Solved: Hunk: Searching two different virtual indexes usin...

burwell · ‎05-20-2017

In regular Splunk I can easily search for

index=index1 OR index=index2 <search term> | stats count by index

Then I get results from either index.

When I setup a virtual index in Hunk 6.5.3 searching ORC files and I do a similar query I seem to only get results from one index.
Is there something inherently different in the way Hunk searches that this wouldn't work?

rdagan_splunk · ‎05-20-2017

It should work in Hunk.
Can I assume that these two queries work without a problem?
index=index1 a=term | stats count by index
index=index2 a=term | stats count by index
but this one does not?
index=index1 OR index=index2 a=term | stats count by index

View solution in original post

rdagan_splunk · ‎05-20-2017

It should work in Hunk.
Can I assume that these two queries work without a problem?
index=index1 a=term | stats count by index
index=index2 a=term | stats count by index
but this one does not?
index=index1 OR index=index2 a=term | stats count by index

burwell · ‎05-22-2017

Hi Raanan. Your query above is exactly what I was experimenting with.

So I did some more experiments.

If my virtual indexes points to 2 Hive databases, then the query with OR works fine. I get results from two different indexes.
If my virtual indexes point to 2 ORC files, I can only get the results for one.

I will file a support ticket. Thanks for confirming the expected results.

Hunk: Searching two different virtual indexes using OR: should work?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?