I am trying to troubleshoot event issues and am trying to trace particular events into the buckets where they reside. I ran a search based on _bkt but the values for this field are something like:
indexName~1~6B6A510F-0324-452D-AE2C-D61027E2216C
Bucket names are db_123456789_123456789_1234.
Does anyone know how to match the _bkt values to the bucket names?
If I understand your question correctly, what you need is the dbinspect command. There you can correlate bucketIds (for instance indexName~1~6B6A510F-0324-452D-AE2C-D61027E2216C) with the bucket folder name (for instance db_123456789_123456789_1234).
If for instance you would like to inspect the complete index, you could do:
|dbinspect index=indexName
Otherwise, you can filter down either to the bucketId:
|dbinspect index=indexName
| where bucketId="indexName~1~6B6A510F-0324-452D-AE2C-D61027E2216C"
or to the specific bucket folder name:
|dbinspect index=indexName
| where path = "/Applications/splunks/splunk6.2.4/var/lib/splunk/indexName/db/db_123456789_123456789_1234"
Hope this helps.
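Added example, not part of the original answer: a single search that groups the events being traced by their _bkt value and joins that to the dbinspect output, so each group of events is listed next to its bucket folder path and state. The quoted search string is a placeholder for whatever identifies the events, indexName is the index name used in the thread, and the search time range is assumed to cover the buckets in question because dbinspect only reports buckets that overlap it.

```spl
index=indexName "text identifying the events"
| eval bucketId=_bkt
| stats count AS events, min(_time) AS firstEvent, max(_time) AS lastEvent BY bucketId
| join type=left bucketId
    [| dbinspect index=indexName
     | fields bucketId, path, state, startEpoch, endEpoch, eventCount]
| convert ctime(firstEvent) ctime(lastEvent) ctime(startEpoch) ctime(endEpoch)
| table bucketId, events, firstEvent, lastEvent, state, path, startEpoch, endEpoch, eventCount
```

A row with an empty path means dbinspect returned no bucket with that bucketId for the selected time range.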