Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

dbinspect

Synopsis

Returns information about the Splunk index.

Syntax

dbinspect [index=<string>] [<span>|<timeformat>]

Optional arguments

index
Syntax: index=<string>
Description: Specify the name of the index to inspect.
<span>
Syntax: span=<int>|<int><timescale>
Description: Specify the span length of the bucket. If using a timescale unit (sec, min, hr, day, month, or subseconds), this is used as a time range. If not, this is an absolute bucket "length".
<timeformat>
Syntax: timeformat=<string>
Description: Set the time format. Defaults to timeformat=%m/%d/%Y:%H:%M:%S.

Time scale units

These are options for specifying a timescale as the bucket span.

<timescale>
Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
Description: Time scale units.
<sec>
Syntax: s | sec | secs | second | seconds
Description: Time scale in seconds.
<min>
Syntax: m | min | mins | minute | minutes
Description: Time scale in minutes.
<hr>
Syntax: h | hr | hrs | hour | hours
Description: Time scale in hours.
<day>
Syntax: d | day | days
Description: Time scale in days.
<month>
Syntax: mon | month | months
Description: Time scale in months.
<subseconds>
Syntax: us | ms | cs | ds
Description: Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds).

Description

The dbinspect command returns information about the Splunk index that you specify.

When you invoke the dbinspect command with a bucket span, Splunk returns a chartable representation of the spans of each bucket.

When you invoke the dbinspect command without a bucket span, Splunk returns the following information about the given index's buckets:

Field name Description
earliestTime The timestamp for the first event in the bucket.
eventCount The number of events in the bucket.
hostCount The number of unique hosts in the bucket.
id The local ID number of the bucket, generated on the indexer on which the bucket originated.
latestTime The timestamp for the last event in the bucket.
modTime The timestamp for the last time the bucket was modified or updated.
path The location to the bucket. The naming convention for the bucket path varies slightly, depending on whether the bucket rolled to warm while its indexer was functioning as a cluster peer:
  • For non-clustered buckets: db_<newest_time>_<oldest_time>_<localid>
  • For clustered original bucket copies: db_<newest_time>_<oldest_time>_<localid>_<guid>
  • For clustered replicated bucket copies: rb_<newest_time>_<oldest_time>_<localid>_<guid>
rawSizeMB The size of the bucket in MB.
sizeOnDiskMB The amount of memory it takes up in MB.
sourceCount The number of unique sources in the bucket.
sourceTypeCount The number of unique sourcetypes in the bucket.
state Whether the bucket is warm, hot, cold, frozen.

Examples

Example 1: Display a chart with the span size of 1 day, using the CLI.

myLaptop $ splunk search "| dbinspect index=_internal span=1d"

           _time            hot-3 warm-1 warm-2
--------------------------- ----- ------ ------
2013-01-17 00:00:00.000 PST            0       
2013-01-17 14:56:39.000 PST            0       
2013-02-19 00:00:00.000 PST            0      1
2013-02-20 00:00:00.000 PST     2             1


Example 2: Default dbinspect output for a local _internal index, using the CLI.

myLaptop $ splunk search "| dbinspect index=_internal"

   earliestTime     eventCount hostCount id     latestTime            modTime                                           path                                       rawSize  sizeOnDiskMB sourceCount sourceTypeCount state
------------------- ---------- --------- -- ------------------- ------------------- ----------------------------------------------------------------------------- --------- ------------ ----------- --------------- -----
01/17/2013:14:56:39     955834         1  1 02/19/2013:12:29:27 02/27/2013:12:28:15 /Applications/splunk/var/lib/splunk/_internaldb/db/db_1361305767_1358463399_1 166532330    54.582031           9               5 warm
02/19/2013:12:29:28      67681         1  2 02/20/2013:11:24:27 02/27/2013:12:28:30 /Applications/splunk/var/lib/splunk/_internaldb/db/db_1361388267_1361305768_2  15557200     6.617188           7               4 warm
02/20/2013:11:24:48       9474         1  3 02/27/2013:14:03:07 02/27/2013:14:03:09 /Applications/splunk/var/lib/splunk/_internaldb/db/hot_v1_3                     1604708     0.828125           7               5 hot

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the dbinspect command.

PREVIOUS
ctable
  NEXT
dedup

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

I found the answer to my prior comment here:<br /><br />http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes<br /><br />Perhaps this manual can link there as appropriate?

Sowings
February 25, 2013

I notice that the 'path' field of dbinspect output changes when a clustered index (v5.0+) is in play. Can we can an example of that output, and perhaps a decoder ring?

Sowings
February 25, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters