Deployment Architecture

Figuring out the earliest time in various buckets

Explorer

Hello,

I am trying to figure out the earliest time and the latest time in the HOT, WARM, COLD buckets for each index (I have 47 indexes in Prod). Is there a command that will help me determine this?

0 Karma
1 Solution

Ultra Champion

You can go into Manager -> Indexes.

Earliest and latest times are listed on a per-index level. No difference between hot/warm and cold.

Otherwise I think you'll need to go into each db directory to find the newest cold bucket and the newest and oldest warm bucket. Please note that the modtime is not the relevant piece of information - it's all in the name of the buckets; db_XXXXXXX_YYYYYYYYY_ZZZ, where X & Y are newest and oldest timestamps for events in that particular bucket. ZZZ is just a unique bucket number. Thus you'll have to find max(X) and min(Y) for all buckets in a directory (i.e. the hot/warm and cold paths of an index). This can be scripted if you have the time/skill for it.

For hot buckets I don't think that you can determine oldest/newest - although it's a fairly safe bet that the newest event is pretty close to now().

Hope this helps,

K

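One way to script the directory walk K describes, as an added example that is not from the original thread: it parses db_<newest>_<oldest>_<id> directory names from a homePath or coldPath listing and reports min(Y) and max(X) per path, counting hot_v* buckets separately since their names carry no time range. The sample listing is constructed; only `summarize_path` touches a real filesystem, read-only.

```python
import os
import re
from datetime import datetime, timezone

# Warm and cold bucket directories are named db_<latest>_<earliest>_<id>,
# with both timestamps as Unix epoch seconds. Hot buckets are named
# hot_v1_<id> and carry no time range, so they are only counted here.
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_\d+$")
HOT_RE = re.compile(r"^hot_v\d+_\d+$")


def summarize_buckets(names):
    """Reduce a list of bucket directory names to the span they cover.

    Returns (earliest_epoch, latest_epoch, warm_cold_count, hot_count);
    the epochs are None when no db_ bucket is present.
    """
    earliest = latest = None
    db_count = hot_count = 0
    for name in names:
        m = BUCKET_RE.match(name)
        if m:
            newest, oldest = int(m.group(1)), int(m.group(2))
            latest = newest if latest is None else max(latest, newest)
            earliest = oldest if earliest is None else min(earliest, oldest)
            db_count += 1
        elif HOT_RE.match(name):
            hot_count += 1
        # anything else (e.g. a GlobalMetaData file) is ignored


    return earliest, latest, db_count, hot_count


def summarize_path(path):
    """Same, for a real homePath or coldPath directory on an indexer."""
    return summarize_buckets(os.listdir(path))


def fmt(epoch):
    if epoch is None:
        return "n/a"
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat()


# Constructed sample listing, not from a real indexer: one index with a
# homePath (hot + warm buckets) and a coldPath.
SAMPLE = {
    "main/db": ["hot_v1_7", "db_1700000000_1699900000_6", "db_1699900000_1699700000_5"],
    "main/colddb": ["db_1699700000_1699000000_4", "db_1699000000_1698500000_3", "GlobalMetaData"],
}

if __name__ == "__main__":
    for path, names in SAMPLE.items():
        earliest, latest, n_db, n_hot = summarize_buckets(names)
        print(f"{path}: earliest={fmt(earliest)} latest={fmt(latest)} warm/cold={n_db} hot={n_hot}")
```

Point `summarize_path` at each index's homePath and coldPath (as listed in indexes.conf) on every indexer to get the per-state span K describes.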

Splunk Employee

You'll want dbinspect. It shows you each bucket within the index, the state, and the earliest and latest times. Note that dbinspect is not a distributed search command. It'll require queries directly to your indexers themselves, rather than from a distributed search head.

Example: | dbinspect index=main

The results are bounded by the time in your time range picker, so to see the state of the whole index, you'll probably want to run this over all time.

Real Soon Now (RSN) there'll be a Splunk app to help you out; stay tuned!

Splunk Employee

And in version 6, the 'dbinspect' command is now distributed.

0 Karma

Splunk Employee

I should point out that the app I mentioned is now available on Splunkbase. There are versions for Splunks prior to version 6, as well as one specifically tuned for Splunk 6. Search for "Fire Brigade" on the Splunkbase apps site.

0 Karma

Splunk Employee

dbinspect can get you visibility into the bucket state without traversing directory paths.

Explorer

Thanks! This was very helpful.

I knew about going to each directory and finding out the oldest and newest timestamp.

I was trying to figure out a way to do this at the search prompt so that I could provide the command to all the users in the organization so that they can help themselves.

0 Karma