Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hive partitions and timepicker

pierre_corbel
Engager
‎09-02-2016 01:16 AM

Hello,

I got a partitionned Hive table by field dt (in the YYYYMMDD format)

Example :

/mywarehouse/my.db/foo/dt=20160207/part-m-00000

I got a Hunk Index on top of that :

[foo]
vix.provider = my_hive_provider
vix.input.1.path = /mywarehouse/my.db/foo/...
vix.input.1.splitter.hive.dbname = my
vix.input.1.splitter.hive.tablename = foo
vix.input.1.splitter.hive.fileformat = orc

The problem is, when I select a date from the timepicker, I would like Hunk to go directly to the dt partition (because now it makes a full scan of the DB)

I try to modify the following:

vix.input.1.path = /mywarehouse/my.db/foo/${dt}/...

and to add in props.conf :

[foo]
TIME_PREFIX="dt":
TIME_FORMAT = %Y%m%d

[source::.../mywarehouse/my.db/foo/*/*]
sourcetype = foo

But none of it matter...

Could someone lend me a hand on that?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pierre_corbel
Engager
‎09-05-2016 12:07 AM

I finally did like with HDFS Indexes, i.e. add in indexes.conf

vix.input.1.et.format = yyyyMMdd
vix.input.1.et.regex = /mywarehouse/my.db/foo/dt=(\d+)
vix.input.1.lt.format = yyyyMMdd
vix.input.1.lt.offset = 86400
vix.input.1.lt.regex = /mywarehouse/my.db/foo/dt=(\d+)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pierre_corbel
Engager
‎09-05-2016 12:07 AM

I finally did like with HDFS Indexes, i.e. add in indexes.conf

vix.input.1.et.format = yyyyMMdd
vix.input.1.et.regex = /mywarehouse/my.db/foo/dt=(\d+)
vix.input.1.lt.format = yyyyMMdd
vix.input.1.lt.offset = 86400
vix.input.1.lt.regex = /mywarehouse/my.db/foo/dt=(\d+)

0 Karma
Reply
Solved! Jump to solution

rdagan_splunk
Splunk Employee
Splunk Employee
‎09-02-2016 07:54 AM

Instead of vix.input.1.path = /mywarehouse/my.db/foo/${dt}/...
try
In the VIX UI, select the option to customize timestamp format
See this document: http://docs.splunk.com/Documentation/Hunk/latest/Hunk/Addavirtualindex

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...