Splunk Search

Hunk: Searching two different virtual indexes using OR: should work?

burwell
SplunkTrust
SplunkTrust

In regular Splunk I can easily search for

index=index1 OR index=index2 <search term> | stats count by index

Then I get results from either index.

When I setup a virtual index in Hunk 6.5.3 searching ORC files and I do a similar query I seem to only get results from one index.
Is there something inherently different in the way Hunk searches that this wouldn't work?

Tags (1)
1 Solution

rdagan_splunk
Splunk Employee
Splunk Employee

It should work in Hunk.
Can I assume that these two queries work without a problem?
index=index1 a=term | stats count by index
index=index2 a=term | stats count by index
but this one does not?
index=index1 OR index=index2 a=term | stats count by index

View solution in original post

rdagan_splunk
Splunk Employee
Splunk Employee

It should work in Hunk.
Can I assume that these two queries work without a problem?
index=index1 a=term | stats count by index
index=index2 a=term | stats count by index
but this one does not?
index=index1 OR index=index2 a=term | stats count by index

burwell
SplunkTrust
SplunkTrust

Hi Raanan. Your query above is exactly what I was experimenting with.

So I did some more experiments.

  1. If my virtual indexes points to 2 Hive databases, then the query with OR works fine. I get results from two different indexes.
  2. If my virtual indexes point to 2 ORC files, I can only get the results for one.

I will file a support ticket. Thanks for confirming the expected results.

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...