Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: how to Count warm buckets per indexer per inde...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been trying to evaluate and control the space being used in our hot/warm vol. I am trying to run searches that will show me the oldest warm data per indexer by index as well as a separate search to count my my warm buckets per indexer by index.
warm bucket count per indexer by index search.
|dbinspect state=warm index=* | stats count by splunk_server index
This is not returning a true count of the buckets stored in our hot/warm vol. For instance this search is returning a count of 2 for our webapp index on indexer idx01 but if I manually go to the bucket location we have almost 300. I need some help understanding this discrepency and hopefully getting a better query...Maybe I need to manually roll some buckets...
The search I am using to try to get an estimate of our oldest hot/warm data by index is this.
index=internal sourcetype=splunkd bucketmover warm_to_cold: | rex field=bucket "db(?\d+)\d+" | sort time_cron |convert ctime(time_cron) | dedup idx splunk_server| table splunk_server idx time_cron
Is this a decent way to do this, is there a better way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
the dbinspect command takes the time specified in time picker.
thy and run this at all time
| dbinspect index=*
| search state=warm
| stats count as bucket_count min(startEpoch) as earliest_event by index splunk_server
| eval earliest_event_human = strftime(earliest_event, "%c")
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @saulverde
you can also find the bucket for the indexes in introspection index.
try this search and replace index in data.name=_internal with your index
index="_introspection" sourcetype="splunk_disk_objects" component=indexes data.name=_internal
you will find info event count, size, bucket count for all hot/warm, cold, thawed for the index
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out the Fire Brigade series of apps:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
the dbinspect command takes the time specified in time picker.
thy and run this at all time
| dbinspect index=*
| search state=warm
| stats count as bucket_count min(startEpoch) as earliest_event by index splunk_server
| eval earliest_event_human = strftime(earliest_event, "%c")
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks I'm testing that out now. If I don't specify index=* I noticed that it only returns information for the main index. So I added that to your search. It's running now, I'll let you know if it works. Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes you re right, forgot to add it.
modifying the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
another option is to use | rest /services/data/indexes-extended and stats or table relevant fields as you desire for more robust reporting
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
