partitions

Retrieves metadata about events stored at a node.

partitions [predicate:expr]

Description

The partitions operator shows a summary of candidate partitions at a node.

Show only partitions which would be considered for pipelines of the form export | where <expr> instead of returning all data.

Tenzir emits partition information with the following schema:

Contains detailed information about a partition.

Field	Type	Description
`uuid`	`string`	The unique ID of the partition in the UUIDv4 format.
`memusage`	`uint64`	The memory usage of the partition in bytes.
`diskusage`	`uint64`	The disk usage of the partition in bytes.
`events`	`uint64`	The number of events contained in the partition.
`min_import_time`	`time`	The time at which the first event of the partition arrived at the `import` operator.
`max_import_time`	`time`	The time at which the last event of the partition arrived at the `import` operator.
`version`	`uint64`	The version number of the internal partition storage format.
`schema`	`string`	The schema name of the events contained in the partition.
`schema_id`	`string`	A unique identifier for the physical layout of the partition.
`store`	`record`	Resource information about the partition’s store.
`indexes`	`record`	Resource information about the partition’s indexes.
`sketches`	`record`	Resource information about the partition’s sketches.

The records store, indexes, and sketches have the following schema:

Field	Type	Description
`url`	`string`	The URL of the resource.
`size`	`uint64`	The size of the resource.

partitions
summarize schema,
  events=sum(events),
  diskusage=sum(diskusage),
  memusage=sum(memusage)
sort schema

partitions src_ip == 127.0.0.1
summarize candidates=sum(events)

partitions hostname != null