Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer.
| metadata [type=<metadata-type>] [<index-specifier>] [<server-specifier>]
- Syntax: type= hosts | sources | sourcetypes
- Description: Specify the type of metadata to return.
- Syntax: index=<index_name>
- Description: Specify the index from which to return results.
- Syntax: splunk_server=<string>
- Description: Specify the distributed search peer from which to return results. If used, you can specify only one
metadata command returns data about a specified index or distributed search peer. It returns information such as a list of the hosts, sources, or source types accumulated over time and when the first, last, and most recent event was seen for each value of the specified metadata type. It does not provide a snapshot of an index over a specific timeframe (such as last 7 days). For example, if you search for:
| metadata type=hosts
Your results will look something like this:
firstTimeis the timestamp for the first time that the indexer saw an event from this host.
lastTimeis the timestamp for the last time that the indexer saw an event from this host.
indextimefor the most recent time that the index saw an event from this host (that is, the time of the last update).
totalcountis the total number of events seen from this host.
typeis the specified type of metadata to display. Because this search specifies
type=hosts, there is also a
In most cases, when the data is streaming live,
recentTime are equal. However, if the data is historical, then the values of these fields could be different.
Example 1: Return the values of "sourcetypes" for events in the "_internal" index.
| metadata type=sourcetypes index=_internal
This returns the following report:
You can also use the fieldformat command to format the results of firstTime, lastTime, and recentTime:
| metadata type=sourcetypes index=_internal | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
Now, the results are more readable:
Example 2: Return values of "sourcetype" for events in the "_audit" index on server foo.
| metadata type=sourcetypes index=_audit splunk_server=foo
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metadata command.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18