I've been trying to evaluate and control the space being used in our hot/warm vol. I am trying to run searches that will show me the oldest warm data per indexer by index, as well as a separate search to count my warm buckets per indexer by index.
warm bucket count per indexer by index search.
|dbinspect state=warm index=* | stats count by splunk_server index
This is not returning a true count of the buckets stored in our hot/warm vol. For instance, this search is returning a count of 2 for our webapp index on indexer idx01, but if I manually go to the bucket location we have almost 300. I need some help understanding this discrepancy and hopefully getting a better query... Maybe I need to manually roll some buckets...
The search I am using to try to get an estimate of our oldest hot/warm data by index is this.
index=_internal sourcetype=splunkd bucketmover warm_to_cold: | rex field=bucket "db_(?<time_cron>\d+)_\d+" | sort time_cron | convert ctime(time_cron) | dedup idx splunk_server | table splunk_server idx time_cron
Is this a decent way to do this, is there a better way?
Hello there,
The dbinspect command takes the time specified in the time picker. Try running this over All time:
| dbinspect index=*
| search state=warm
| stats count as bucket_count min(startEpoch) as earliest_event by index splunk_server
| eval earliest_event_human = strftime(earliest_event, "%c")
Hope it helps
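To reconcile the dbinspect count with what is actually on disk (the discrepancy described in the question), here is an added Python example; it is not part of the original thread and not Splunk's own tooling. It relies on the warm/cold bucket directory naming convention db_<latestEpoch>_<earliestEpoch>_<localId> (with an optional trailing GUID on clustered copies, and rb_ for non-primary replicas), which is the same convention the question's rex parses, and treats hot_v1_<id> directories as hot. The directory listing below is constructed for illustration, and the index names and homePath locations in the scan helper are assumptions; point it at your real $SPLUNK_DB/<index>/db directories to compare against `| dbinspect index=* | search state=warm | stats count by index splunk_server` run over All time.

```python
import os
import re
import time

# Warm (and cold) bucket directory names, as found under homePath / coldPath:
#   db_<latestEpoch>_<earliestEpoch>_<localId>           standalone or primary copy
#   db_<latestEpoch>_<earliestEpoch>_<localId>_<guid>    clustered primary copy
#   rb_<latestEpoch>_<earliestEpoch>_<localId>_<guid>    clustered replicated copy
# Hot buckets are named hot_v<n>_<localId> and carry no time range in the name.
BUCKET_RE = re.compile(
    r"^(?P<kind>db|rb)_(?P<latest>\d+)_(?P<earliest>\d+)_(?P<id>\d+)"
    r"(?:_(?P<guid>[0-9A-Fa-f-]+))?$"
)
HOT_RE = re.compile(r"^hot_v\d+_\d+$")

# Constructed sample listing of one index's homePath (not real data).
SAMPLE_WEBAPP_HOMEPATH = [
    "hot_v1_301",
    "db_1498694399_1498608000_300",
    "db_1498608000_1498521600_299",
    "db_1498521599_1498435200_298_7C9E2A40-1F2B-4F61-9D3A-0B5C6E7F8A91",
    "rb_1498435199_1498348800_297_7C9E2A40-1F2B-4F61-9D3A-0B5C6E7F8A91",
    "CreationTime",  # not a bucket; must be ignored
]


def parse_bucket_name(name):
    """Return (kind, latest, earliest, local_id, guid) or None if not a db_/rb_ bucket."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    return (m.group("kind"), int(m.group("latest")), int(m.group("earliest")),
            int(m.group("id")), m.group("guid"))


def summarize_warm(dir_names):
    """Count db_/rb_ buckets in a directory listing and find the oldest earliest-event time.

    Hot buckets are counted separately and excluded from the warm figure, so the
    result is directly comparable to dbinspect filtered on state=warm.
    """
    warm = hot = 0
    oldest = None
    for name in dir_names:
        if HOT_RE.match(name):
            hot += 1
            continue
        parsed = parse_bucket_name(name)
        if parsed is None:
            continue  # manifests, CreationTime, stray files
        warm += 1
        earliest = parsed[2]
        if oldest is None or earliest < oldest:
            oldest = earliest
    return {"warm_buckets": warm, "hot_buckets": hot, "oldest_earliest_epoch": oldest}


def scan_home_paths(home_paths):
    """home_paths: {index_name: homePath directory} (assumed layout). Returns per-index summaries."""
    results = {}
    for idx, path in home_paths.items():
        try:
            names = os.listdir(path)
        except FileNotFoundError:
            names = []
        results[idx] = summarize_warm(names)
    return results


def format_summary(idx, summary):
    """One human-readable line per index, oldest time rendered in UTC."""
    oldest = summary["oldest_earliest_epoch"]
    when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(oldest)) if oldest else "n/a"
    return "{}: warm={} hot={} oldest_event={}".format(
        idx, summary["warm_buckets"], summary["hot_buckets"], when)


if __name__ == "__main__":
    # Demonstration on the constructed listing; replace with scan_home_paths(
    #     {"webapp": "/opt/splunk/var/lib/splunk/webapp/db"}) on an indexer.
    print(format_summary("webapp", summarize_warm(SAMPLE_WEBAPP_HOMEPATH)))
```

Run it on each indexer and compare the warm figure per index with the dbinspect bucket_count for that splunk_server; if the disk count is higher, the search is almost certainly being time-bounded by the picker rather than the buckets being mis-rolled.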
Hi @saulverde
You can also find the bucket information for the indexes in the _introspection index.
Try this search and replace the index in data.name=_internal with your index:
index="_introspection" sourcetype="splunk_disk_objects" component=indexes data.name=_internal
You will find info on event count, size, and bucket count for all hot/warm, cold, and thawed buckets for the index.
Thanks
Check out the Fire Brigade series of apps:
Thanks I'm testing that out now. If I don't specify index=* I noticed that it only returns information for the main index. So I added that to your search. It's running now, I'll let you know if it works. Thanks again.
Yes, you're right, I forgot to add it. Modifying the answer.
Another option is to use | rest /services/data/indexes-extended and then stats or table the relevant fields as you desire for more robust reporting.