- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how to Count warm buckets per indexer per index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been trying to evaluate and control the space being used in our hot/warm vol. I am trying to run searches that will show me the oldest warm data per indexer by index as well as a separate search to count my my warm buckets per indexer by index.
warm bucket count per indexer by index search.
|dbinspect state=warm index=* | stats count by splunk_server index
This is not returning a true count of the buckets stored in our hot/warm vol. For instance this search is returning a count of 2 for our webapp index on indexer idx01 but if I manually go to the bucket location we have almost 300. I need some help understanding this discrepency and hopefully getting a better query...Maybe I need to manually roll some buckets...
The search I am using to try to get an estimate of our oldest hot/warm data by index is this.
index=internal sourcetype=splunkd bucketmover warm_to_cold: | rex field=bucket "db(?\d+)\d+" | sort time_cron |convert ctime(time_cron) | dedup idx splunk_server| table splunk_server idx time_cron
Is this a decent way to do this, is there a better way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
the dbinspect command takes the time specified in time picker.
thy and run this at all time
| dbinspect index=*
| search state=warm
| stats count as bucket_count min(startEpoch) as earliest_event by index splunk_server
| eval earliest_event_human = strftime(earliest_event, "%c")
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @saulverde
you can also find the bucket for the indexes in introspection index.
try this search and replace index in data.name=_internal with your index
index="_introspection" sourcetype="splunk_disk_objects" component=indexes data.name=_internal
you will find info event count, size, bucket count for all hot/warm, cold, thawed for the index
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out the Fire Brigade series of apps:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
the dbinspect command takes the time specified in time picker.
thy and run this at all time
| dbinspect index=*
| search state=warm
| stats count as bucket_count min(startEpoch) as earliest_event by index splunk_server
| eval earliest_event_human = strftime(earliest_event, "%c")
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks I'm testing that out now. If I don't specify index=* I noticed that it only returns information for the main index. So I added that to your search. It's running now, I'll let you know if it works. Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes you re right, forgot to add it.
modifying the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
another option is to use | rest /services/data/indexes-extended and stats or table relevant fields as you desire for more robust reporting
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
