To store the processed results we normally recommend Hunk Report Acceleration. This option stores the results back into HDFS and keeps them fresh all the time.
http://docs.splunk.com/Documentation/Hunk/latest/Hunk/Workwithreportacceleration
However, if you want to use an RDBMS or NoSQL to store the results, you will need to use Hunk with the DB Connect App -> DBOutput command.
http://docs.splunk.com/Documentation/DBX/1.1.6/DeployDBX/Commands#dboutput
... View more
Assuming you want to connect to Hadoop, Hunk with Kerberos is supported.
http://docs.splunk.com/Documentation/Hunk/6.2.1/Hunk/ConfigureKerberosauthentication
... View more
I took this JSON file = Hunkdata.json
Before Splunk Indexing:
671 MB
After Splunk Indexing (raw data + Index data):
463 MB = About 70% of original file
After Archiving it into HDFS (raw data + few metadata files):
157 MB = About 33% of Splunk indexer
... View more
If you use the Hadoop Connect app you might be able to get a picture of how much space the raw data uses. Hadoop Connect includes the hdfs command, so you can use | hdfs lsr to calculate the space files are consuming in HDFS.
In this blog: http://blogs.splunk.com/2012/12/20/connecting-splunk-and-hadoop/ the last example might give you a guideline on how to create such a search.
... View more
It looks like you will first need to set up the MongoDB Client PEM based on these steps:
http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/
Then from a Hunk configuration point of view add these two flags:
vix.mongodb.auth.mechanism = X509
vix.mongodb.auth.username = [username]
MongoDB allows you to specify 4 types of authentication mechanism, namely Plain, Kerberos, CR (Challenge-Response) and X509, for verifying user and database access.
... View more
You may be seeing the same memory issues we saw with this earlier version of Hortonworks sandbox:
http://answers.splunk.com/answers/113972/issue-with-hortonworks-yarn-sandbox-hdp-2-and-hunk.html
... View more
Have you tried Hunk with a direct connection to Hive?
Similar to this configuration here: http://docs.splunk.com/Documentation/Hunk/latest/Hunk/ConfigureHivepreprocessor
... View more
If you have access to the Metastore URI, it should look similar to this example
In the Provider add these two flags:
vix.splunk.search.splitter = HiveSplitGenerator
vix.hive.metastore.uris = thrift://sandbox:9083 (you can find the value in hive-site.xml)
In the Virtual Index you will need to point to the actual ORC file, DB Name, Table Name:
[employee_orc]
vix.input.1.path = /apps/hive/warehouse/employees_orc
vix.provider = HiveHDPProvider
vix.input.1.splitter.hive.dbname = default
vix.input.1.splitter.hive.tablename = employees_rc
... View more
In addition to the above I also tried to rename the App directory, and that seems to work.
1) Extract the hunk-app-for-mongodb_104.zip into /hunk/etc/apps
The full path should look like this /hunk/etc/apps/hunk-app-for-mongodb_104
2) Run the command: mv /hunk/etc/apps/hunk-app-for-mongodb_104 /hunk/etc/apps/MongoDBApp
3) Restart Hunk: /hunk/bin/splunk restart
... View more
The name of the dashboard should be Documentation. However, if you cannot find it from within the UI, try and find the file Documentation.xml from the command line.
/hunk-app-for-mongodb_104/default/data/ui/views/Documentation.xml
If you modify that file from the command line, you may need to restart Hunk.
... View more
1) Extract the hunk-app-for-mongodb_104.zip into /hunk/etc/apps
The full path should look like this /hunk/etc/apps/hunk-app-for-mongodb_104
2) Restart Hunk: /hunk/bin/splunk restart
3) From within the Hunk UI go to Settings » User interface » Views
Change the App context to MongoDB App
Select the Documentation dashboard
Modify the iframe path and save the dashboard
Before:
iframe src="/static/app/MongoDBApp/MongoDBApp.html"
After:
iframe src="/static/app/hunk-app-for-mongodb_104/MongoDBApp.html"
... View more
After downloading the Hunk MongoDB App we see two issues:
First, the App is a .zip file (not .tgz), which can't be uploaded in the Splunk web interface.
Second, we see an error: The path '/en-US/en-US/app/hunk-app-for-mongodb_104/appserver/static/MongoDBApp.html' was not found
... View more
A part of the Splunk Enterprise Security app requires real-time searches. Hunk does not support that mode of search. Therefore, this App is currently not supported on Hunk.
However, you can use Hunk to bring in HDFS data that can help as part of a larger security use case.
... View more
Currently, naming the Hunk VIX with the same name as a Splunk Index is not allowed.
There are a few options that will allow you to combine these two data sets. For example, you can create a Search that looks like index=splunk_xyz OR index=hunk_xyz. Another option is to create a single dashboard that includes some panels from Splunk and some from Hunk.
... View more
Hadoop Home = Yes. Change it to your actual Hadoop Home on the client (Hunk Node)
Working Dir = Yes. Change it to something like /user/
Job Queue = No. The default is good enough unless you have a Multi User environment in Hadoop
... View more
Hunk supports the following schema options: Hive schema, structured files (Parquet, JSON, Avro, ORC, RC, Seq, TSV, CSV, etc.), and many different types of log files (just call one of the known sourcetypes).
... View more
When you download Hunk you will get all of the Splunk software + a few jars under /hunk/bin/jars (basically Hunk is a Splunk search head + the ability to connect to Hadoop). Also, you will get a temp Hunk license that will enable you to see the link to the virtual index (under Settings).
Assuming that after the install you applied your existing Splunk Enterprise license, and that you are able to see all of your indexes under 'Settings -> Indexes' + Configure distributed search, that part should be the same as any other Splunk search head.
... View more
It looks like your description is correct. You can find the side by side in this PDF file: http://www.splunk.com/web_assets/pdfs/secure/Hunk_Product_Data_Sheet.pdf
... View more
Try this option: in props.conf, use source:: with the HDFS location:
Go to /hunk/etc/apps/search/local -> Create props.conf
[source::/user/xyz/ciscologfiles/...]
sourcetype = cisco_syslog
[source::/user/xyz/iislogfiles/...]
sourcetype = iis
... View more
Hunk converts the search into a Hadoop MR job. With virtual indexes, Hunk can access a subset of the data. Hunk leverages the MapReduce framework to execute report-generating searches and indexing on Hadoop nodes. Data does not need to be pre-processed before it is accessed because Hunk lets you run analytics searches against the data where it rests in Hadoop. In addition, Data Preview for Exploration is done by allowing Hunk to look at a subset of the data after each phase of the MR job.
... View more
"Error running external process" normally means Hunk cannot find your Hadoop or Java processes.
So if your Hadoop process is '/usr/bin/hadoop', in the Hunk configuration you will need to put '/usr' (Hunk will add /bin/hadoop).
... View more
I suspect that "Cannot consume data with unset stream_type" means that you either have a wrong value for the DB (activity) or a wrong value for the Collection (event).
Can you validate that you can:
Open a MongoDB shell -> type 'use activity' -> type 'db.event.find()'
... View more