Related Answers
Download topic as PDF
metasearch
Description
Retrieves event metadata from indexes based on terms in the <logical-expression>. Metadata fields include source, sourcetype, host, _time, index, and splunk_server.
Syntax
metasearch [<logical-expression>]
Optional arguments
- <logical-expression>
- Syntax: <time-opts>|<search-modifier>|((NOT)? <logical-expression>)|<index-expression>|<comparison-expression>|(<logical-expression> (OR)? <logical-expression>)
- Description: Includes time and search modifiers, comparison and index expressions.
Logical expression
- <comparison-expression>
- Syntax: <field><cmp><value>
- Description: Compare a field to a literal value or values of another field.
- <index-expression>
- Syntax: "<string>"|<term>|<search-modifier>
- <time-opts>
- Syntax: (<timeformat>)? (<time-modifier>)*
Comparison expression
- <cmp>
- Syntax: = | != | < | <= | > | >=
- Description: Comparison operators.
- <field>
- Syntax: <string>
- Description: The name of a field. In metasearch, only the fields source, sourcetype, host, _time, index, and splunk_server can be used.
- <lit-value>
- Syntax: <string> | <num>
- Description: An exact, or literal, value of a field that is used in a comparison expression.
- <value>
- Syntax: <lit-value> | <field>
- Description: In comparison-expressions, the literal value of a field or another field name where "literal" means number or string.
Index expression
- <search-modifier>
- Syntax: <field-specifier>|<savedsplunk-specifier>|<tag-specifier>
Time options
The search allows many flexible options for searching based on time. For a list of time modifiers, see the topic "Time modifiers for search" in the Search Manual.
- <timeformat>
- Syntax: timeformat=<string>
- Description: Set the time format for starttime and endtime terms. By default, timestamp is formatted:
timeformat=%m/%d/%Y:%H:%M:%S.
- <time-modifier>
- Syntax: earliest=<time_modifier> | latest=<time_modifier>
- Description: Specify start and end times using relative or absolute time. For more about the time modifier index, see "Specify time modifiers in your search" in the Search Manual.
Examples
Example 1:
Return metadata for events with "404" and from host "webserver1".
... | metasearch 404 host="webserver1"
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the metasearch command.
|
PREVIOUS metadata |
NEXT multikv |
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0
Feedback submitted, thanks!