I've been trying to evaluate and control the space being used in our hot/warm vol. I am trying to run searches that will show me the oldest warm data per indexer by index as well as a separate search to count my warm buckets per indexer by index.
Warm bucket count per indexer by index search:
|dbinspect state=warm index=* | stats count by splunk_server index
This is not returning a true count of the buckets stored in our hot/warm vol. For instance, this search is returning a count of 2 for our webapp index on indexer idx01, but if I manually go to the bucket location we have almost 300. I need some help understanding this discrepancy and hopefully getting a better query... Maybe I need to manually roll some buckets...
The search I am using to try to get an estimate of our oldest hot/warm data by index is this.
index=_internal sourcetype=splunkd bucketmover warm_to_cold: | rex field=bucket "db_(?<time_cron>\d+)_\d+" | sort time_cron | convert ctime(time_cron) | dedup idx splunk_server | table splunk_server idx time_cron
Is this a decent way to do this, is there a better way?
You can also find the bucket for the indexes in the introspection index.
Try this search, replacing the index in data.name=_internal with your index:
index="_introspection" sourcetype="splunk_disk_objects" component=indexes data.name=_internal
You will find info: event count, size, and bucket count for all hot/warm, cold, and thawed for the index.
The dbinspect command takes the time specified in the time picker.
Try and run this at
| dbinspect index=* | search state=warm | stats count as bucket_count min(startEpoch) as earliest_event by index splunk_server | eval earliest_event_human = strftime(earliest_event, "%c")
Hope it helps.
Thanks, I'm testing that out now. If I don't specify index=* I noticed that it only returns information for the main index. So I added that to your search. It's running now, I'll let you know if it works. Thanks again.
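A way to cross-check the dbinspect numbers against what is actually on disk, as an added example that is not part of the original thread: it counts warm bucket directories and finds the oldest event time per index directory from the bucket names alone. It assumes the default layout ($SPLUNK_DB/<index dir>/db) and the db_<newest>_<oldest>_<id> bucket naming; the function names and the sample paths are made up for illustration.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

# Warm bucket dir: db_<newest_epoch>_<oldest_epoch>_<local_id>[_<guid>]
# rb_ = replicated copy on a clustered indexer (counted here as warm; assumption).
# Hot buckets are named hot_v1_<id> and are skipped.
WARM_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")

def list_bucket_paths(splunk_db):
    """Yield '<index dir>/db/<bucket dir>' for every directory in each home path."""
    for idx in os.scandir(splunk_db):
        home = os.path.join(idx.path, "db")
        if idx.is_dir() and os.path.isdir(home):
            for entry in os.scandir(home):
                if entry.is_dir():
                    yield f"{idx.name}/db/{entry.name}"

def summarize_warm(paths):
    """Return {index_dir: {'bucket_count': n, 'earliest_event': epoch}}."""
    summary = defaultdict(lambda: {"bucket_count": 0, "earliest_event": None})
    for path in paths:
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[1] != "db":
            continue  # colddb, thaweddb or unrelated paths
        m = WARM_RE.match(parts[2])
        if not m:
            continue  # hot_v1_*, stray files, partially written dirs
        oldest = int(m.group(2))
        row = summary[parts[0]]
        row["bucket_count"] += 1
        if row["earliest_event"] is None or oldest < row["earliest_event"]:
            row["earliest_event"] = oldest
    return dict(summary)

# Constructed sample listing (not real data). Note the directory name can differ
# from the index name, e.g. the main index lives in defaultdb.
SAMPLE = [
    "webapp/db/db_1389230491_1389230488_5",
    "webapp/db/db_1389230400_1388000000_4",
    "webapp/db/rb_1389000000_1387000000_7_0A1B2C3D-1111-2222-3333-444455556666",
    "webapp/db/hot_v1_8",
    "webapp/colddb/db_1380000000_1370000000_1",
    "defaultdb/db/db_1389230491_1389000000_2",
]

if __name__ == "__main__":
    for name, row in sorted(summarize_warm(SAMPLE).items()):
        ts = datetime.fromtimestamp(row["earliest_event"], timezone.utc)
        print(name, row["bucket_count"], ts.isoformat())
```

On an indexer, pass `list_bucket_paths(os.environ["SPLUNK_DB"])` to `summarize_warm` instead of `SAMPLE` and compare the counts with the dbinspect output run over All time.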