01 Apr 2024 06:22 PM - last edited on 02 Apr 2024 09:03 AM by MaciejNeumann
Hello, I have the following issue: how can I verify which logs or records are being stored in the buckets, and ensure that they are being stored in the correct bucket?
Another question: to ingest bizevents into another bucket, can I use the same bucket as for the logs, or is it recommended to create a new bucket with a specific rule for this?
Thank you for your help.
01 Apr 2024 07:44 PM
There is a dt.system.bucket field on each data record, where you can see which bucket the record is in. You can just add this field to view it in the result of the query
| fieldsAdd dt.system.bucket
or summarize by it to see record counts, like in my example (filtering criteria copied from the attached processing rule):
fetch logs
| filter matchesPhrase(dt.host_group.id,"prod-salud") or matchesPhrase(dt.kubernetes.cluster.name,"prod-salud")
| summarize count(), by:{dt.system.bucket}
When you define a bucket you specify which type of data it is for. So log buckets are for logs only, bizevents buckets are for bizevents only, etc. However, you can direct log lines from different processing rules to the same bucket. You can take a look at the "Storage Management" app for clear guidance.
Kris
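As an added example that is not part of Kris's answer, the queries below extend the same dt.system.bucket check in two directions: they count bizevents per bucket as well as logs, and they run a negative check that lists matching log lines which did not land in the bucket the processing rule is supposed to target. The bucket name "prod_salud_logs" is a constructed placeholder; replace it with the bucket configured in your own rule.

```dql
// Records per bucket for the log lines matched by the processing rule
fetch logs
| filter matchesPhrase(dt.host_group.id, "prod-salud") or matchesPhrase(dt.kubernetes.cluster.name, "prod-salud")
| summarize count(), by:{dt.system.bucket}

// The same count for bizevents, which can only be stored in bizevent buckets
fetch bizevents
| summarize count(), by:{dt.system.bucket}

// Negative check: matching log lines that did NOT end up in the expected bucket
// ("prod_salud_logs" is a constructed placeholder for your bucket name)
fetch logs
| filter matchesPhrase(dt.host_group.id, "prod-salud") or matchesPhrase(dt.kubernetes.cluster.name, "prod-salud")
| filter dt.system.bucket != "prod_salud_logs"
| fieldsAdd dt.system.bucket
| limit 20
```

Run each of the three queries separately in Notebooks or the Logs app. An empty result for the third query means every matched line was routed to the expected bucket; any rows it returns show exactly which records were routed elsewhere, so you can compare their fields against the rule's matching criteria.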