Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I search specific buckets?

oreoshake
Communicator
‎03-02-2010 06:09 PM

We are having bucket performance issues and it looks like the cause is a host that is sending data "from the past" consistently. I know which bucket is causing the issue so is it possible to search by bucket?

search bucket=hot_v1_431

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

oreoshake
Communicator
‎03-02-2010 06:19 PM

Answered my own question...

Just go to $SPLUNK_HOME/var/lib/splunk/<index>/db/<bucket> and view the Hosts.data file

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎03-17-2013 11:02 AM

Yes, you can.

The _bkt field is available (though sadly, not as a search term in the first part of a search before the first |, but you can search on it). You'll need to know the index name, the bucket ID, and the GUID of the server itself. In 4.x instances, this is the guid parameter in the [general] stanza of server.conf. In 5.x, it's stored in $SPLUNK_HOME/etc/instance.cfg.

I was able to run this search for bucket ID 22 of the summary index:


index=summary | where _bkt="summary~22~4F582768-7B38-4768-95EA-EC3D491A8A23"

Reply
Solved! Jump to solution

ephemeric
Contributor
‎05-15-2013 04:04 PM

Brilliant! I have been looking for how long to do this. Thank you.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎04-23-2010 10:51 PM

An easy way to find the timestamps for events, is to use the metadata command in combination with a stats operator. You can use any type of metadata, but your final query might look like:

| metadata type=hosts | stats min(recentTime) as last_event by host | sort +last_event

The above search finds the timestamp of the last event sent to splunk by a specific host, sorted by the the UTC timestamp. You can also do the same for sources and sourcetypes.

To make this humanly readable:

| metadata type=hosts | stats min(recentTime) as last_utc by host | convert ctime(last_utc) as 
last_event
0 Karma
Reply
Solved! Jump to solution
Solution

oreoshake
Communicator
‎03-02-2010 06:19 PM

Answered my own question...

Just go to $SPLUNK_HOME/var/lib/splunk/<index>/db/<bucket> and view the Hosts.data file

0 Karma
Reply
Solved! Jump to solution

oreoshake
Communicator
‎03-09-2010 09:30 PM

Yes, I would be interested in this. Thanks!

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎03-05-2010 10:45 PM

Hosts.data will certainly show you the set of hosts that were on events which contributed to the bucket. With a bit of work you can also parse the time ranges yourself (the fields there, on a per host basis). There isn't really an exposed way to search on specific buckets, however. There's an internal field which represents the source bucket, so it is possible, but the names used are not the filesystem names. If this seems genuinely useful, I can go rediscover it. I'm not sure that this machinery is intended to be used, or possibly useful outside of troubleshooting cases.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...