In regular Splunk I can easily search for
index=index1 OR index=index2 <search term> | stats count by index
Then I get results from either index.
When I set up a virtual index in Hunk 6.5.3 searching ORC files and I do a similar query, I seem to only get results from one index.
Is there something inherently different in the way Hunk searches that this wouldn't work?
It should work in Hunk.
Can I assume that these two queries work without a problem?
index=index1 a=term | stats count by index
index=index2 a=term | stats count by index
but this one does not?
index=index1 OR index=index2 a=term | stats count by index
Hi Raanan. Your query above is exactly what I was experimenting with.
So I did some more experiments.
- If my virtual indexes point to 2 Hive databases, then the query with OR works fine. I get results from two different indexes.
- If my virtual indexes point to 2 ORC files, I can only get the results for one.
I will file a support ticket. Thanks for confirming the expected results.