Hunk: Searching two different virtual indexes using OR: should work?

burwell
SplunkTrust

In regular Splunk I can easily search for

index=index1 OR index=index2 <search term> | stats count by index

Then I get results from either index.

When I set up a virtual index in Hunk 6.5.3 searching ORC files and I do a similar query, I seem to only get results from one index.
Is there something inherently different in the way Hunk searches that this wouldn't work?

1 Solution

rdagan_splunk
Splunk Employee

It should work in Hunk.
Can I assume that these two queries work without a problem?
index=index1 a=term | stats count by index
index=index2 a=term | stats count by index
but this one does not?
index=index1 OR index=index2 a=term | stats count by index

burwell
SplunkTrust

Hi Raanan. Your query above is exactly what I was experimenting with.

So I did some more experiments.

  1. If my virtual indexes point to 2 Hive databases, then the query with OR works fine. I get results from two different indexes.
  2. If my virtual indexes point to 2 ORC files, I can only get the results for one.

I will file a support ticket. Thanks for confirming the expected results.
