Solved: Is it possible to saved data returned from a virtu...

aaron_harris · ‎06-06-2016

Is it possible to save data returned from a virtual index into another virtual index using the collect command in Splunk?

Currently, if I set up a new Virtual Index to point to a blank area in HDFS with read/write permissions and use this as the target of a search with the collect statement such as index=syslog date_hour=12 | collect index=collect_test, no data is written to the virtual index when I search just this virtual index.

The above works when using a physical index as the target of the collect command, but not when using a virtual index.

rdagan_splunk · ‎06-06-2016

Writing to HDFS using the Collect command and Virtual Indexing will not work. However, you can use the Collect command to write to a normal Splunk summary index and then use the Hadoop Connect App to Export the data back to HDFS.

View solution in original post

rdagan_splunk · ‎06-06-2016

Writing to HDFS using the Collect command and Virtual Indexing will not work. However, you can use the Collect command to write to a normal Splunk summary index and then use the Hadoop Connect App to Export the data back to HDFS.

Is it possible to saved data returned from a virtual index into another virtual index using the collect command?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation