Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

dbinspect

The Splunk index is the repository for Splunk data. As Splunk indexes, or transforms incoming data into events, it creates files of rawdata and metadata (index files). The files reside in sets of directories organized by age. These directories are called buckets.

For more information, read "Indexes, indexers, and clusters" and "How Splunk stores indexes" in Managing Indexers and Clusters Manual.

Synopsis

Returns information about the state of the buckets in the Splunk index that you specify.

Syntax

dbinspect [index=<string>] [<span>|<timeformat>]

Optional arguments

index
Syntax: index=<string>
Description: Specify the name of the index to inspect.
<span>
Syntax: span=<int>|<int><timescale>
Description: Specify the span length of the bucket. If using a timescale unit (sec, min, hr, day, month, or subseconds), this is used as a time range. If not, this is an absolute bucket "length".
<timeformat>
Syntax: timeformat=<string>
Description: Set the time format. Defaults to timeformat=%m/%d/%Y:%H:%M:%S.

Time scale units

These are options for specifying a timescale as the bucket span.

<timescale>
Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
Description: Time scale units.
<sec>
Syntax: s | sec | secs | second | seconds
Description: Time scale in seconds.
<min>
Syntax: m | min | mins | minute | minutes
Description: Time scale in minutes.
<hr>
Syntax: h | hr | hrs | hour | hours
Description: Time scale in hours.
<day>
Syntax: d | day | days
Description: Time scale in days.
<month>
Syntax: mon | month | months
Description: Time scale in months.
<subseconds>
Syntax: us | ms | cs | ds
Description: Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds).

Description

When you invoke the dbinspect command with a bucket span, Splunk returns a table of the spans of each bucket.

When you invoke the dbinspect command without a bucket span, Splunk returns the following information about the given index's buckets:

Field name Description
earliestTime The timestamp for the first event in the bucket.
eventCount The number of events in the bucket.
hostCount The number of unique hosts in the bucket.
id The local ID number of the bucket, generated on the indexer on which the bucket originated.
latestTime The timestamp for the last event in the bucket.
modTime The timestamp for the last time the bucket was modified or updated.
path The location to the bucket. The naming convention for the bucket path varies slightly, depending on whether the bucket rolled to warm while its indexer was functioning as a cluster peer:
  • For non-clustered buckets: db_<newest_time>_<oldest_time>_<localid>
  • For clustered original bucket copies: db_<newest_time>_<oldest_time>_<localid>_<guid>
  • For clustered replicated bucket copies: rb_<newest_time>_<oldest_time>_<localid>_<guid>

For more information, read "How Splunk stores indexes" and "Basic cluster architecture" in the Managing Indexers and Clusters Manual.

rawSize The volume in bytes of the raw data files in each bucket. This value represents the volume before compression and the addition of index files.
sizeOnDiskMB The size in MB of memory the bucket takes up. This value represents the volume of the compressed raw data files and the index files.
sourceCount The number of unique sources in the bucket.
sourceTypeCount The number of unique sourcetypes in the bucket.
state Whether the bucket is warm, hot, cold.

Examples

Example 1: Display a chart with the span size of 1 day, using the CLI.

myLaptop $ splunk search "| dbinspect index=_internal span=1d"

           _time            hot-3 warm-1 warm-2
--------------------------- ----- ------ ------
2013-01-17 00:00:00.000 PST            0       
2013-01-17 14:56:39.000 PST            0       
2013-02-19 00:00:00.000 PST            0      1
2013-02-20 00:00:00.000 PST     2             1


Example 2: Default dbinspect output for a local _internal index, using the CLI.

myLaptop $ splunk search "| dbinspect index=_internal"

   earliestTime     eventCount hostCount id     latestTime            modTime                                           path                                       rawSize  sizeOnDiskMB sourceCount sourceTypeCount state
------------------- ---------- --------- -- ------------------- ------------------- ----------------------------------------------------------------------------- --------- ------------ ----------- --------------- -----
01/17/2013:14:56:39     955834         1  1 02/19/2013:12:29:27 02/27/2013:12:28:15 /Applications/splunk/var/lib/splunk/_internaldb/db/db_1361305767_1358463399_1 166532330    54.582031           9               5 warm
02/19/2013:12:29:28      67681         1  2 02/20/2013:11:24:27 02/27/2013:12:28:30 /Applications/splunk/var/lib/splunk/_internaldb/db/db_1361388267_1361305768_2  15557200     6.617188           7               4 warm
02/20/2013:11:24:48       9474         1  3 02/27/2013:14:03:07 02/27/2013:14:03:09 /Applications/splunk/var/lib/splunk/_internaldb/db/hot_v1_3                     1604708     0.828125           7               5 hot

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the dbinspect command.

PREVIOUS
ctable
  NEXT
dedup

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

I've updated the topic. Thanks for catching it!

Sophy, Splunker
March 27, 2013

I believe there is a typo in this document: As of now, it says:<br /> rawSize The size in MB of the raw data files in each bucket.<br /><br />However, it appears that rawSize is actually the volume of data raw data that was indexed in *bytes* (not megabytes), prior to compression and the addition of index files.<br /><br />sizeOnDiskMB represents the compressed raw data + index files.

Dbylertbg
March 27, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters