Solved: Given a bucket name of db_1274129994_1273525194_0 ...

the_wolverine · ‎05-17-2010

I have the following bucket: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/db_1274129994_1273525194_0

Is there someway to calculate the date span of the events in this bucket?

the_wolverine · ‎05-17-2010

You can use a site like http://www.epochconverter.com/ to convert epochtimes to "human readable" format.

There are 3 parts to the bucket name:

db_latesttime_earliesttime_idnum

For a bucket named db_1274129994_1273525194_0 you can plug-in the latesttime and earliesttime values to figure out the date/time range of the events within that bucket.

The events in this bucket fall between Mon, 10 May 2010 20:59:54 GMT and Mon, 17 May 2010 20:59:54 GMT.

View solution in original post

the_wolverine · ‎05-17-2010

You can use a site like http://www.epochconverter.com/ to convert epochtimes to "human readable" format.

There are 3 parts to the bucket name:

db_latesttime_earliesttime_idnum

For a bucket named db_1274129994_1273525194_0 you can plug-in the latesttime and earliesttime values to figure out the date/time range of the events within that bucket.

The events in this bucket fall between Mon, 10 May 2010 20:59:54 GMT and Mon, 17 May 2010 20:59:54 GMT.

smisplunk · ‎04-01-2011

Rather than taking the time to navigate to a site, this command line perl snippet will translate epoch time to your local time zone: "perl -e 'print scalar localtime '".

Given a bucket name of db_1274129994_1273525194_0 what is the span of the events within this bucket?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases