Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Hunk support SPL?

mohitab
Path Finder
‎04-07-2015 05:21 AM

This could be a premature question and a bit hypothetical too.

I have a visual analytics based webapp based on Splunk Enterprise 6 which hosts small csv data of a few MB. The visualizations are produced by querying and processing data which is a bit complex. The use case my project has no real intention of using data records as events. My queries are not designed to run on 'recent' data. All data is used.

I was wondering if I could port my data to Hunk and use the same queries. Does Hunk support SPL completely? Does all SPL commands gets spawned into map/reduce tasks?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎04-07-2015 03:48 PM

From: http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/Searchavirtualindex

Since events are not sorted, any search command which depends on implicit time order will not work exactly the way you'd expect. (For example: head, delta, or transaction.) This means that a few search commands operate differently when used on virtual indexes, mostly because of the way Hadoop reports timestamps. You can still use these commands, and may particularly want to when creating a single report for local and virtual indexes, but you should be aware of how they operate and return data differently.

So the answer is, kind of. All your searches may not work as you'd expect, but most of them work just as you'd expect by spawning efficient map/reduce jobs.

View solution in original post

Reply
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎04-07-2015 03:48 PM

From: http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/Searchavirtualindex

Since events are not sorted, any search command which depends on implicit time order will not work exactly the way you'd expect. (For example: head, delta, or transaction.) This means that a few search commands operate differently when used on virtual indexes, mostly because of the way Hadoop reports timestamps. You can still use these commands, and may particularly want to when creating a single report for local and virtual indexes, but you should be aware of how they operate and return data differently.

So the answer is, kind of. All your searches may not work as you'd expect, but most of them work just as you'd expect by spawning efficient map/reduce jobs.

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎04-07-2015 01:39 PM

yes, Hunk supports SPL. there's a lot of good documentation for this here:

http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunk/MeetHunk

i recommend you try out the tutorial:
http://docs.splunk.com/Documentation/Hunk/6.2.2/Hunktutorial/Tutorialoverview

Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...