Splunk® Enterprise

Search Reference

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

metadata

Description

The metadata command returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer. The metadata command returns information accumulated over time. You can view a snapshot of an index over a specific timeframe, such as the last 7 days.

The command shows the first, last, and most recent events that were seen for each value of the specified metadata type. For example, if you search for:

| metadata type=hosts

Your results should look something like this:

Metadata hostsEx.png

  • The firstTime field is the timestamp for the first time that the indexer saw an event from this host.
  • The lastTime field is the timestamp for the last time that the indexer saw an event from this host.
  • The recentTime field is the indextime for the most recent time that the index saw an event from this host. In other words, this is the time of the last update.
  • The totalcount field is the total number of events seen from this host.
  • The type field is the specified type of metadata to display. Because this search specifies type=hosts, there is also a host column.

In most cases, when the data is streaming live, the lastTime and recentTime field values are equal. If the data is historical, however, the values might be different.

In small testing environments, the data is complete. However, in environments with large numbers of values for each category, the data might not be complete. This is intentional and allows the metadata command to operate within reasonable time and memory usage.

Syntax

| metadata type=<metadata-type> [<index-specifier>]... [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]...

Required arguments

type
Syntax: type= hosts | sources | sourcetypes
Description: Specify the type of metadata to return. This must be one of the three literal strings host, sources, or sourcetypes.

Optional arguments

index-specifier
Syntax: index=<index_name>
Description: Specifies the index from which to return results. You can specify more than one index. Wildcard characters (*) can be used. To match non-internal indexes, use index=*. To match internal indexes, use index=_*.
Example: | metadata type=hosts index=cs* index=na* index=ap* index=eu*
Default: The default index, which is usually the main index.

server-specifier Syntax: splunk_server=<string> Description: Specify the distributed search peer from which to return results. If used, you can specify only one splunk_server.

Usage

The metadata command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Examples

1. Search multiple indexes

metadata type=hosts index=cs* index=na* index=ap* index=eu*

2. Return the values of "sourcetypes" for events in the "_internal" index

| metadata type=sourcetypes index=_internal

This returns the following report.

Searchref metadata ex1.1.png

3. Format the results from the metadata command to be more readable

You can also use the fieldformat command to format the results of firstTime, lastTime, and recentTime.

| metadata type=sourcetypes index=_internal | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

Now, the results are more readable:

Searchref metadata ex1.2.png

4. Return values of "sourcetype" for events in a specific index on a specific server

Return values of "sourcetype" for events in the "_audit" index on server foo.

| metadata type=sourcetypes index=_audit splunk_server=foo

See also

dbinspect

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metadata command.

PREVIOUS
map 		  NEXT
metasearch

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.13, 6.2.14, 6.2.15

Comments

Can you tell me if there is any possibility wherein recentTime field differs from lastTime field ??

Umang solanki
September 2, 2015

Mcoleman0: If the index isn't specified, the search defaults to index=main.<br /><br />SloshBurch: I believe the difference is that lastTime refers to the last event based on the timestamp of the event (_time), whereas recentTime refers to the last event based on the time that it was indexed (_indextime). I will confirm and update the topic.<br /><br />Thanks!

Sophy
February 12, 2014

It seems that there are a good amount of questions on answers.splunk.com regarding the difference bewteen lastTime and recentTime. Perhaps there's an opportunity to provide additional detail/clarity in this article?

SloshBurch
February 7, 2014

Not clear what happens if 'index=something' is not used. Does this return metadata from all indexes? Or is there a default value?

Mcoleman0
February 6, 2014

It would be great to see an example that uses the metadata command in a subsearch!

Lguinn
November 27, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters