Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get the count of events in a bucket on a particular indexer?

stevennoble
Explorer
‎09-02-2014 03:12 PM

I'd like to be able to get a count of the number of events in a bucket on a particular indexer. Is there a binary for this?

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎09-02-2014 05:45 PM

You could run this search:

| dbinspect index=yourindexname 
| where splunk_server="name of indexer"

There are a bunch of fields that are returned - the one you want is eventCount.

You might also want to use some of the other fields in the where command to limit the results.

I don't know of a binary that you could run.

0 Karma
Reply

lguinn2
Legend
‎09-03-2014 01:45 PM

Once you have the bucket id (using @yannK's great suggestion), you can do this

| dbinspect index=yourindexname
| where splunk_server="name of indexer" bucketId="bucket id"

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-03-2014 08:46 AM

or on the file system, look in the hidden bucketManifest in the index.

example in $SPLUNK_HOME/var/lib/splunk/defautldb/db/.bucketManifest

id,path,"raw_size","event_count","host_count","source_count","sourcetype_count","size_on_disk",modtime,"frozen_in_cluster","origin_site"
"_internal~1~7A23D5BD-1F4C-49B2-A9E7-A20F2C3E460F","db_1408586228_1408560993_1",15352541,69039,1,10,8,11612160,1408667375,0,""

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-03-2014 08:41 AM

if you are trying to identify in which bucket an event is :

<my event> | eval bkt=_bkt | table bkt index splunk_server

will tell you the index, the bucket and the indexer.
the you can do the |dbinspect on this indexer.

0 Karma
Reply

stevennoble
Explorer
‎09-02-2014 06:55 PM

do you know if I can narrow this down to a single bucket? (this is pretty helpful though)

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...