Documentation > Splunk > Search Reference > metasearch

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

metasearch

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

metasearch

Synopsis

Retrieves event metadata from indexes based on terms in the <logical-expression>.

Syntax

metasearch [<logical-expression>]

Optional arguments

<logical-expression>
Syntax: <time-opts>|<search-modifier>|((NOT)? <logical-expression>)|<index-expression>|<comparison-expression>|(<logical-expression> (OR)? <logical-expression>)
Description: Includes time and search modifiers; comparison and index expressions.

Logical expression

<comparison-expression>
Syntax: <field><cmp><value>
Description: Compare a field to a literal value or values of another field.
<index-expression>
Syntax: "<string>"|<term>|<search-modifier>
<time-opts>
Syntax: (<timeformat>)? (<time-modifier>)*

Comparison expression

<cmp>
Syntax: = | != | < | <= | > | >=
Description: Comparison operators.
<field>
Syntax: <string>
Description: The name of a field.
<lit-value>
Syntax: <string> | <num>
Description: An exact, or literal, value of a field; used in a comparison expression.
<value>
Syntax: <lit-value> | <field>
Description: In comparison-expressions, the literal (number or string) value of a field or another field name.

Index expression

<search-modifier>
Syntax: <field-specifier>|<savedsplunk-specifier>|<tag-specifier>

Time options

Splunk allows many flexible options for searching based on time. For a list of time modifiers, see the topic "Time modifiers for search"

<timeformat>
Syntax: timeformat=<string>
Description: Set the time format for starttime and endtime terms. By default, the timestamp is formatted: timeformat=%m/%d/%Y:%H:%M:%S .
<time-modifier>
Syntax: earliest=<time_modifier> | latest=<time_modifier>
Description: Specify start and end times using relative or absolute time. Read more about time modifier syntax in "Change the time range of your search"

Description

Retrieves event metadata from indexes based on terms in the <logical-expression>. Metadata fields include source, sourcetype, host, _time, index, and splunk_server.

Examples

Example 1: Return metadata for events with "404" and from host "webserver1".

404 host="webserver1"

See also

metadata, search

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metasearch command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Metasearch"

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!