Splunk® Enterprise

Splunk Analytics for Hadoop

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Virtual index configuration variables

Splunk Analytics for Hadoop reaches End of Life on January 31, 2025.

When you configure a virtual index, Splunk Analytics for Hadoop automatically sets a number of configuration variables. You can use the preset variables, or you can modify them as needed by editing the index.

Setting: Use it to:
vix.input.[N].path Provide a path in HDFS that contains wildcards and/or ends with ... which specifies the data for this index. Paths ending with "..." will recursively check directories in the path for data.
vix.input.[N].accept Determine the regex that files/paths should match.
vix.input.[N].ignore Determines the regex that excludes files/paths. These values take precedence over vix.input.[N].accept values.

Variables for extracting earliest/latest timebounds based from the path (earliest time):

Setting: Use it to:
vix.input.[N].et.regex Determine a regex to extract time components. All capturing groups are concatenated and interpreted using format provided in the next row.
vix.input.[N].et.format Provide the date/time format to use when interpreting the string built with the above regex. This value can be set to "epoch" to interpret the time as seconds. For more information on the format, see here
vix.input.[N].et.value epoch time in milliseconds:
  • Sets the earliest time for this virtual index.
  • Can be used instead of extracting times from the path via vix.input.x.et.regex
  • When set to "mtime", uses the file modification time as the earliest time.
vix.input.[N].et.offset Set the amount of time (in seconds) to add to the resulting time.
vix.input.[N].et.timezone Determine the timezone in which to interpret the extracted time. E.g. "America/Los_Angeles" or "GMT-8:00" more info


Variables for extracting earliest/latest timebounds based from the path (latest time):

Setting: Use it to:
vix.input.[N].lt.regex Determine the regex to extract time components. All capturing groups are concatenated and interpreted using format:
vix.input.[N].lt.format Determine the date/time format for interpreting the string built with the above regex. Can be set to "epoch" to interpret the time as seconds. For more info on the format see here
vix.input.[N].lt.value epoch time in milliseconds:
  • Sets the latest time for this virtual index.
  • Can be used instead of extracting times from the path via vix.input.x.et.regex
  • When set to "mtime", uses the file modification time as the latest time.
vix.input.[N].lt.offset Set the amount of time (in seconds) to add to the resulting time.
vix.input.[N].lt.timezone To set the timezone in which to interpret the extracted time. E.g. "America/Los_Angeles" or "GMT-8:00" more info
Last modified on 30 October, 2023
Provider Configuration Variables   Virtual archive index configuration variables

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters