metadata

metadata

Synopsis

Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer.

Syntax

| metadata [type=<metadata-type>] [<index-specifier>] [<server-specifier>]

Optional arguments

type

Syntax: type= hosts | sources | sourcetypes

Description: Specify the type of metadata to return.

index-specifier

Syntax: index=<index_name>

Description: Specify the index from which to return results.

server-specifier

Syntax: splunk_server=<string>

Description: Specify the distributed search peer from which to return results. If used, you can specify only one splunk_server.

Description

The metadata command returns a list of the hosts, sources, or source types from a specified index or distributed search peer. It also returns information about when the first, last, and most recent event was seen for each value of the specified metadata type. For example, if you search for:

Your results will look something like this:

Where:

• firstTime is the timestamp for the first time that the indexer saw an event from this host.
• lastTime is the timestamp for the last time that the indexer saw an event from this host.
• recentTime is the _time for the most recent time that the index saw an event from this host.
• totalcount is the total number of events seen from this host.
• type is the specified type of metadata to display. Because this search specifies type=hosts, there is also a host column.

In most cases, when the data is streaming live, lastTime and recentTime are equal. However, if the data is historical, then the values of these fields could be different.

Examples

Example 1: Return the values of "host" for events in the "_internal" index.

Example 2:Return values of "sourcetype" for events in the "_audit" index on server foo.

See also

dbinspect

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metadata command.

• Was this topic useful?
• Post a comment