Splunk Search

In Hunk, verbose mode vs smart mode for VIX (virtual indexes) documentation, please?

haneoword
Explorer

In Hunk, where is the documentation for verbose mode vs smart mode for virtual indexes (VIX)s??

Afaict, verbose mode just "drops down to" HDFS and doesn't invoke a MapReduce Job.

Whereas as long as your search has "distributable search commands" (see link below) and can aggregate (e.g. timechart / chart / stats / etc), the map reduce job is invoked if and only if the search is executed in smart mode (not verbose mode).

However I cannot seem to find this in the documentation. Can someone confirm / deny this or better yet just point me to the rtfm link ?

Thanks!

Distributable vs NonDistributable Search commands
http://docs.splunk.com/Documentation/Hunk/latest/Hunk/distributableandnondistributablesearchcommands

Tags (2)
1 Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee

That is correct, in verbose mode Hunk does not start an MR job - the reason for that is that in verbose mode you're also interested in all the events as well as any report that you might be running and the benefits of MR in that case are minimal and in some cases negative.

Maybe you've already seen this, but you can find more info about the search modes and how they affect search in general here

Unless you're troubleshooting something, you should always leave the search mode in "smart mode" - I'm interested to see why you had to change it to verbose mode?

View solution in original post

Ledion_Bitincka
Splunk Employee
Splunk Employee

That is correct, in verbose mode Hunk does not start an MR job - the reason for that is that in verbose mode you're also interested in all the events as well as any report that you might be running and the benefits of MR in that case are minimal and in some cases negative.

Maybe you've already seen this, but you can find more info about the search modes and how they affect search in general here

Unless you're troubleshooting something, you should always leave the search mode in "smart mode" - I'm interested to see why you had to change it to verbose mode?

haneoword
Explorer

> Maybe you've already seen this, but you can find more info about the search modes and how they affect search in general here

That's splunk enterprise in general, but for hunk its slightly different. E.g. Verbose mode means "don't run mapreduce, ever", but I can't find that in the Hunk documentation anywhere.

0 Karma

haneoword
Explorer

Thanks Ledion, for the fast confirmation.

Since you asked, why was I even futz-ing with "verbose mode" to begin with?

That's a separate question. ;-).

A developer had defined/declared a field extraction that works at the "raw HDFS" level or when you don't have stats/chart/timechart in the search. But the moment we add stats/chart/timechart the field extraction 'stops working', unless:
- A) We are in Verbose Mode (which avoids map-reduce: sad trombone) , OR
- B) We specify the field extraction inline via | rex ... <---- preferred workaround

We plan to follow up on this as a separate issue with splunk support as it is unknown if this is related to Hunk or to a config issue / deployment issue on our side. @Ledion, if you prefer to address that here in answers, let me know and I'll start a separate question thread and reference that here.

Again thanks for your quick response!

0 Karma

Ledion_Bitincka
Splunk Employee
Splunk Employee

Please do ask a separate question here, as what you describe is supposed to work no matter what the search mode is - ie we should always extract the required (referenced in the search) fields. Please remember to include details about how the field extraction is defined (props/transforms.conf)

0 Karma

haneoword
Explorer
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...