How to determine age of events in frozen buckets?

wmedeiros · ‎11-23-2017

Hi!
I configured my deployment to store frozen buckets. But, now i have only 15% empty in my partition.
I need to delete some buckets. I want to know how to determine age of events in frozen buckets for resolves this problem.

niketn · ‎11-23-2017

@wmedeiros, you can use dbinspect command to perform this analysis on volume/age by buckets:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lycollicott · ‎11-23-2017

db_<newest_time>_<oldest_time>_<localid>_<guid>

The times are in UTC epoch.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/HowSplunkstoresindexes

wmedeiros · ‎11-24-2017

Thanks.
I have this bucket "db_1467575622_1467543210_820". I understood that the newest_time=1467575622 and oldest_time=1 467 543 210.
This time are in seconds, but how to transform this time in Date?

1 day has 87400 seconds (24*60*60).
1 year has 31536000 seconds (87400*365)
1467575622 seconds are 46.53 years (1467575622/31536000)

How to determine the age of these events ?

lycollicott · ‎11-24-2017

https://www.epochconverter.com/

harsmarvania57 · ‎11-24-2017

Those are epoch time, please use https://www.epochconverter.com/ to convert epoch time to human readable format.

How to determine age of events in frozen buckets?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor