Splunk search for Buckets frozen by index
index=_internal sourcetype=splunkd earliest=-7d latest=now component=BucketMover | rex field=bkt "/opt/splunk/var/lib/splunk/cold/(?<frozen_index>[^/]+)" | stats count by frozen_index
This search shows a count, per index, of all buckets that were rolled to frozen (either deleted or archived) within the past week. Note: if your data is not stored in the standard /opt/splunk/var/lib/splunk directory, modify that portion of the rex command to match your path.