Q. Can you search Splunk indexes and Hadoop in the same query?
A. Yes! Install Hunk and add two licenses: one for Hunk and one for Splunk Enterprise.
Q. Are all the new Splunk Enterprise 6.1 reporting tools and functions available when searching Hadoop?
A. Yes, with a few exceptions. A few commands (transaction and localize) that rely on event time order do not work. For information about search command behavior specific to Hunk, see Search a virtual index.
Q. What is the overhead on the Hadoop infrastructure to deploy from Hunk?
A. Minimal! You need enough local disk space to hold the Hunk deployment and its temporary disk usage. 5GB of local storage more than meets these needs. Hunk executes processes on Hadoop only as part of the MapReduce job and leaves no running processes.
Q. What happens to the virtual index after a report is complete?
A. Nothing. The virtual index waits, retaining the settings and information as you configured it, ready for the next report you run.
Q. Does summary indexing work with Hunk?
A. Yes, traditional summary indexing and tscollect are supported in Hunk.
Q. Is there a limit to the number of results that can be returned from an HDFS directory?
Q. How does this affect ingest rates for licensing purposes?
A. It doesn't. Hunk processes data that is already in Hadoop, so you are not processing data in Splunk. Hunk pricing is not based on data the way it is in Splunk Enterprise. For more information about pricing and licensing, see your sales representative.
Q. Where does the reduce phase/function execute?
A. In the search head.
Q. Which Hadoop distributions work with Hunk?
A. All Apache Hadoop-based distributions, including Amazon Web Services Elastic MapReduce, Cloudera, Hortonworks and IBM, as well as MapR. For information about system requirements for Hunk, see System and software requirements.
Q. Do you need a Splunk Enterprise license to run Hunk?
A. Hunk is a separate product and has its own license. You'll need a Splunk Enterprise license only to run searches against Splunk Enterprise indexers.
Q. I'd like to try Hunk out. How can I get a copy to play with?
A. Hunk downloads come with a "Trial" license, which lets you use Hunk features for 60 days. After that, if you still want to use it, contact a sales representative and purchase the full license.
Q. Why would I move data from Hadoop to Splunk Enterprise?
A. Most likely, you would not. Moving data is an expensive proposition, which is why we developed Hunk. The only reason you might move data in an HDFS directory into a local Splunk Enterprise index is if you need to do needle-in-haystack type searches.
Q. Can you analyze data when some data is in Splunk Enterprise and some in Hadoop?
A. Yes. You can analyze and correlate data that resides in different Hadoop clusters. You need both licenses: Hunk and Splunk Enterprise.
Q. Can I configure a Splunk Enterprise search head to connect to Hadoop/Hunk?
A. No. You need a license/build for Hunk and a search head configured to work with virtual indexes.
This documentation applies to the following versions of Hunk®(Legacy): 6.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11