Splunk archiver overview Archive Summary By Index index=_internal source=*splunk_archiver.log* finished | eval last_bucket_time=strftime(latest_bucket_time_secs, "%F %T %z")| eval transfered_mb=remote_bucket_bytes/1000000 | rename splunk_index AS "Splunk Index", virtual_index AS "Archive Index" | stats max(last_bucket_time) as "Latest Archive Bucket Time" sum(transfered_mb) as "Total Transfered MB" sum(buckets_copied) as "Total Buckets Copied" by "Splunk Index", "Archive Index" 0
Archiving Errors in the Last Day index=_internal source=*splunk_archiver.log* earliest=-1d | rex max_match=1000 "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ -\d{4} (?<severity>\w+) " | where severity="ERROR" [] -7d@h now splunk_index=" " * ALL index=_internal source=*splunk_archiver.log* committed | stats count by splunk_index 0 splunk_index splunk_index Buckets Copied index=_internal source=*splunk_archiver.log* committed $splunk_idx1$ | timechart count by splunk_index $field1.earliest$ $field1.latest$ ["host","source","sourcetype"] -7d@h now splunk_index=" " * ALL index=_internal source=*splunk_archiver.log* committed | stats count by splunk_index 0 splunk_index splunk_index Total MB Transferred index=_internal source=*splunk_archiver.log* committed "$splunk_idx2$" | eval mb = remote_bucket_bytes/1000000 | timechart sum(mb) by splunk_index $field2.earliest$ $field2.latest$ -7d@h now Buckets Update index=_internal source=*splunk_archiver.log* committed | rename bucket_name AS "Archived Bucket", splunk_index AS "Splunk Index" | eval mb=round(remote_bucket_bytes/1000000,2) | stats sum(mb) as "Archived Bucket MB" by "Splunk Index", "Archived Bucket" $field4.earliest$ $field4.latest$
-7d@h now Errors index=_internal source=*splunk_archiver.log* | rex max_match=1000 "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ -\d{4} (?<severity>\w+) " | where severity="ERROR" | timechart count AS errors $field3.earliest$ $field3.latest$ Archiving via coldToFrozen -7d@h now splunk_index=" " * ALL index=_internal source=*splunk_archiver.log* report: buckets_to_freeze_remaining_count buckets_to_freeze_deleted | stats count by splunk_index 0 splunk_index splunk_index Archives via coldToFrozen by index index=_internal source=*splunk_archiver.log* buckets_to_freeze_remaining_count buckets_to_freeze_deleted report: $splunk_idx3$ | timechart sum(buckets_to_freeze_remaining_count) as "Buckets to freeze", sum(buckets_to_freeze_deleted) as "Buckets frozen" by splunk_index $field3.earliest$ $field3.latest$ MB transferred via coldToFrozen by index index=_internal source=*splunk_archiver.log* buckets_to_freeze_size_bytes buckets_to_freeze_deleted_size_bytes report: $splunk_idx3$ | timechart sum(buckets_to_freeze_size_bytes) as "to_freeze", sum(buckets_to_freeze_deleted_size_bytes) as "frozen", by splunk_index | eval "to_freeze_mb"=to_freeze/1000000 | eval frozen_mb=frozen/1000000 | rename to_freeze_mb AS "Remaning diskspace to free (MB)", frozen_mb AS "Frozen transfered (MB)", splunk_index AS "Splunk index" | fields - to_freeze, frozen $field3.earliest$ $field3.latest$ Archiving by host -7d@h now Time spent by host index=_internal source=*splunk_archiver.log* Report: | eval secs = total_elapsed_ms/1000 | timechart sum(secs) as "Seconds spent archiving" by host $time_field5.earliest$ $time_field5.latest$ Data transferred by host index=_internal source=*splunk_archiver.log* Report: | eval mb = remote_bucket_bytes/1000000 | timechart sum(mb) as "Data transferred" by host $time_field5.earliest$ $time_field5.latest$