Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I see which directories the splunk query is searching through while its running?

EricLloyd79
Builder
‎07-12-2018 12:27 PM

Is there a way to view the directories that a Splunk Query is searching through as it hunts through events? I recall someone mentioning turning on DEBUG mode which I did but didnt see anything in the logs defining which directories were looked through.

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎07-12-2018 02:27 PM

Why would you ever care?

0 Karma
Reply

MuS
Legend
‎07-12-2018 01:38 PM

Hi EricLloyd79,

yes and no, you can see the bucket ID but not the path. Try this run everywhere SPL which facilitates the Splunk internal field _cd ( that represents the bucket id and an address that provides the exact location of the event within its bucket) :

index=* earliest=-24h@h
| rex field=_cd "(?<bucketID>\d+)" 
| eval idx_bucketID=index .":". bucketID 
| stats count by idx_bucketID

This will give you a list of all buckets searched for each index, and since bucket ID's are uniq and are located in a known directory you can easily find them.

Hope this helps ...

cheers, MuS

UPDATE:
You could also use the _bkt field, but this will also not provide the full path. See more here http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields#_bkt

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...