I installed HUNK to work with local hadoop cluster (hadoop 2.3.0 YARN). The following error happened when running search command "index=virtual_index_name". [smllog] Error while running external process, return_code=126. See search.log for more info I checked the content of search.log and found no error. The following is something may be related. 11-19-2014 09:48:13.787 INFO UserManager - Done setting user context: NULL -> hadoop_user_name 11-19-2014 09:48:13.787 INFO UserManager - Unwound user context: hadoop_user_name -> NULL 11-19-2014 09:48:13.787 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='1416358093.13', username='hadoop_user_name') 11-19-2014 09:48:13.788 INFO UserManager - Unwound user context: hadoop_user_name -> NULL 11-19-2014 09:48:13.789 INFO ShutdownHandler - Shutting down splunkd 11-19-2014 09:48:13.789 INFO ShutdownHandler - shutting down level "ShutdownLevel_Begin" How could I found the detail of HUNK error? ... View more

I'm importing tab-delimited files formatted as the following. The space is tab. "field1 field2 field3 field4" The files are imported with command "splunk add oneshot " and parsed with the following definition in transforms.conf. DELIMS = "\t" FIELDS = "field_name1","field_name2","field_name3","field_name4" It works fine but for some line the value goes into wrong field name. It took me a lot of time to find the reason. I found that if a field ends with '\', it will be combined with its next field. For example, "field1 field2\ field3 field4" will be parsed as field_name1=field1 field_name2=field2\ field3 field_name3=field4 field_name4= If I remove all ending '\' it will work fine. But I have to import the original data as is. Is there any way to import field end with '\'? ... View more