Returns information about the buckets in the specified index. If you are using Splunk Enterprise, this command helps you understand where your data resides so you can optimize disk usage as required.
The Splunk index is the repository for data ingested by Splunk software. As incoming data is indexed and transformed into events, Splunk software creates files of rawdata and metadata (index files). The files reside in sets of directories organized by age. These directories are called buckets.
| dbinspect [index=<wc-string>]... [<span> | <timeformat>]
- Syntax: index=<wc-string>...
- Description: Specifies the name of an index to inspect. This option can be repeated for more indexes, and accepts wildcards such as asterisk ( * ) for all non-internal indexes.
- Default: The default index, which is typically main.
- Syntax: span=<int> | span=<int><timescale>
- Description: Specifies the span length of the bucket. If using a timescale unit (sec, min, hr, day, month, or subseconds), this is used as a time range. If not, this is an absolute bucket length.
- When you invoke the
dbinspectcommand with a bucket span, a table of the spans of each bucket is returned. When
spanis not specified, information about the buckets in the index is returned. See the table below for detailed descriptions for the information returned when no bucket span is specified.
- Syntax: timeformat=<string>
- Description: Sets the time format for the
Time scale units
These are options for specifying a timescale as the bucket span.
- Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
- Description: Time scale units.
Time scale Syntax Description <sec> s | sec | secs | second | seconds Time scale in seconds. <min> m | min | mins | minute | minutes Time scale in minutes. <hr> h | hr | hrs | hour | hours Time scale in hours. <day> d | day | days Time scale in days. <month> mon | month | months Time scale in months. <subseconds> us | ms | cs | ds Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds)
Information returned when no span is specified
When you invoke the
dbinspect command without the
span argument, the following information about the buckets in the index is returned.
|| A string comprised of |
||The timestamp for the last event in the bucket, which is the time-edge of the bucket furthest towards the future. Specify the timestamp in the number of seconds from the UNIX epoch.|
||The number of events in the bucket.|
||The globally unique identifier (GUID) of the server that hosts the index. This is relevant for index replication.|
||The number of unique hosts in the bucket.|
||The local ID number of the bucket, generated on the indexer on which the bucket originated.|
|| The name of the index specified in your search. You can specify |
|| The timestamp for the last time the bucket was modified or updated, in a format specified by the |
|| The location to the bucket. The naming convention for the bucket |
||The volume in bytes of the raw data files in each bucket. This value represents the volume before compression and the addition of index files.|
||The size in MB of disk space that the bucket takes up expressed as a floating point number. This value represents the volume of the compressed raw data files and the index files.|
||The number of unique sources in the bucket.|
||The number of unique sourcetypes in the bucket.|
||The name of the Splunk server that hosts the index in a distributed environment.|
||The timestamp for the first event in the bucket (the time-edge of the bucket furthest towards the past), in number of seconds from the UNIX epoch.|
||Whether the bucket is warm, hot, cold.|
dbinspect command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Accessing data and security
If no data is returned from the index that you specify with the
dbinspect command, it is possible that you do not have the authorization to access that index. The ability to access data in the Splunk indexes is controlled by the authorizations given to each role. See Use access control to secure Splunk data in Securing Splunk Enterprise.
1. CLI use of the
Display a chart with the span size of 1 day, using the command line interface (CLI).
myLaptop $ splunk search "| dbinspect index=_internal span=1d"
_time hot-3 warm-1 warm-2 --------------------------- ----- ------ ------ 2015-01-17 00:00:00.000 PST 0 2015-01-17 14:56:39.000 PST 0 2015-02-19 00:00:00.000 PST 0 1 2015-02-20 00:00:00.000 PST 2 1
2. Default dbinspect output
Default dbinspect output for a local _internal index.
| dbinspect index=_internal
This screen shot does not display all of the columns in the output table. On your computer, scroll to the right to see the other columns.
3. Count the number of buckets for each Splunk server
Use this command to verify that the Splunk servers in your distributed environment are included in the
dbinspect command. Counts the number of buckets for each server.
| dbinspect index=_internal | stats count by splunk_server
4. Find the index size of buckets in GB
Use dbinspect to find the index size of buckets in GB. For current numbers, run this search over a recent time range.
| dbinspect index=_internal | eval GB=sizeOnDiskMB/1024| stats sum(GB)
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the dbinspect command.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10