Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Hunk support SPL?

mohitab
Path Finder
‎04-07-2015 05:21 AM

This could be a premature question and a bit hypothetical too.

I have a visual analytics based webapp based on Splunk Enterprise 6 which hosts small csv data of a few MB. The visualizations are produced by querying and processing data which is a bit complex. The use case my project has no real intention of using data records as events. My queries are not designed to run on 'recent' data. All data is used.

I was wondering if I could port my data to Hunk and use the same queries. Does Hunk support SPL completely? Does all SPL commands gets spawned into map/reduce tasks?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎04-07-2015 03:48 PM

From: http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/Searchavirtualindex

Since events are not sorted, any search command which depends on implicit time order will not work exactly the way you'd expect. (For example: head, delta, or transaction.) This means that a few search commands operate differently when used on virtual indexes, mostly because of the way Hadoop reports timestamps. You can still use these commands, and may particularly want to when creating a single report for local and virtual indexes, but you should be aware of how they operate and return data differently.

So the answer is, kind of. All your searches may not work as you'd expect, but most of them work just as you'd expect by spawning efficient map/reduce jobs.

View solution in original post

Reply
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎04-07-2015 03:48 PM

From: http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/Searchavirtualindex

Since events are not sorted, any search command which depends on implicit time order will not work exactly the way you'd expect. (For example: head, delta, or transaction.) This means that a few search commands operate differently when used on virtual indexes, mostly because of the way Hadoop reports timestamps. You can still use these commands, and may particularly want to when creating a single report for local and virtual indexes, but you should be aware of how they operate and return data differently.

So the answer is, kind of. All your searches may not work as you'd expect, but most of them work just as you'd expect by spawning efficient map/reduce jobs.

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎04-07-2015 01:39 PM

yes, Hunk supports SPL. there's a lot of good documentation for this here:

http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/MeetHunk

i recommend you try out the tutorial:
http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunktutorial/Tutorialoverview

Reply
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...