In this blog we are going to learn what is dbinspect command in splunk and why it is important to know about it. Let’s begin, we know that in Splunk data are stored in bucket and rolled from one bucket to another at specified conditions. We can use dbinspect command from Splunk GUI to know more about these buckets such as – state ( hot, cold, warm) of the bucket, size, path, etc.
Syntax: | dbinspect index =
Let’s break down the result when we run command: |dbinspect index= *, as shown below.
We get the following fields in our result:
bucketid, endEpoch, Eventcount, guid, hostcount, id, index, modtime, path, rawsize, sizeOnDiskMB, splunk_server, etc.
Using this we can get a lot of information about our storage, for example:
- If we want to know the size of hot+warm buckets of all indexes but not cold, we can write:
| dbinspect index=* | search NOT state="cold" | stats sum(sizeOnDiskMB) by index
2. To know total number of indexers, we can write:
| dbinspect index=* | stats count by splunk_server
3. If we want to know about only corrupt buckets, we can write:
| dbinspect index=* corruptonly=true
and much more information we can get from dbinspect command. So, go ahead and try some of them.