How to search multiple virtual indexes with Splunk...

EricLloyd79 · ‎01-29-2018

Hello, we currently have two virtual indexes with data in them retrieving data from Hadoop Distributed File System.
We want to run one query to search over both indexes.
I hoped that:
index=abc OR index=xyz "keyword"
would work correctly but it only returns values from index=abc.
Anyone got any idea on how to search multiple indexes?

rdagan_splunk · ‎01-29-2018

I just tried it without any issues.
I tried both index=xyz OR index=abc somekeyword as well as (index=abc somekey=somevalue) OR (index="xyz" somekey=somevalue)

EricLloyd79 · ‎01-29-2018

Weird, I wonder why my version isn't working. thanks.

burwell · ‎02-01-2018

Hi Eric. What version of Splunk are you running?

So I saw a similar issue: https://answers.splunk.com/answers/536338/hunk-searching-two-different-virtual-indexes-using.html

I've upgraded all our Splunk instances to Splunk 6.6 and I cannot reproduce this error.

somesoni2 · ‎01-29-2018

Does the index=xyz "keyword" returns result when run separately?

EricLloyd79 · ‎01-29-2018

Yes each one returns individual results.

How to search multiple virtual indexes with Splunk Analytics for Hadoop?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation