Can we export indexed data from Splunk to Hadoop v...

splunkn · ‎01-24-2016

Are we able to export indexed data from Splunk to Hadoop without running searches via Splunk Hadoop Connect?

I know we could use Hunk for the same. But how far we could utilise Hadoop Connect in our environment to export the indexed data directly?

Thanks in advance.

hsesterhenn_spl · ‎02-02-2017

Well,

old question but worth to answer... introduced with V6.5 there is now the "old" Hadoop archiving feature available in Splunk Enterprise core without the need for an additional "Splunk Analytics for Hadoop" license.

The feature is called "Hadoop Data Roll".

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/ArchivingindexestoHadoop

No need for Hadoop Connect anymore if you want to archive buckets instead of search results (which are different use cases, obviously 🙂

HTH,

Holger

dart · ‎01-25-2016

I'm not sure what you mean by directly here? Hadoop Connect is designed to allow the export of search results. Hunk's archiving is designed to allow archiving. What are you trying to do?

splunkn · ‎01-25-2016

Thanks Dart. We have not touched both practically. I have just gone through the docs and came to know this. Our requirement is to get archive the indexed data from Splunk to Hadoop. What i am trying to do is can we export the indexed data (buckets) without exporting the search results through any other means without Hunk? Is this possible in Hadoop Connect?

s2_splunk · ‎01-25-2016

You cannot archive buckets using Hadoop Connect, but you can export events as documented here

Can we export indexed data from Splunk to Hadoop via SplunkHadoopConnect?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk