Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get bucket IDs corresponding to events

Marklar
Splunk Employee
Splunk Employee
‎01-01-2011 02:59 AM

How can I find the corresponding bucket IDs for specific events in an index?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Marklar
Splunk Employee
Splunk Employee
‎01-01-2011 03:03 AM

You can use the _cd field, which contains "bucket_id:event_offset" for that particular event.

I used the following search to find which buckets my events were going into:

index=myindex | eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

Remember that bucket IDs only have meaning within that index, not across them. You could easily do things like filter by timerange:

index=myindex _time>=1234567890 _time<=1234567899| eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

View solution in original post

Reply
Solved! Jump to solution

bandit
Motivator
‎03-24-2015 02:08 PM

Thanks. I ended up with a search like this:

my search here | eval bucket_event_id=_cd | rex field=bucket_event_id "(?<bucket_id>[^:]+):" | stats count by index sourcetype splunk_server bucket_id | sort splunk_server bucket_id
Reply
Solved! Jump to solution

bbialek
Path Finder
‎06-22-2016 12:49 PM

On Splunk 6.4, _cd doesn't seem to be a field... Does anyone know how to identify which bucket an even is in on the newer versions?

0 Karma
Reply
Solved! Jump to solution
Solution

Marklar
Splunk Employee
Splunk Employee
‎01-01-2011 03:03 AM

You can use the _cd field, which contains "bucket_id:event_offset" for that particular event.

I used the following search to find which buckets my events were going into:

index=myindex | eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

Remember that bucket IDs only have meaning within that index, not across them. You could easily do things like filter by timerange:

index=myindex _time>=1234567890 _time<=1234567899| eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID

Reply
Solved! Jump to solution

marcoscala
Builder
‎10-20-2014 08:07 AM

Take care! the rex in the "replace" commando is wrong because the backslash before "d+" and before "1" is truncated by this editor!!!

Il should be
index=myindex | eval BID = replace(_cd, "('backslash'd+):'backslash'd+", "'backslash'1") | top BID

Marco

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...