Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- dbinspect query help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbinspect query help
mschlapfer
Explorer
10-30-2018
08:41 AM
I'm trying to write a dbinspect query to calculate the # of days of data that is stored in our hot/warm storage partition and our cold storage partition, for each index. So for example trying to get results like this:
Index, Hot/Warm Days, Cold Days
_internal, 10, 80
os, 12, 78
etc.
OR
Index, Hot/Warm Earliest Time, Cold Earliest Time
_internal, %Y %m %d, %H:%M:%S, %Y %m %d, %H:%M:%S
os, %Y %m %d, %H:%M:%S, %Y %m %d, %H:%M:%S
etc.
Can anyone help me figure out how to do this with dbinspect?
thanks,
Marcel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mschlapfer
Explorer
05-13-2019
07:59 AM
Thanks @Bselberg! This is great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bselberg
Explorer
05-01-2019
08:46 AM
This query is going to be super slow going about it from a DB inspect way.
Make sure to set the time for this greater than your cold storage typical data age.
It's a 3 step join to make the table look nice. This would be something to put as a report.
| dbinspect index=* timeformat=%s
| search state=hot
| stats max(modTime) as recentHot min(modTime) as oldestHot count as hotbuckets max(endEpoch) as hotearliestEvent min(startEpoch) as hotoldestEvent by index
| join index
[| dbinspect index=* timeformat=%s
| search state=warm
| stats max(modTime) as recentwarm min(modTime) as oldestwarm count as warmbuckets max(endEpoch) as warmearliestEvent min(startEpoch) as warmoldestEvent by index ]
| join index
[| dbinspect index=* timeformat=%s
| search state=cold
| stats max(modTime) as recentcold min(modTime) as oldestcold count as coldbuckets max(endEpoch) as coldearliestEvent min(startEpoch) as coldoldestEvent by index ]
| eval maxAgeHot=tostring((recentHot-oldestHot), "duration")
| eval maxAgeWarm=tostring((recentwarm-oldestwarm), "duration")
| eval maxIndexedEventAgeHot=tostring((hotearliestEvent-hotoldestEvent), "duration")
| eval maxIndexedEventAgeWarm=tostring((warmearliestEvent-warmoldestEvent), "duration")
| convert ctime(hotoldestEvent)
| convert ctime(hotearliestEvent)
| convert ctime(warmearliestEvent)
| convert ctime(warmoldestEvent)
| convert ctime(oldestcold)
| convert ctime(recentcold)
| convert ctime(recentwarm)
| convert ctime(oldestwarm)
| convert ctime(recentHot)
| convert ctime(oldestHot)
| sort -index
| table index,hotbuckets,warmbuckets,coldbuckets,maxIndexedEventAgeHot,maxIndexedEventAgeWarm, maxAgeHot,maxAgeWarm,recentHot ,oldestHot ,oldestwarm ,recentwarm recentcold ,oldestcold,hotoldestEvent,hotearliestEvent,warmearliestEvent,warmoldestEvent
Get Updates on the Splunk Community!
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...
