I am using the following search ,and it seems to works with hot buckets but not when changed to cold. I need to have the output from cold buckets for a billing purpose. Been working on this forever it seems. If you could assist me, that would be great!

SEARCH:

| tstats summariesonly=true sum(everything.rawlen) as rawBytes from datamodel=storage_billing by splunk_server,index,everything.bucketId,host
| rename everything.* as * | eval rawMBytes=rawBytes/1024/1024 
| join splunk_server, bucketId [ dbinspect index=* | eval rawSizeMB=rawSize/1024/1024 | fields splunk_server, bucketId, path, state, startEpoch, endEpoch, modTime, sizeOnDiskMB,rawSizeMB ] 
| eval compression=sizeOnDiskMB/rawSizeMB, newRawMBytes = rawMBytes * compression 
| eventstats sum(rawMBytes), sum(newRawMBytes) by splunk_server, bucketId  
| eval margin_of_error=  round( ( sizeOnDiskMB - 'sum(newRawMBytes)' ) / sizeOnDiskMB,4) 
| stats sum(newRawMBytes) as MBytes_Used, count(bucketId) as Bucket_Count by splunk_server,index,state,host
| search state=cold | eval GBytes_Used=round(MBytes_Used/1024,2)
| rename host as "Volume Name" | dedup host
| rename MBytes_Used as Space
| eval "Copy Type"="Primary"
| eval F4="Copy"
| fields "Volume Name", Space, "Copy Type", F4 | outputcsv Logging_tsm