Getting Data In

Get bucket IDs corresponding to events

Marklar
Splunk Employee
Splunk Employee

How can I find the corresponding bucket IDs for specific events in an index?

Tags (2)
1 Solution

Marklar
Splunk Employee
Splunk Employee

You can use the _cd field, which contains "bucket_id:event_offset" for that particular event.

I used the following search to find which buckets my events were going into:

index=myindex | eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

Remember that bucket IDs only have meaning within that index, not across them. You could easily do things like filter by timerange:

index=myindex _time>=1234567890 _time<=1234567899| eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

View solution in original post

bandit
Motivator

Thanks. I ended up with a search like this:

my search here | eval bucket_event_id=_cd | rex field=bucket_event_id "(?<bucket_id>[^:]+):" | stats count by index sourcetype splunk_server bucket_id | sort splunk_server bucket_id

bbialek
Path Finder

On Splunk 6.4, _cd doesn't seem to be a field... Does anyone know how to identify which bucket an even is in on the newer versions?

0 Karma

Marklar
Splunk Employee
Splunk Employee

You can use the _cd field, which contains "bucket_id:event_offset" for that particular event.

I used the following search to find which buckets my events were going into:

index=myindex | eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

Remember that bucket IDs only have meaning within that index, not across them. You could easily do things like filter by timerange:

index=myindex _time>=1234567890 _time<=1234567899| eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

marcoscala
Builder

Take care! the rex in the "replace" commando is wrong because the backslash before "d+" and before "1" is truncated by this editor!!!

Il should be
index=myindex | eval BID = replace(_cd, "('backslash'd+):'backslash'd+", "'backslash'1") | top BID

Marco

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...