Splunk® Enterprise

Search Reference

This documentation does not apply to the most recent version of Splunk.

dbinspect

Description

Returns information about the buckets in the specified index. If you are using Splunk Enterprise, this command helps you understand where your data resides so you can optimize disk usage as required.

The Splunk index is the repository for data ingested by Splunk software. As incoming data is indexed and transformed into events, Splunk software creates files of rawdata and metadata (index files). The files reside in sets of directories organized by age. These directories are called buckets.

For more information, see Indexes, indexers, and clusters and How the indexer stores indexes in Managing Indexers and Clusters of Indexers.

Syntax

| dbinspect [index=<wc-string>]... [<span> | <timeformat>]

Optional arguments

index
Syntax: index=<wc-string>...
Description: Specifies the name of an index to inspect. This option can be repeated for more indexes, and accepts wildcards such as asterisk ( * ) for all non-internal indexes.
Default: The default index, which is typically main.
<span>
Syntax: span=<int> | span=<int><timescale>
Description: Specifies the span length of the bucket. If using a timescale unit (sec, min, hr, day, month, or subseconds), this is used as a time range. If not, this is an absolute bucket length.
When you invoke the dbinspect command with a bucket span, a table of the spans of each bucket is returned. When span is not specified, information about the buckets in the index is returned. See the table below for detailed descriptions for the information returned when no bucket span is specified.
<timeformat>
Syntax: timeformat=<string>
Description: Sets the time format for the modTime field.
Default: timeformat=%m/%d/%Y:%H:%M:%S

Time scale units

These are options for specifying a timescale as the bucket span.

<timescale>
Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
Description: Time scale units.
Time scale    Syntax                              Description
------------  ----------------------------------  -----------
<sec>         s | sec | secs | second | seconds   Time scale in seconds.
<min>         m | min | mins | minute | minutes   Time scale in minutes.
<hr>          h | hr | hrs | hour | hours         Time scale in hours.
<day>         d | day | days                      Time scale in days.
<month>       mon | month | months                Time scale in months.
<subseconds>  us | ms | cs | ds                   Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds).

Information returned when no span is specified

When you invoke the dbinspect command without the span argument, the following information about the buckets in the index is returned.

Field name       Description
---------------  -----------
bucketId         A string composed of <index>~<id>~<guId>, where the delimiters are tilde characters. For example, summary~2~4491025B-8E6D-48DA-A90E-89AC3CF2CE80.
endEpoch         The timestamp for the last event in the bucket (the time-edge of the bucket furthest towards the future), in number of seconds from the UNIX epoch.
eventCount       The number of events in the bucket.
guId             The globally unique identifier (GUID) of the server that hosts the index. This is relevant for index replication.
hostCount        The number of unique hosts in the bucket.
id               The local ID number of the bucket, generated on the indexer on which the bucket originated.
index            The name of the index specified in your search. You can specify index=* to inspect all of the indexes, and the index field will vary accordingly.
modTime          The timestamp for the last time the bucket was modified or updated, in a format specified by the timeformat flag.
path             The location of the bucket. The naming convention for the bucket path varies slightly, depending on whether the bucket rolled to warm while its indexer was functioning as a cluster peer:
                   • For non-clustered buckets: db_<newest_time>_<oldest_time>_<localid>
                   • For clustered original bucket copies: db_<newest_time>_<oldest_time>_<localid>_<guid>
                   • For clustered replicated bucket copies: rb_<newest_time>_<oldest_time>_<localid>_<guid>
                 For more information, read "How Splunk stores indexes" and "Basic cluster architecture" in Managing Indexers and Clusters of Indexers.
rawSize          The volume in bytes of the raw data files in each bucket. This value represents the volume before compression and the addition of index files.
sizeOnDiskMB     The size in MB of disk space that the bucket takes up, expressed as a floating point number. This value represents the volume of the compressed raw data files and the index files.
sourceCount      The number of unique sources in the bucket.
sourceTypeCount  The number of unique sourcetypes in the bucket.
splunk_server    The name of the Splunk server that hosts the index in a distributed environment.
startEpoch       The timestamp for the first event in the bucket (the time-edge of the bucket furthest towards the past), in number of seconds from the UNIX epoch.
state            Whether the bucket is warm, hot, or cold.
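
The bucketId and path naming conventions described above, parsed in Python as an added example (not Splunk code) for inventorying bucket directories from a backup or disk image and checking which time range and which copies are present. It assumes <newest_time> and <oldest_time> are UNIX epoch seconds like startEpoch and endEpoch; the function names and sample paths are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Directory-name conventions listed for the path field:
#   db_<newest_time>_<oldest_time>_<localid>          non-clustered
#   db_<newest_time>_<oldest_time>_<localid>_<guid>   clustered, original copy
#   rb_<newest_time>_<oldest_time>_<localid>_<guid>   clustered, replicated copy
BUCKET_DIR = re.compile(r"(?P<prefix>db|rb)_(?P<newest>\d+)_(?P<oldest>\d+)"
                        r"_(?P<localid>\d+)(?:_(?P<guid>[0-9A-Fa-f-]{36}))?")

# Constructed sample paths (not taken from a real indexer).
SAMPLE_PATHS = [
    "/data/splunk/main/db/db_1424419200_1424332800_2",
    "/data/splunk/main/db/db_1424505600_1424419200_3_4491025B-8E6D-48DA-A90E-89AC3CF2CE80",
    "/data/splunk/main/db/rb_1424332800_1421478000_1_4491025B-8E6D-48DA-A90E-89AC3CF2CE80",
    "/data/splunk/main/db/not_a_bucket",
]


def parse_bucket_path(path):
    """Parse the last path component; return None if it matches no listed convention."""
    name = path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    m = BUCKET_DIR.fullmatch(name)
    if m is None or (m["prefix"] == "rb" and m["guid"] is None):
        return None
    newest, oldest = int(m["newest"]), int(m["oldest"])
    if newest < oldest:
        return None  # time edges out of order: treat the name as malformed
    kind = ("non-clustered" if m["guid"] is None
            else "clustered original" if m["prefix"] == "db"
            else "clustered replicated")
    return {"kind": kind, "newest": newest, "oldest": oldest,
            "localid": int(m["localid"]), "guid": m["guid"]}


def parse_bucket_id(bucket_id):
    """Split <index>~<id>~<guId> from the right on the tilde delimiters."""
    index, local_id, guid = bucket_id.rsplit("~", 2)
    return {"index": index, "id": int(local_id), "guId": guid}


def coverage(paths):
    """Return (oldest, newest) as UTC datetimes over all parseable paths, or None."""
    parsed = [p for p in map(parse_bucket_path, paths) if p]
    if not parsed:
        return None
    edges = min(p["oldest"] for p in parsed), max(p["newest"] for p in parsed)
    return tuple(datetime.fromtimestamp(t, tz=timezone.utc) for t in edges)
```

Names that match none of the three listed conventions are skipped rather than guessed at, so coverage() reflects only buckets whose time edges can be read from the directory name.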

Usage

The dbinspect command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Accessing data and security

If no data is returned from the index that you specify with the dbinspect command, it is possible that you do not have the authorization to access that index. The ability to access data in the Splunk indexes is controlled by the authorizations given to each role. See Use access control to secure Splunk data in Securing Splunk Enterprise.

Examples

1. CLI use of the dbinspect command

Display a chart with the span size of 1 day, using the command line interface (CLI).

myLaptop $ splunk search "| dbinspect index=_internal span=1d"

           _time            hot-3 warm-1 warm-2
--------------------------- ----- ------ ------
2015-01-17 00:00:00.000 PST            0       
2015-01-17 14:56:39.000 PST            0       
2015-02-19 00:00:00.000 PST            0      1
2015-02-20 00:00:00.000 PST     2             1

2. Default dbinspect output

Default dbinspect output for a local _internal index.

| dbinspect index=_internal

[Screenshot: default dbinspect output for the _internal index]

This screen shot does not display all of the columns in the output table. On your computer, scroll to the right to see the other columns.

3. Count the number of buckets for each Splunk server

Count the number of buckets for each server. Use this search to verify that the Splunk servers in your distributed environment are included in the dbinspect results.

| dbinspect index=_internal | stats count by splunk_server

4. Find the index size of buckets in GB

Use dbinspect to find the index size of buckets in GB. For current numbers, run this search over a recent time range.

| dbinspect index=_internal | eval GB=sizeOnDiskMB/1024 | stats sum(GB)


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10


Comments

Brett - Thanks for your comment on roles and authorizations. I added some information about this to the Usage section above.

Lstewart splunk, Splunker
November 9, 2017

Interesting nugget, too... in our environment, we limit the admin role's default indexes to search to default only. Which should always be empty. So, this command was only giving me the default index. We actually don't have a role which can search all indexes by default. More of a control and accountability thing. Though I CAN search with my admin role in indexes which don't belong to me, I SHOULDN'T do that. And if I WERE to do that, I would have to specifically type 'index=<what I shouldn't be looking at>' into a search. Which I could theoretically detect and alert on an admin doing nefarious things. But it's just me. :)

Brettwilliams
October 27, 2017

Thanks Lguinn. Yes, it does work in a distributed environment. You can verify with something like this:

| dbinspect index=_internal | stats count by splunk_server

Lstewart splunk, Splunker
December 2, 2015

Does dbinspect work in a distributed environment? If I run this command on a search head, will it return information about the index from across all the indexers where the buckets reside?

Lguinn, Splunker
November 30, 2015

Thanks, Ncsantucci! We've updated the example.

Andrewb splunk
August 8, 2014

Example 2 above reads

dbinspect index=_internal

when in point of fact it should read

| dbinspect index=_internal

Ncsantucci
August 6, 2014
