Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

metadata

Synopsis

Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer.

Syntax

| metadata [type=<metadata-type>] [<index-specifier>] [<server-specifier>]

Optional arguments

type
Syntax: type= hosts | sources | sourcetypes
Description: Specify the type of metadata to return.
index-specifier
Syntax: index=<index_name>
Description: Specify the index from which to return results.
server-specifier
Syntax: splunk_server=<string>
Description: Specify the distributed search peer from which to return results. If used, you can specify only one splunk_server.

Description

The metadata command returns data about a specified index or distributed search peer. It returns information such as a list of the hosts, sources, or source types accumulated over time and when the first, last, and most recent event was seen for each value of the specified metadata type. It does not provide a snapshot of an index over a specific timeframe (such as last 7 days). For example, if you search for:

| metadata type=hosts

Your results will look something like this:

Metadata hostsEx.png

Where:

  • firstTime is the timestamp for the first time that the indexer saw an event from this host.
  • lastTime is the timestamp for the last time that the indexer saw an event from this host.
  • recentTime is the indextime for the most recent time that the index saw an event from this host (that is, the time of the last update).
  • totalcount is the total number of events seen from this host.
  • type is the specified type of metadata to display. Because this search specifies type=hosts, there is also a host column.

In most cases, when the data is streaming live, lastTime and recentTime are equal. However, if the data is historical, then the values of these fields could be different.

Examples

Example 1: Return the values of "sourcetypes" for events in the "_internal" index.

| metadata type=sourcetypes index=_internal

This returns the following report:

Searchref metadata ex1.1.png

You can also use the fieldformat command to format the results of firstTime, lastTime, and recentTime:

| metadata type=sourcetypes index=_internal | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

Now, the results are more readable:

Searchref metadata ex1.2.png

Example 2: Return values of "sourcetype" for events in the "_audit" index on server foo.

| metadata type=sourcetypes index=_audit splunk_server=foo

See also

dbinspect

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metadata command.

PREVIOUS
map
  NEXT
metasearch

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters