Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does Hunk support SPL?

mohitab
Path Finder
‎04-07-2015 05:21 AM

This could be a premature question and a bit hypothetical too.

I have a visual analytics based webapp based on Splunk Enterprise 6 which hosts small csv data of a few MB. The visualizations are produced by querying and processing data which is a bit complex. The use case my project has no real intention of using data records as events. My queries are not designed to run on 'recent' data. All data is used.

I was wondering if I could port my data to Hunk and use the same queries. Does Hunk support SPL completely? Does all SPL commands gets spawned into map/reduce tasks?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎04-07-2015 03:48 PM

From: http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/Searchavirtualindex

Since events are not sorted, any search command which depends on implicit time order will not work exactly the way you'd expect. (For example: head, delta, or transaction.) This means that a few search commands operate differently when used on virtual indexes, mostly because of the way Hadoop reports timestamps. You can still use these commands, and may particularly want to when creating a single report for local and virtual indexes, but you should be aware of how they operate and return data differently.

So the answer is, kind of. All your searches may not work as you'd expect, but most of them work just as you'd expect by spawning efficient map/reduce jobs.

View solution in original post

Reply
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎04-07-2015 03:48 PM

From: http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/Searchavirtualindex

Since events are not sorted, any search command which depends on implicit time order will not work exactly the way you'd expect. (For example: head, delta, or transaction.) This means that a few search commands operate differently when used on virtual indexes, mostly because of the way Hadoop reports timestamps. You can still use these commands, and may particularly want to when creating a single report for local and virtual indexes, but you should be aware of how they operate and return data differently.

So the answer is, kind of. All your searches may not work as you'd expect, but most of them work just as you'd expect by spawning efficient map/reduce jobs.

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎04-07-2015 01:39 PM

yes, Hunk supports SPL. there's a lot of good documentation for this here:

http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/MeetHunk

i recommend you try out the tutorial:
http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunktutorial/Tutorialoverview

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...