hi
Say we have an index called "my_network". The rollover period to the cold index is 1 month. This needs to be tested by the testing team.
How can they test whether a particular event/bucket exists in cold or in warm/hot? Is there a more granular way to interrogate within an index using search?
Look at the dbinspect command: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Dbinspect
You can view the various states of the events in the index, i.e. what stage in the bucket lifecycle they are at (hot/warm/cold/frozen), along with the metadata for the events in the buckets.
| dbinspect index=* splunk_server=*
| search state="*"
| convert ctime(endEpoch) ctime(startEpoch)
| table bucketId state path startEpoch endEpoch
That should get you in the general direction of where you want to go.
You could use dbinspect, but it's a non-streaming command and therefore not easy to join against streaming searches.
If you are just looking to verify this for very few events, then the following should work fine:
index=main earliest=-30d latest=-29d
| head 1
| stats max(_raw) as myraw by _time
| eval mytime = _time
| map search="
| dbinspect index=main
| table bucketId, endEpoch, startEpoch, state
| eval time = $mytime$
| eval _raw = \"$myraw$\"
| where $mytime$ >= startEpoch AND $mytime$ <= endEpoch
"
Unless somebody else comes back with an easier approach of course.
Thanks,
Javier
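The two answers above boil down to one check: export the bucket metadata that dbinspect returns (bucketId, state, path, startEpoch, endEpoch) and see which bucket spans cover a given event's _time. The following is an added example, not code from this thread or from Splunk, that runs that check offline in Python over a constructed CSV in the shape of `| dbinspect index=my_network | table bucketId state path startEpoch endEpoch | outputcsv`. The index name comes from the question; the bucket IDs, GUID and paths are placeholders. It also shows the caveat the map search hides: bucket time spans overlap, so an event time can match more than one bucket, and dbinspect alone cannot tell you which one actually holds the event. The age threshold in `stale_non_cold` encodes the question's stated "1 month to cold" policy as a test assumption, not Splunk's own rollover rules.

```python
import csv
import io

# Constructed sample data (not real dbinspect output): three buckets of the
# index "my_network", one per lifecycle state. Note the overlapping spans.
SAMPLE_DBINSPECT_CSV = """bucketId,state,path,startEpoch,endEpoch
my_network~3~0000-GUID,hot,/opt/splunk/var/lib/splunk/my_network/db/hot_v1_3,1700000000,1700600000
my_network~2~0000-GUID,warm,/opt/splunk/var/lib/splunk/my_network/db/db_1700000999_1699000000_2,1699000000,1700000999
my_network~1~0000-GUID,cold,/opt/splunk/var/lib/splunk/my_network/colddb/db_1699100000_1696000000_1,1696000000,1699100000
"""


def parse_dbinspect(csv_text):
    """Parse exported dbinspect rows; the epoch columns become ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "bucketId": row["bucketId"],
            "state": row["state"],
            "path": row["path"],
            "startEpoch": int(row["startEpoch"]),
            "endEpoch": int(row["endEpoch"]),
        })
    return rows


def candidate_buckets(buckets, event_time):
    """Buckets whose span covers event_time, inclusive on both ends, which is
    the same comparison the map search's `where` clause makes. Several
    buckets can match because bucket spans overlap."""
    return [b for b in buckets if b["startEpoch"] <= event_time <= b["endEpoch"]]


def states_for_event(buckets, event_time):
    """Distinct lifecycle states an event with this _time could be stored in."""
    return sorted({b["state"] for b in candidate_buckets(buckets, event_time)})


def state_matches_path(bucket):
    """Cross-check state against location: cold buckets live under the
    index's colddb directory, hot and warm buckets under its db directory."""
    parts = bucket["path"].split("/")
    if bucket["state"] == "cold":
        return "colddb" in parts
    if bucket["state"] in ("hot", "warm"):
        return "db" in parts and "colddb" not in parts
    return False


def stale_non_cold(buckets, now, max_age_seconds):
    """Bucket IDs whose newest event is older than max_age_seconds but which
    are not cold yet. This is the test team's expectation from the question
    (assumed policy), not a statement of how Splunk decides to roll buckets."""
    return [b["bucketId"] for b in buckets
            if b["state"] != "cold" and now - b["endEpoch"] > max_age_seconds]


if __name__ == "__main__":
    buckets = parse_dbinspect(SAMPLE_DBINSPECT_CSV)
    for t in (1697000000, 1699050000, 1700500000):
        print(t, states_for_event(buckets, t))
    print("state/path mismatches:",
          [b["bucketId"] for b in buckets if not state_matches_path(b)])
    print("not yet cold after 30 days:",
          stale_non_cold(buckets, now=1702700000, max_age_seconds=30 * 86400))
```

When more than one state comes back for an event, the only way to settle which bucket holds it is to search the event itself and compare its `_bkt` field (the bucket ID Splunk attaches to each event) against the dbinspect rows; the time-span check narrows the candidates but does not pick one.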
Thanks mate, it worked.