in a clustered SH.<BR /> <A href="https://answers.splunk.com/answers/368847/is-hadoop-connect-supported-in-a-splunk-search-hea.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev">https://answers.splunk.com/answers/368847/is-hadoop-connect-supported-in-a-splunk-search-hea.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev</A></P> <P>So my Question is:</P> <OL> <LI>Is it supported in a Search Head Cluster? If no , what are the other options to send Splunk Index data into Hadoop ?</LI> </OL> Wed, 20 Sep 2017 10:19:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343149#M41452 saranya_fmr 2017-09-20T10:19:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343150#M41453 <P>If you want to get data export to indexers, how about <A href="http://docs.splunk.com/Documentation/Splunk/latest/Indexer/ArchivingindexestoHadoop">Hadoop Data Roll</A>?</P> <P>Brief answer cause I wasn't positive why and the specifics about getting the data to Hadoop. Knowing more about that would help provide alternative solutions for this. Cool?</P> Wed, 20 Sep 2017 19:13:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343150#M41453 sloshburch 2017-09-20T19:13:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343151#M41454 <P>Hi BUrch,</P> <P>The goal is to move the data from Splunk to Hadoop/S3 for longer data retention. Currently we store data in Splunk only for two months.<BR /> We want to send data to Hadoop and the analytics team wants to further analyse this HIVE , etc<BR /> I understand<BR /> 1) We can simply forward data to another system as it arrives at Splunk <BR /> or<BR /> 2) we can export data after it has been cooked by Splunk.<BR /> However not sure how to achieve first part.<BR /> Hadoop connect allows data export to Hadoop but it doesnt seem to be supported in a clustered architecture. Thus looking out for options.</P> <P>I believe Hadoop Data Roll is used when I want to use Splunk again for archived data analytics, which is not needed for us. This archived index will follow the same two month retention period right? -- Please correct me if Im wrong.</P> Fri, 22 Sep 2017 12:20:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343151#M41454 saranya_fmr 2017-09-22T12:20:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343152#M41455 <P>Thanks for the extra detail. It sounds like Hadoop Data Roll is exactly what you want. It's the ideal way to roll data from Splunk to Hadoop. Yes it will allow you to search it still but you don't have to do that AND it will have DIFFERENT retention than the index did in Splunk. Read through the documentation and I'm confident you'll agree that it's 100% exactly what you want to use.</P> Fri, 22 Sep 2017 12:34:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343152#M41455 sloshburch 2017-09-22T12:34:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343153#M41456 <P>Thakyou for the notes. I will go through the documentation and get back incase of further queries.</P> Fri, 22 Sep 2017 13:51:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343153#M41456 saranya_fmr 2017-09-22T13:51:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343154#M41457 <P>Hi @SloshBurch ,</P> <P>I did go through the documentation and had few queries - I have posted these queries at the below link as well:</P> <P><A href="https://answers.splunk.com/answers/577310/difference-between-data-format-for-the-data-sent-t.html?minQuestionBodyLength=80">https://answers.splunk.com/answers/577310/difference-between-data-format-for-the-data-sent-t.html?minQuestionBodyLength=80</A></P> <OL> <LI>Firstly what is the difference between the data format of data that is sent via Hadoop Connect Export and Hadoop Data Roll? I believe Hadoop Connect exports search results and Hadoop Data Roll send the raw data journal.gz</LI> <LI><P>Can I use Hadoop Techniques like Hive, Pig..etc for analytics on the archived data sent to Hadoop via <STRONG>Hadoop Data Roll</STRONG>?<BR /> AND<BR /> Can I use Hadoop Techniques like Hive, Pig..etc for analytics on the archived data sent to Hadoop via <STRONG>Splunk Hadoop Connect Export</STRONG>?</P></LI> <LI><P>I came across Splunk Archive Bucket Reader - an additional app is required to analyze the archived data via Hadoop's applications like Pig , Hive , Spark.<BR /> Is this a mandatory app required If I want to analyse the Hadoop data?</P></LI> <LI><P>Is <STRONG>Splunk Analytics for Hadoop license</STRONG> license required for sending archived data to Hadoop?</P></LI> </OL> Tue, 26 Sep 2017 11:16:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343154#M41457 saranya_fmr 2017-09-26T11:16:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343155#M41458 <P>Thanks @saranya_fmr. I was at .conf2017 and then another work trip hence the delayed response. I will respond in the new thread you created. Thanks for starting that.</P> <P>Also, if we answered your initial question, please make sure to accept that answer so others know if its worth exploring this thread or not.</P> Fri, 06 Oct 2017 21:45:12 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-Splunk-Hadoop-Connect-app-supported-in-a-clustered-Search/m-p/343155#M41458 sloshburch 2017-10-06T21:45:12Z