Splunk® Enterprise

Splunk Analytics for Hadoop



Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Add or edit a virtual index in Splunk Web

Splunk Analytics for Hadoop reaches End of Life on January 31, 2025.

You can also add HDFS providers and virtual indexes by editing the configuration file directly instead of using Splunk Web. See Set up a virtual index in the configuration file for instructions.

1. Select Settings > Virtual Indexes.

2. Click the Virtual Indexes tab and click New Virtual Index, or click the name of the index you want to edit. The New/Edit Virtual Index page appears.

3. In the Name field, provide a name for your virtual index.

4. Select a Provider. To add a new provider, see Add an HDFS provider.

5. Provide the following path information:

  • Path to data in HDFS: The path to the data that Splunk Analytics for Hadoop will read and report on. For example:

/home/data/apache/logs/

  • Recursively process the directory: Check this if you want to include the contents of subdirectories (recursively).
  • Whitelist: Provide a regex that is matched against the full file path. Only files that match are considered part of the virtual index; an ignore pattern, if one is configured, filters files out and takes precedence over the whitelist (accept) pattern. A common use is to exclude temporary files or files that are still being written. Because the pattern is matched against the full path, anchor it where you mean a suffix, as the $ in this example does: \.gz$

6. Check Customize timestamp format to open the controls that let Splunk Analytics for Hadoop use time information embedded in file paths to decide which files to read. Time Format uses Java SimpleDateFormat patterns. You can optionally set the following:

  • Time capturing Regex: A regex applied to the full file path. Its capture groups extract the string that represents the earliest time of the data in the file; the captured groups are joined and parsed with the Time Format below. For example: /home/data/(\d+)/(\d+)/
  • Time Format: A Java SimpleDateFormat pattern describing how to interpret the time string extracted by the regex above. For example, yyyyMMddHH matches the two groups in the regex example when the path contains a date directory followed by an hour directory.
  • Time Adjustment: Number of seconds to add to the extracted earliest time. Example (+7 hours): 25200
  • Time Range: The time range for which the index should collect data. Files whose extracted time falls outside this range are not read.
  • Time Zone: The time zone in which the extracted time string should be interpreted.
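Before committing a Whitelist regex, a Time capturing Regex and a Time Format to a production virtual index, it is worth checking them against real path names, since a pattern that is too loose reads files you did not intend (temporary or half-written files) and a mis-parsed timestamp silently prunes the wrong files. The following is an added example, not code from Splunk or from this manual: it applies the accept/ignore precedence from step 5 and the regex-plus-format time extraction from step 6 to a constructed list of HDFS paths. The `SAMPLE_PATHS` list, the ignore pattern `_COPYING_|\.tmp$`, the function names and the small Java-to-strptime translation table are all assumptions made for this illustration; the rule that a path with no extractable time is kept rather than pruned is also a choice of this example, not documented Splunk behaviour.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of paths as a recursive listing of the virtual index root
# would return them. Not taken from any real cluster.
SAMPLE_PATHS = [
    "/home/data/20231030/14/access.log.gz",
    "/home/data/20231030/15/access.log.gz",
    "/home/data/20231030/15/access.log.tmp",          # still being written
    "/home/data/20231031/02/access.log.gz",
    "/home/data/20231031/02/_COPYING_access.log.gz",  # in-flight distcp copy
    "/home/data/README.txt",                          # no .gz, no timestamp
]

# Values taken from the step 5 and step 6 examples in this topic.
WHITELIST = r"\.gz$"
TIME_REGEX = r"/home/data/(\d+)/(\d+)/"
TIME_FORMAT = "yyyyMMddHH"
TIME_ADJUST = 25200  # +7 hours, in seconds


def select_files(paths, accept=WHITELIST, ignore=None):
    """Apply the Whitelist (accept) and an optional ignore regex to full paths.

    Both patterns are unanchored searches over the whole path, and ignore is
    checked first so that it takes precedence over accept, as the UI text states.
    """
    acc = re.compile(accept) if accept else None
    ign = re.compile(ignore) if ignore else None
    kept = []
    for path in paths:
        if ign is not None and ign.search(path):
            continue
        if acc is not None and not acc.search(path):
            continue
        kept.append(path)
    return kept


def java_to_strptime(fmt):
    """Translate the handful of SimpleDateFormat letters this example needs
    into strptime directives (assumption: only these letters are used)."""
    out = fmt
    for java, py in (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")):
        out = out.replace(java, py)
    return out


def path_time(path, time_regex=TIME_REGEX, time_format=TIME_FORMAT,
              adjust_seconds=0, tz=timezone.utc):
    """Extract the earliest time from a path.

    The capture groups of time_regex are concatenated, parsed with time_format
    in time zone tz, and shifted by adjust_seconds (the Time Adjustment field).
    Returns None when the regex does not match the path.
    """
    match = re.search(time_regex, path)
    if match is None:
        return None
    stamp = "".join(match.groups())
    naive = datetime.strptime(stamp, java_to_strptime(time_format))
    return naive.replace(tzinfo=tz) + timedelta(seconds=adjust_seconds)


def files_in_range(paths, earliest, latest, **kwargs):
    """Keep files whose extracted time lies in [earliest, latest).

    A path that yields no time is kept, the conservative choice for this
    example, so that a bad regex shows up as extra files rather than lost data.
    """
    kept = []
    for path in paths:
        t = path_time(path, **kwargs)
        if t is None or earliest <= t < latest:
            kept.append(path)
    return kept


if __name__ == "__main__":
    candidates = select_files(SAMPLE_PATHS, ignore=r"_COPYING_|\.tmp$")
    for p in candidates:
        print(p, "->", path_time(p, adjust_seconds=TIME_ADJUST))
    window = (datetime(2023, 10, 30, 15, tzinfo=timezone.utc),
              datetime(2023, 10, 31, 0, tzinfo=timezone.utc))
    print("in window:", files_in_range(candidates, *window))
```

Run it once with the whitelist only and once with the ignore pattern to see the precedence rule in action: `_COPYING_access.log.gz` ends in `.gz` and so passes the whitelist, and only the ignore pattern removes it. The `README.txt` path is dropped by the whitelist before time extraction is attempted, which is the order a practitioner wants, since a file with no parseable timestamp is exactly the kind that should be filtered by name.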
Last modified on 30 October, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0

