Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

script to convert the bucket name to the time range of the data

yannK
Splunk Employee
Splunk Employee
‎01-17-2013 10:26 AM

I have plenty of frozen buckets, and I want to thawed some of them.
How do figure the timerange of each bucket from the folder name with a script.

example on linux :



ls -l /splunk/myindex/frozendb/

drwx--x--x  13 yannk  staff  442 Dec 25 12:04 db_1356465674_1356465287_0

drwx--x--x  13 yannk  staff  442 Jan  7 00:48 db_1356465863_1356465863_1

PS: for the hot/warm/cold I use the splunk command "|dbinspect index=myindex"

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-17-2013 12:16 PM

🙂

$ ls -l | fgrep db_ | sed -r s/.*\(db_\(.+\)_\(.+\)_.*\)/\\1\\n\\2\\n\\3/ | gawk '/^db/ {print $0} /^1/ {print "   " strftime("%c", $0)}'

Produces this for your example:

db_1356465674_1356465287_0
   Tue Dec 25 21:01:14 2012
   Tue Dec 25 20:54:47 2012
db_1356465863_1356465863_1
   Tue Dec 25 21:04:23 2012
   Tue Dec 25 21:04:23 2012

Will break once we roll over 2000000000...

View solution in original post

Reply
Solved! Jump to solution

rabbidroid
Path Finder
‎05-04-2015 12:11 PM

This one is a little faster when dealing with lots of buckets, and it's also more accurate when working with clustered data.

Also, I switched the fields so the start time is before the end time.

ls -d1 db_*  | gawk -F'_' '{print $0} {print "   " strftime("%c", $3)} {print "   " strftime("%c", $2)}'
Reply
Solved! Jump to solution

hsesterhenn
Path Finder
‎07-26-2013 07:53 AM

Hi,

great stuff. Had some problems to run this on a Mac PB using OSX 10.7 🙂

Here is my version:

lf=$'\n' ; ls -ld db_* rb_* | sed -E s/.*\(db_\(.+\)_\(.+\)_.*\)/\\1"\\$lf"\\2"\\$lf"\\3/ | awk '/^db/ {print " "$0" "} /^1/ {cmd="date -r " $0; printf "     "; system(cmd) }'

Explanation: sed on MacOS X does not support "\n" and awk does not support strftime()...

Feel free to add some optimizations.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-17-2013 12:16 PM

🙂

$ ls -l | fgrep db_ | sed -r s/.*\(db_\(.+\)_\(.+\)_.*\)/\\1\\n\\2\\n\\3/ | gawk '/^db/ {print $0} /^1/ {print "   " strftime("%c", $0)}'

Produces this for your example:

db_1356465674_1356465287_0
   Tue Dec 25 21:01:14 2012
   Tue Dec 25 20:54:47 2012
db_1356465863_1356465863_1
   Tue Dec 25 21:04:23 2012
   Tue Dec 25 21:04:23 2012

Will break once we roll over 2000000000...

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-17-2013 12:57 PM

If you want to swap the dates you can just swap the 2 and 3 in the sed command.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-17-2013 12:53 PM

reminder the format of the buckets is
db_(recentevent)(oldestevent)(id)

or for the hot buckets
hot_v1_(id)

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-17-2013 12:49 PM

thank you very much, I was trying to do the same , but a oneliner is much better.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...