In your provider-family stanza, could you try adding this parameter (as specified in https://www.cloudera.com/documentation/enterprise/5-5-x/topics/cdh_sg_hbase_authentication.html) [provider-family:hbase_family] vix.mode = stream vix.command = java vix.command.arg.1 = -Xmx512m vix.command.arg.2 = -classpath vix.command.arg.3 = $SPLUNK_HOME/bin/jars/SplunkMR-h1.jar:$SPLUNK_HOME/etc/apps/${project.artifactId}/bin/${project.artifactId}-${project.version}.jar:$SPLUNK_HOME/etc/apps/${project.artifactId}/bin/lib/* vix.command.arg.4 = -Djava.security.auth.login.config=/etc/hbase/conf/zk-jaas.conf vix.command.arg.5 = com.splunk.erp.hbase.HBaseERP where /etc/hbase/conf/zk-jaas.conf contains the following: Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true useTicketCache=false keyTab="/etc/hbase/conf/hbase.keytab" principal="hbase/fully.qualified.domain.name@<YOUR-REALM>"; }; ... View more

Sorry I meant indexes.conf (that should contain your HBase connection settings) ... View more

Hi, Could you share your inputs.conf? Also, does your secure cluster look like this: http://www.cloudera.com/documentation/enterprise/5-5-x/topics/cdh_sg_hbase_authentication.html Thanks, Julien ... View more

Yes this should work. Here is a link to the HBase version compatibility matrix: https://hbase.apache.org/book.html#hbase.versioning The line of interest here is the "Client-Server wire Compatibility", which indicates that a 1.1.2 client (the Hunk App for HBase) can talk to a 1.1.1.2 server. ... View more

Yes a tutorial video is in the works and should be available very soon. In the mean time, would you be able to share your search.log ? ... View more

You could probably go with the stats command as the answer above explains, but for this kind of things I like to use the transaction command. Try something like this: transaction DeviceName maxevents=2 startswith=(DeviceValue=100) endswith=(DeviceValue=0) | stats sum(duration) as TotalTimeHome ... View more