Solved: Is it possible to saved data returned from a virtu...

aaron_harris · ‎06-06-2016

Is it possible to save data returned from a virtual index into another virtual index using the collect command in Splunk?

Currently, if I set up a new Virtual Index to point to a blank area in HDFS with read/write permissions and use this as the target of a search with the collect statement such as index=syslog date_hour=12 | collect index=collect_test, no data is written to the virtual index when I search just this virtual index.

The above works when using a physical index as the target of the collect command, but not when using a virtual index.

rdagan_splunk · ‎06-06-2016

Writing to HDFS using the Collect command and Virtual Indexing will not work. However, you can use the Collect command to write to a normal Splunk summary index and then use the Hadoop Connect App to Export the data back to HDFS.

View solution in original post

rdagan_splunk · ‎06-06-2016

Writing to HDFS using the Collect command and Virtual Indexing will not work. However, you can use the Collect command to write to a normal Splunk summary index and then use the Hadoop Connect App to Export the data back to HDFS.

Is it possible to saved data returned from a virtual index into another virtual index using the collect command?

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All