Splunk® Enterprise

Search Reference


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.



The metadata command returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. The metadata command returns information accumulated over time. You can view a snapshot of an index over a specific timeframe, such as the last 7 days.

The command shows the first, last, and most recent events that were seen for each value of the specified metadata type. For example, if you search for:

| metadata type=hosts

Your results should look something like this:

(Screenshot: results of the | metadata type=hosts search)

  • The firstTime field is the timestamp for the first time that the indexer saw an event from this host.
  • The lastTime field is the timestamp for the last time that the indexer saw an event from this host.
  • The recentTime field is the index time for the most recent time that the indexer saw an event from this host. In other words, this is the time of the last update.
  • The totalCount field is the total number of events seen from this host.
  • The type field is the specified type of metadata to display. Because this search specifies type=hosts, there is also a host column.

In most cases, when the data is streaming live, the lastTime and recentTime field values are equal. If the data is historical, however, the values might be different.

In small testing environments, the data is complete. However, in environments with large numbers of values for each category, the data might not be complete. This is intentional and allows the metadata command to operate within reasonable time and memory usage.
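As an added example (not from the Splunk documentation), the following Python post-processes rows shaped like the output of | metadata type=hosts, using the field semantics described above: it flags hosts whose lastTime has gone stale (a log source that went quiet) and hosts where recentTime differs from lastTime (historical data indexed later). The sample rows, the NOW value and all function names are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample rows shaped like the output of `| metadata type=hosts`
# (time fields are epoch seconds). The values are made up for this example.
SAMPLE_ROWS = [
    {"type": "hosts", "host": "web01", "firstTime": 1454000000,
     "lastTime": 1455100000, "recentTime": 1455100000, "totalCount": 120345},
    {"type": "hosts", "host": "db02", "firstTime": 1454000000,
     "lastTime": 1454500000, "recentTime": 1454500000, "totalCount": 98},
    {"type": "hosts", "host": "archive-import", "firstTime": 1420000000,
     "lastTime": 1425000000, "recentTime": 1455090000, "totalCount": 5000},
]


def fmt_time(epoch):
    """Render an epoch value the way fieldformat strftime(..., "%c") does (UTC here)."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%c")


def silent_hosts(rows, now, max_age_seconds=86400):
    """Hosts whose newest event timestamp (lastTime) is older than max_age_seconds.
    A host that used to log but has gone quiet is a monitoring gap worth chasing."""
    return sorted(r["host"] for r in rows if now - int(r["lastTime"]) > max_age_seconds)


def backfilled_hosts(rows):
    """Hosts whose recentTime (index time of the last update) differs from lastTime
    (latest event time). Live streams keep the two equal; a difference means
    historical data was indexed later, e.g. an import or a delayed forwarder."""
    return sorted(r["host"] for r in rows if int(r["recentTime"]) != int(r["lastTime"]))


def report(rows, now, max_age_seconds=86400):
    """One summary line per host, ordered so the most recently active host is last."""
    quiet = set(silent_hosts(rows, now, max_age_seconds))
    late = set(backfilled_hosts(rows))
    lines = []
    for r in sorted(rows, key=lambda r: int(r["lastTime"])):
        flags = [f for f, hit in (("SILENT", r["host"] in quiet),
                                  ("BACKFILLED", r["host"] in late)) if hit]
        line = (f'{r["host"]:<16} events={int(r["totalCount"]):>8,} '
                f'last={fmt_time(r["lastTime"])} {" ".join(flags)}')
        lines.append(line.rstrip())
    return lines


if __name__ == "__main__":
    NOW = 1455120000  # constructed "current" time, a few hours after web01's last event
    print("\n".join(report(SAMPLE_ROWS, NOW)))
```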


| metadata type=<metadata-type> [<index-specifier>]... [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]...

Required arguments

Syntax: type=hosts | sources | sourcetypes
Description: Specify the type of metadata to return. This must be one of the three literal strings hosts, sources, or sourcetypes.

Optional arguments

Syntax: index=<index_name>
Description: Specifies the index from which to return results. You can specify more than one index. Wildcard characters (*) can be used. To match non-internal indexes, use index=*. To match internal indexes, use index=_*.
Example: | metadata type=hosts index=cs* index=na* index=ap* index=eu*
Default: The default index, which is usually the main index.

server-specifier
Syntax: splunk_server=<string>
Description: Specify the distributed search peer from which to return results. If used, you can specify only one splunk_server.


The metadata command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.


1. Search multiple indexes

| metadata type=hosts index=cs* index=na* index=ap* index=eu*

2. Return the values of "sourcetypes" for events in the "_internal" index

| metadata type=sourcetypes index=_internal

This returns the following report.

(Screenshot: results of the | metadata type=sourcetypes index=_internal search)

3. Format the results from the metadata command to be more readable

You can also use the fieldformat command to format the results of firstTime, lastTime, and recentTime.

| metadata type=sourcetypes index=_internal | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

Now, the results are more readable:

(Screenshot: the same results after the rename and fieldformat commands)

4. Return values of "sourcetype" for events in a specific index on a specific server

Return values of "sourcetype" for events in the "_audit" index on server foo.

| metadata type=sourcetypes index=_audit splunk_server=foo

See also




Last modified on 10 February, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.13, 6.2.14, 6.2.15
