metadata

Description

The metadata command returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer. The metadata command returns information accumulated over time. You can view a snapshot of an index over a specific timeframe, such as the last 7 days.

The command shows the first, last, and most recent events that were seen for each value of the specified metadata type. For example, if you search for:

| metadata type=hosts

Your results should look something like this:

• The firstTime field is the timestamp for the first time that the indexer saw an event from this host.
• The lastTime field is the timestamp for the last time that the indexer saw an event from this host.
• The recentTime field is the indextime for the most recent time that the index saw an event from this host. In other words, this is the time of the last update.
• The totalcount field is the total number of events seen from this host.
• The type field is the specified type of metadata to display. Because this search specifies type=hosts, there is also a host column.

In most cases, when the data is streaming live, the lastTime and recentTime field values are equal. If the data is historical, however, the values might be different.

In small testing environments, the data is complete. However, in environments with large numbers of values for each category, the data might not be complete. This is intentional and allows the metadata command to operate within reasonable time and memory usage.

Syntax

| metadata type=<metadata-type> [<index-specifier>]... [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]...

Required arguments

type

Syntax: type= hosts | sources | sourcetypes

Description: Specify the type of metadata to return. This must be one of the three literal strings host, sources, or sourcetypes.

Optional arguments

index-specifier

Syntax: index=<index_name>

Description: Specifies the index from which to return results. You can specify more than one index. Wildcard characters (*) can be used. To match non-internal indexes, use index=*. To match internal indexes, use index=_*.

Example: | metadata type=hosts index=cs* index=na* index=ap* index=eu*

Default: The default index, which is usually the main index.

server-specifier Syntax: splunk_server=<string> Description: Specify the distributed search peer from which to return results. If used, you can specify only one splunk_server.

Usage

The metadata command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Examples

1. Search multiple indexes

metadata type=hosts index=cs* index=na* index=ap* index=eu*

2. Return the values of "sourcetypes" for events in the "_internal" index

| metadata type=sourcetypes index=_internal

This returns the following report.

3. Format the results from the metadata command to be more readable

You can also use the fieldformat command to format the results of firstTime, lastTime, and recentTime.

| metadata type=sourcetypes index=_internal | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

Now, the results are more readable:

4. Return values of "sourcetype" for events in a specific index on a specific server

Return values of "sourcetype" for events in the "_audit" index on server foo.

| metadata type=sourcetypes index=_audit splunk_server=foo

See also

dbinspect

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metadata command.