Add or edit a virtual index in Splunk Web
You can also add HDFS providers and virtual indexes by editing the configuration file. See Set up a virtual index in the configuration file for instructions.
1. Select Settings > Virtual Indexes.
2. Click the Virtual Indexes tab and click New Virtual Index or click the name of the index you want to edit. The New/Edit Virtual Index page appears.
3. In the Name field, provide a name for your virtual index.
4. Select a Provider. To add a new provider, see Add an HDFS provider.
5. Provide the following path information:
- Path to data in HDFS: This is the path to the data that Splunk Analytics for Hadoop will be accessing and reporting on. For example:
- Recursively process the directory: Check this if you want to include the content of subdirectories.
- Whitelist: Provide a regex that matches the file path. You can specify regular expressions that include or exclude files, based on the full path, from the virtual index. A common use case is to ignore temporary files or files that are currently being written to. Keep in mind that ignore takes precedence over accept. For example:
6. Check Customize timestamp format to open the controls that allow you to customize how data is collected based on timestamp information. Use simple date format to optionally customize the following:
- Time capturing Regex: Provide a regex that determines the earliest date/time that will be collected and processed based on timestamp. For example:
- Time Format: For the earliest time above, provide a time format that describes how to interpret the extracted time string. For example:
- Time Adjustment: Amount of time, in seconds, to add to the earliest time. Example (+7hrs): 25200
- Time Range: Provide a time range for which the index should collect data.
- Time Zone: Select your time zone.
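One way to dry-run the path filter and timestamp settings against sample paths before saving the index. This is an added example, not Splunk code: the paths and regexes are constructed, the time format is written as Python strptime rather than simple date format, and it assumes regexes are searched anywhere in the full path, capture groups are concatenated into the time string, and the result is read as UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed settings for illustration; only the +7hrs adjustment
# (25200 seconds) is taken from the page.
ACCEPT = r"\.gz$"                                  # Whitelist regex
IGNORE = r"/_temporary/|\.tmp$"                    # ignore regex (temp / in-progress files)
TIME_REGEX = r"/weblogs/(\d{4})/(\d{2})/(\d{2})/"  # Time capturing Regex
TIME_FORMAT = "%Y%m%d"   # strptime stand-in for simple date format yyyyMMdd
TIME_ADJUST = 25200      # Time Adjustment, in seconds

def in_virtual_index(path):
    """Filter on the full path; ignore takes precedence over accept."""
    if re.search(IGNORE, path):
        return False
    return re.search(ACCEPT, path) is not None

def earliest_time(path):
    """Earliest time for a path, or None when the regex does not match.
    Assumption: capture groups are concatenated, parsed as UTC, then adjusted."""
    m = re.search(TIME_REGEX, path)
    if m is None:
        return None
    base = datetime.strptime("".join(m.groups()), TIME_FORMAT)
    return base.replace(tzinfo=timezone.utc) + timedelta(seconds=TIME_ADJUST)

def preview(paths):
    """Return (path, earliest_time) for every path the index would include."""
    return [(p, earliest_time(p)) for p in paths if in_virtual_index(p)]

SAMPLE_PATHS = [  # constructed HDFS paths
    "/data/weblogs/2023/05/14/access.log.gz",
    "/data/weblogs/2023/05/14/_temporary/part-0000.gz",  # accept matches, ignore wins
    "/data/weblogs/2023/05/15/access.log.tmp",           # still being written
    "/data/weblogs/2023/05/15/access.log",               # no accept match
    "/data/archive/old.gz",                              # included, no date in path
]

if __name__ == "__main__":
    for path, et in preview(SAMPLE_PATHS):
        print(path, et.isoformat() if et else "no time extracted")
```

A file that shows up in the preview unexpectedly, or with no extracted time, points to a whitelist or time regex that is broader or narrower than intended.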
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1