Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

metasearch

Description

Retrieves event metadata from indexes based on terms in the <logical-expression>. Metadata fields include source, sourcetype, host, _time, index, and splunk_server.

Syntax

metasearch [<logical-expression>]

Optional arguments

<logical-expression>
Syntax: <time-opts>|<search-modifier>|((NOT)? <logical-expression>)|<index-expression>|<comparison-expression>|(<logical-expression> (OR)? <logical-expression>)
Description: Includes time and search modifiers, comparison and index expressions.

Logical expression

<comparison-expression>
Syntax: <field><cmp><value>
Description: Compare a field to a literal value or values of another field.
<index-expression>
Syntax: "<string>"|<term>|<search-modifier>
<time-opts>
Syntax: (<timeformat>)? (<time-modifier>)*

Comparison expression

<cmp>
Syntax: = | != | < | <= | > | >=
Description: Comparison operators.
<field>
Syntax: <string>
Description: The name of a field. In metasearch, only the fields source, sourcetype, host, _time, index, and splunk_server can be used.
<lit-value>
Syntax: <string> | <num>
Description: An exact, or literal, value of a field that is used in a comparison expression.
<value>
Syntax: <lit-value> | <field>
Description: In comparison-expressions, the literal value of a field or another field name where "literal" means number or string.

Index expression

<search-modifier>
Syntax: <field-specifier>|<savedsplunk-specifier>|<tag-specifier>

Time options

The search allows many flexible options for searching based on time. For a list of time modifiers, see the topic "Time modifiers for search" in the Search Manual.

<timeformat>
Syntax: timeformat=<string>
Description: Set the time format for starttime and endtime terms. By default, timestamp is formatted: timeformat=%m/%d/%Y:%H:%M:%S .
<time-modifier>
Syntax: earliest=<time_modifier> | latest=<time_modifier>
Description: Specify start and end times using relative or absolute time. For more about the time modifier index, see "Specify time modifiers in your search" in the Search Manual.

Examples

Example 1:

Return metadata for events with "404" and from host "webserver1".

... | metasearch 404 host="webserver1"

See also

metadata, search

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metasearch command.

Retrieved from "http://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Metasearch:5.0beta&oldid=768997"
PREVIOUS
metadata 		  NEXT
mstats

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters