
How to simulate flow data like real-time search for Hunk?

Contributor

Hi, I know that Hunk doesn't support real-time searching for Hadoop data.

What can I do if I want to refresh or restart a search in the background and print the result on a dashboard like a real-time search?
It's just to simulate reading flow data like a real-time search, just for watching the result on a dashboard without a complex request.

I think it's possible to use cron to reload the search request, but the problem is the time between the end of the search request and the next reloading.

thx


Re: How to simulate flow data like real-time search for Hunk?

Splunk Employee

You are right, since Hunk does not support real-time, you will have a gap between the end of the search and the start of the next search.


Re: How to simulate flow data like real-time search for Hunk?

Contributor

But what can I do to simulate searching like real time?


Re: How to simulate flow data like real-time search for Hunk?

Splunk Employee

You can save a Hunk search as a report, and schedule it to run with any frequency you like. However, you still won't be doing a true real-time search, for a couple reasons. One is that processes which write data to HDFS usually have some latency, i.e. the data does not show up quickly enough to be considered "real-time". Secondly, map-reduce jobs are typically high throughput but high latency, so the job itself may introduce a large delay. Also, please consider that if you schedule a search to be very frequent, it may take up considerable resources that will then not be available for other activity on your cluster. You should consider instead using Report Acceleration:
https://docs.splunk.com/Documentation/Hunk/6.4.3/Hunk/Workwithreportacceleration

If you truly need real-time searches, consider first ingesting your data into a regular Splunk index, and then archiving the data to HDFS:
http://docs.splunk.com/Documentation/Hunk/6.4.3/Hunk/ArchivingSplunkindexes
