Add or edit a virtual index in Splunk Web
Splunk Analytics for Hadoop reaches End of Life on January 31, 2025.
You can also add HDFS providers and virtual indexes by editing the configuration file. See Set up a virtual index in the configuration file for instructions.
1. Select Settings > Virtual Indexes.
2. Click the Virtual Indexes tab and click New Virtual Index or click the name of the index you want to edit. The New/Edit Virtual Index page appears.
3. In the Name field, provide a name for your virtual index.
4. Select a Provider. To add a new provider, see Add an HDFS provider.
5. Provide the following path information:
- Path to data in HDFS: The path to the data that Splunk Analytics for Hadoop accesses and reports on. For example:
/home/data/apache/logs/
- Recursively process the directory: Check this to include the contents of subdirectories recursively.
- Whitelist: Provide a regex that matches the file path. Regular expressions are matched against the full path and determine which files are included in or excluded from the virtual index. A common use case is to ignore temporary files or files that are currently being written to. Keep in mind that ignore takes precedence over accept. For example:
\.gz$
6. Check Customize timestamp format to open the controls that allow you to customize how data is collected based on timestamp information. Use simple date format to optionally customize the following:
- Time capturing Regex: Provide a regex that determines the earliest date/time that will be collected and processed based on timestamp. For example:
/home/data/(\d+)/(\d+)/
- Time Format: For the earliest time above, provide a time format that describes how to interpret the extracted time string. For example:
yyyyMMddHH
- Time Adjustment: Amount of time, in seconds, to add to the earliest time. Example (+7hrs): 25200
- Time Range: Provide a time range for which the index should collect data.
- Time Zone: Select your time zone.
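A dry run of the path filter and timestamp settings above, as an added example that is not part of the Splunk documentation: it applies the page's example Whitelist, Time capturing Regex, Time Format and Time Adjustment to a few paths so you can see which files would be in scope and what earliest time each yields. The ignore pattern, the sample paths, the concatenation of capture groups in order, and the use of Python's regex engine in place of Splunk's are assumptions.

```python
import re
from datetime import datetime, timedelta

# Values from the examples on this page.
ACCEPT = re.compile(r"\.gz$")                        # Whitelist
TIME_REGEX = re.compile(r"/home/data/(\d+)/(\d+)/")  # Time capturing Regex
TIME_FORMAT = "yyyyMMddHH"                           # Time Format
TIME_ADJUSTMENT = 25200                              # Time Adjustment (+7hrs)
# Assumption: an ignore pattern for in-progress files (not from the page).
IGNORE = re.compile(r"\.tmp$|/_temporary/")

# Minimal simple-date-format to strptime translation (only these tokens).
TOKENS = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
          ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

def to_strptime(fmt):
    for java, py in TOKENS:
        fmt = fmt.replace(java, py)
    return fmt

def classify(path):
    """Return (status, earliest_time); earliest_time is None unless status is 'ok'."""
    if IGNORE.search(path):            # ignore takes precedence over accept
        return "ignored", None
    if not ACCEPT.search(path):
        return "not accepted", None
    m = TIME_REGEX.search(path)
    if not m:
        return "no time in path", None
    stamp = "".join(m.groups())        # assumption: groups concatenated in order
    try:
        earliest = datetime.strptime(stamp, to_strptime(TIME_FORMAT))
    except ValueError:                 # layout does not fit the Time Format
        return "time format mismatch", None
    # Time Zone selection is not modelled; the result is a naive datetime.
    return "ok", earliest + timedelta(seconds=TIME_ADJUSTMENT)

SAMPLES = [  # constructed sample paths
    "/home/data/20130101/01/access.log.gz",
    "/home/data/20130101/01/access.log",
    "/home/data/20130101/02/_temporary/part-0.gz",
    "/home/data/archive/old.gz",
    "/home/data/2013/01/access.log.gz",
]

if __name__ == "__main__":
    for p in SAMPLES:
        status, t = classify(p)
        print(f"{status:22} {t.isoformat() if t else '-':20} {p}")
```

Paths reported as "time format mismatch" or "no time in path" are worth reviewing before saving the index, since they show a directory layout the timestamp settings do not describe.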
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1