You can go into Manager -> Indexes.
Earliest and latest times are listed on a per-index level. No difference between hot/warm and cold.
Otherwise I think you'll need to go into each db directory to find the newest cold bucket and the newest and oldest warm bucket. Please note that the modtime is not the relevant piece of information - it's all in the name of the buckets; db_XXXXXXX_YYYYYYYYY_ZZZ, where X & Y are newest and oldest timestamps for events in that particular bucket. ZZZ is just a unique bucket number. Thus you'll have to find max(X) and min(Y) for all buckets in a directory (i.e. the hot/warm and cold paths of an index). This can be scripted if you have the time/skill for it.
For hot buckets I don't think that you can determine oldest/newest - although it's a fairly safe bet that the newest event is pretty close to now().
Hope this helps,
K
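The bucket-name scan described in the answer above, as an added example (not code from the answer's author or from Splunk): it parses directory names of the db_&lt;newest&gt;_&lt;oldest&gt;_&lt;id&gt; form, takes max of the newest and min of the oldest fields across a directory, and counts hot buckets separately because their names carry no timestamps. The sample names are constructed; the regex additionally admits the rb_ prefix and a trailing suffix after the id, which is an assumption beyond what the answer states.

```python
import os
import re
from datetime import datetime, timezone

# Warm and cold bucket directories are named db_<newest>_<oldest>_<id>
# (assumption: replicated copies use rb_ and may carry a trailing suffix).
# Both timestamps are epoch seconds. Hot buckets are hot_v<n>_<id> and
# carry no timestamps, so they are only counted.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_.*)?$")
HOT_RE = re.compile(r"^hot_v\d+_\d+$")


def parse_bucket_name(name):
    """Return (newest_epoch, oldest_epoch, bucket_id), or None if the name
    is not a warm/cold bucket directory."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    newest, oldest, bucket_id = (int(x) for x in m.groups())
    return newest, oldest, bucket_id


def time_range(names):
    """Compute (oldest, newest, hot_count) over a list of directory names.
    oldest/newest are None when no warm/cold bucket is present."""
    oldest = newest = None
    hot = 0
    for name in names:
        if HOT_RE.match(name):
            hot += 1
            continue
        parsed = parse_bucket_name(name)
        if parsed is None:
            continue  # stray files such as manifests are ignored
        new, old, _ = parsed
        oldest = old if oldest is None else min(oldest, old)
        newest = new if newest is None else max(newest, new)
    return oldest, newest, hot


def index_time_range(*paths):
    """Walk the given bucket directories (e.g. the db and colddb paths of
    one index) and combine them into a single range."""
    names = []
    for path in paths:
        if os.path.isdir(path):
            names.extend(os.listdir(path))
    return time_range(names)


def to_iso(epoch):
    """Render an epoch-seconds value as UTC ISO-8601 for display."""
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat()


# Constructed sample directory listing for one index (not real buckets).
SAMPLE_NAMES = [
    "db_1389721152_1389621500_52",
    "db_1389800000_1389721000_53",
    "rb_1389500000_1389400000_7_00000000-0000-0000-0000-000000000000",
    "hot_v1_54",
    ".bucketManifest",
]

if __name__ == "__main__":
    oldest, newest, hot = time_range(SAMPLE_NAMES)
    print("oldest event:", to_iso(oldest))
    print("newest event:", to_iso(newest))
    print("hot buckets (no timestamps in name):", hot)
```

Run it on a real indexer by replacing the sample list with `index_time_range("/opt/splunk/var/lib/splunk/<index>/db", "/opt/splunk/var/lib/splunk/<index>/colddb")` (paths are placeholders; use the homePath and coldPath from your indexes.conf).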
You'll want dbinspect. It shows you each bucket within the index, the state, and the earliest and latest times. Note that dbinspect is not a distributed search command. It'll require queries directly to your indexers themselves, rather than from a distributed search head.
Example: | dbinspect index=main
The results are bounded by the time in your time range picker, so to see the state of the whole index, you'll probably want to run this over all time.
Real Soon Now (RSN) there'll be a Splunk app to help you out; stay tuned!
And in version 6, the 'dbinspect' command is now distributed.
I should point out that the app I mentioned is now available on Splunkbase. There are versions for Splunks prior to version 6, as well as one specifically tuned for Splunk 6. Search for "Fire Brigade" on the Splunkbase apps site.
dbinspect can get you visibility into the bucket state without traversing directory paths.
Thanks! This was very helpful.
I knew about going to each directory and finding out the oldest and newest timestamp.
I was trying to figure out a way to do this at the search prompt so that I could provide the command to all the users in the organization so that they can help themselves.