Documentation > Splunk > Search Reference > metadata

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

metadata

Contents

metadata

Synopsis

Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer.

Syntax

| metadata [type=<metadata-type>] [<index-specifier>] [<server-specifier>]

Optional arguments

type
Syntax: type= hosts | sources | sourcetypes
Description: Specify the type of metadata to return.
index-specifier
Syntax: index=<index_name>
Description: Specify the index from which to return results.
server-specifier
Syntax: splunk_server=<string>
Description: Specify the distributed search peer from which to return results. If used, you can specify only one splunk_server.

Description

The metadata command returns data about a specified index or distributed search peer. It returns information such as a list of the hosts, sources, or source types accumulated over time and when the first, last, and most recent event was seen for each value of the specified metadata type. It does not provide a snapshot of an index over a specific timeframe (such as last 7 days). For example, if you search for:

| metadata type=hosts

Your results will look something like this:

Metadata hostsEx.png

Where:

  • firstTime is the timestamp for the first time that the indexer saw an event from this host.
  • lastTime is the timestamp for the last time that the indexer saw an event from this host.
  • recentTime is the indextime for the most recent time that the index saw an event from this host (that is, the time of the last update).
  • totalcount is the total number of events seen from this host.
  • type is the specified type of metadata to display. Because this search specifies type=hosts, there is also a host column.

In most cases, when the data is streaming live, lastTime and recentTime are equal. However, if the data is historical, then the values of these fields could be different.

Examples

Example 1: Return the values of "host" for events in the "_internal" index.

| metadata type=hosts index=_internal

Example 2:Return values of "sourcetype" for events in the "_audit" index on server foo.

| metadata type=sourcetypes index=_audit splunk_server=foo

See also

dbinspect

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metadata command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Metadata"

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!