I am running 2 search: | rest splunk_server=* /services/data/indexes-extended | search title = _internal | stats max(bucket_dirs.home.warm_bucket_count) by title | dbinspect index=_...
...'d like to be able to run it from CLI:
| dbinspect index=_internal
| fields state,id,rawSize,sizeOnDiskMB
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
| eval rawTotalinMB=(r...
Hello splunkers,
This is probably some kind of expected behavior but I would still like to confirm. I noticed that dbinspect shows endEpoch time well into the future (some 12h into the future), w...
...I also tried this:
|dbinspect index=x
|eval date=strftime(startEpoch,"%F")
|chart sum(rawSize) over date
|rename sum(*) -> *
The results are different, dbinspect reporting lower values t...
So, when I try to do a straight |dbinspect , I only get results for main instead of for all indexes. This is the same on the search head as it is on the index directly. Any thoughts on where I n...
...o ignore the indexes
| dbinspect index=* NOT index=_internals NOT index=_introspection NOT index=collectd NOT index=splunkforwarders NOT index=_audit| search state=hot | eval diff=now()-e...
Hi Forum,
I trying to determine when a bucket rolled from hot to warm.
For me it looks like modTime value is updated when a bucket is rolled from hot to warm but not when it's moved from warm ...
When I try to run dbinspect, it returns no results:
| dbinspect index=_internal span=1d
I have a single search head (where I'm running this), distributing search to 2 indexers.
This seems weird. My index clusters (dev, qa, and production environments) seem to be completely ignoring my indexes configuration.
The sizeOnDiskMB value for indexes in /opt/splunk shows values ...