Thanks. Couldn't find that via Mr. Google....
So, next stupid question - the doc doesn't indicate that Hunk is required to search this data after it's archived. Is that accurate? I can query my data in Hadoop without requiring Hunk?
I think that is accurate.
You can search archived buckets as you normally search, simply include the archive virtual index in your searches. See Search archived index data (http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Archivesearchtips) for information about search commands that work with indexes stored in Hadoop.
You can, for example, create one search that searches Splunk for:
Data in a Splunk Enterprise index.
Archived data copied into HDFS or S3.
Yeah... you have paid for the data to be indexed in Splunk Enterprise...
You don't have to pay for the archived data again.
If you ingest data directly into HDFS (e.g. using Flume), you haven't paid in Splunk land... you'll need a license for Splunk Analytics for Hadoop, formerly known as Hunk :-).
Does it make sense?