How to match the _bkt values from a search to the ...

louieb3 · ‎09-04-2014

I am trying to troubleshoot event issues and am trying to trace particular events into the buckets where they reside. I ran a search based on _bkt but the values for this field are something like:

indexName~1~6B6A510F-0324-452D-AE2C-D61027E2216C

bucket names are db_123456789_123456789_1234

Does anyone know how to match the _bkt values to the bucket names?

mgaraventa_splu · ‎08-06-2015

If I understand your question correctly, what you need is the dbinspect command. There you can correlate bucketIds (for instance indexName~1~6B6A510F-0324-452D-AE2C-D61027E2216C) with the bucket folder name (for instance db_123456789_123456789_1234).

If for instance you would like to inspect the complete index, you could do:

|dbinspect index=indexName

otherwise you can filter down either to the bucketId:

|dbinspect index=indexName
| where bucketId ="indexName~1~6B6A510F-0324-452D-AE2C-D61027E2216C"

or to the specific bucket folder name:

|dbinspect index=indexName
| where path = "/Applications/splunks/splunk6.2.4/var/lib/splunk/indexName/db/db_123456789_123456789_1234"

Hope this helps.

How to match the _bkt values from a search to the bucket names/directories?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How to match the _bkt values from a search to the bucket names/directories?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey