Great app! I already see bucket counts, bucket, size, etc. I'd like to see an events per bucket metric, especially since this factors into whether or not buckets qualify for report acceleration.
Thanks,
Rob
How about the "eventCount" field from | dbinspect?
FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/
If you have any questions, ping the developer of the app @sowings
Cheers!
Something like:
index=myindex | eval bucket_event_id=_cd | rex field=bucket_event_id "(?<bucket_id>[^:]+):" | stats count by index sourcetype splunk_server bucket_id | sort splunk_server bucket_id