How to get the count of events in a bucket on a pa...

stevennoble · ‎09-02-2014

I'd like to be able to get a count of the number of events in a bucket on a particular indexer. Is there a binary for this?

lguinn2 · ‎09-02-2014

You could run this search:

| dbinspect index=yourindexname 
| where splunk_server="name of indexer"

There are a bunch of fields that are returned - the one you want is eventCount.

You might also want to use some of the other fields in the where command to limit the results.

I don't know of a binary that you could run.

lguinn2 · ‎09-03-2014

Once you have the bucket id (using @yannK's great suggestion), you can do this

| dbinspect index=yourindexname | where splunk_server="name of indexer" bucketId="bucket id"

yannK · ‎09-03-2014

or on the file system, look in the hidden bucketManifest in the index.

example in $SPLUNK_HOME/var/lib/splunk/defautldb/db/.bucketManifest

id,path,"raw_size","event_count","host_count","source_count","sourcetype_count","size_on_disk",modtime,"frozen_in_cluster","origin_site"
"_internal~1~7A23D5BD-1F4C-49B2-A9E7-A20F2C3E460F","db_1408586228_1408560993_1",15352541,69039,1,10,8,11612160,1408667375,0,""

yannK · ‎09-03-2014

if you are trying to identify in which bucket an event is :

<my event> | eval bkt=_bkt | table bkt index splunk_server

will tell you the index, the bucket and the indexer.
the you can do the |dbinspect on this indexer.

stevennoble · ‎09-02-2014

do you know if I can narrow this down to a single bucket? (this is pretty helpful though)

How to get the count of events in a bucket on a particular indexer?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases