Documentation > Splunk > Search Reference > dbinspect

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

dbinspect

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

dbinspect

Synopsis

Returns information about the Splunk index.

Syntax

dbinspect [index=<string>] [<span>|<timeformat>]

Optional arguments

index
Syntax: index=<string>
Description: Specify the name of the index to inspect.
<span>
Syntax: span=<int>|<int><timescale>
Description: Specify the span length of the bucket. If using a timescale unit (sec, min, hr, day, month, or subseconds), this is used as a time range. If not, this is an absolute bucket "length".
<timeformat>
Syntax: timeformat=<string>
Description: Set the time format. Defaults to timeformat=%m/%d/%Y:%H:%M:%S.

Time scale units

These are options for specifying a timescale as the bucket span.

<timescale>
Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
Description: Time scale units.
<sec>
Syntax: s | sec | secs | second | seconds
Description: Time scale in seconds.
<min>
Syntax: m | min | mins | minute | minutes
Description: Time scale in minutes.
<hr>
Syntax: h | hr | hrs | hour | hours
Description: Time scale in hours.
<day>
Syntax: d | day | days
Description: Time scale in days.
<month>
Syntax: mon | month | months
Description: Time scale in months.
<subseconds>
Syntax: us | ms | cs | ds
Description: Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds).

Description

The dbinspect command returns information about the Splunk index that you specify.

When you invoke the dbinspect command with a bucket span, Splunk returns a chartable representation of the spans of each bucket.

When you invoke the dbinspect command without a bucket span, Splunk returns the following information about the given index's buckets:

Field name Description
earliestTime The timestamp for the first event in the bucket.
eventCount The number of events in the bucket.
hostCount The number of unique hosts in the bucket.
id The local ID number of the bucket, generated on the indexer on which the bucket originated.
latestTime The timestamp for the last event in the bucket.
modTime The timestamp for the last time the bucket was modified or updated.
path The location to the bucket. The naming convention for the bucket path varies slightly, depending on whether the bucket rolled to warm while its indexer was functioning as a cluster peer:
  • For non-clustered buckets: db_<newest_time>_<oldest_time>_<localid>
  • For clustered original bucket copies: db_<newest_time>_<oldest_time>_<localid>_<guid>
  • For clustered replicated bucket copies: rb_<newest_time>_<oldest_time>_<localid>_<guid>
rawSizeMB The size of the bucket in MB.
sizeOnDiskMB The amount of memory it takes up in MB.
sourceCount The number of unique sources in the bucket.
sourceTypeCount The number of unique sourcetypes in the bucket.
state Whether the bucket is warm, hot, cold, frozen.

Examples

Example 1: Display a chart with the span size of 1 day, using the CLI.

myLaptop $ splunk search "| dbinspect index=_internal span=1d" 

           _time            hot-3 warm-1 warm-2
--------------------------- ----- ------ ------
2013-01-17 00:00:00.000 PST            0       
2013-01-17 14:56:39.000 PST            0       
2013-02-19 00:00:00.000 PST            0      1
2013-02-20 00:00:00.000 PST     2             1


Example 2: Default dbinspect output for a local _internal index, using the CLI.

myLaptop $ splunk search "| dbinspect index=_internal" 

   earliestTime     eventCount hostCount id     latestTime            modTime                                           path                                       rawSize  sizeOnDiskMB sourceCount sourceTypeCount state
------------------- ---------- --------- -- ------------------- ------------------- ----------------------------------------------------------------------------- --------- ------------ ----------- --------------- -----
01/17/2013:14:56:39     955834         1  1 02/19/2013:12:29:27 02/27/2013:12:28:15 /Applications/splunk/var/lib/splunk/_internaldb/db/db_1361305767_1358463399_1 166532330    54.582031           9               5 warm
02/19/2013:12:29:28      67681         1  2 02/20/2013:11:24:27 02/27/2013:12:28:30 /Applications/splunk/var/lib/splunk/_internaldb/db/db_1361388267_1361305768_2  15557200     6.617188           7               4 warm
02/20/2013:11:24:48       9474         1  3 02/27/2013:14:03:07 02/27/2013:14:03:09 /Applications/splunk/var/lib/splunk/_internaldb/db/hot_v1_3                     1604708     0.828125           7               5 hot

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the dbinspect command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Dbinspect"

This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.


Comments

I found the answer to my prior comment here:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes

Perhaps this manual can link there as appropriate?

Sowings
February 25, 2013

I notice that the 'path' field of dbinspect output changes when a clustered index (v5.0+) is in play. Can we can an example of that output, and perhaps a decoder ring?

Sowings
February 25, 2013

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!