Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What is a "status bucket"?

yvonnec
New Member
‎08-16-2019 12:18 PM

In the POST search/jobs endpoint, there's an option to specify a number of status buckets.

It seems that certain information about the search job is only available when this value is greater than 0
(ie search/jobs/{search_id}/summary, search/jobs/{search_id}/timeline),
but it's not clear to mean what exactly is a "status bucket"- and how to determine an appropriate number of status buckets?

0 Karma
Reply

somesoni2
Revered Legend
‎08-16-2019 02:22 PM

Read the accepted answer from following post:
https://answers.splunk.com/answers/128761/programmatically-setting-search-mode-to-fast.html

0 Karma
Reply

yvonnec
New Member
‎08-16-2019 02:39 PM

Thank you, that helps somewhat. Just to make sure my understanding is now correct:

status_buckets is an integer that tells Splunk how many timebuckets it should keep for summary statistics about the extracted fields

Looking through docs, it seems that "time buckets" refers to a number of buckets that each span some time interval, used with certain timeline related commands (ie tstats). Is that the same definition of timebuckets as the one in the quoted portion?

It then proceeds to keep 2 buckets of summary statistics, for all the fields referenced in the search, plus the field "username".

So if status_buckets had been set to 1, or even 10, how would that have affected this output? Based on the above definition of time buckets, I understand that this means the granularity of summary statistics would have been broken down into multiple intervals (ie if status_buckets was 10 and the search time range was 10 hours, there would be 10 hour-long buckets generated)?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...