metasearch
Description
Retrieves event metadata from indexes based on terms in the <logical-expression>.
Syntax
metasearch [<logical-expression>]
Optional arguments
- <logical-expression>
- Syntax: <time-opts> | <search-modifier> | [NOT] <logical-expression> | <index-expression> | <comparison-expression> | <logical-expression> [OR <logical-expression>]
- Description: Includes time and search modifiers, comparison and index expressions.
Logical expression
- <comparison-expression>
- Syntax: <field><cmp><value>
- Description: Compare a field to a literal value or values of another field.
- <index-expression>
- Syntax: "<string>" | <term> | <search-modifier>
- <time-opts>
- Syntax: [<timeformat>] [<time-modifier>]...
Comparison expression
- <cmp>
- Syntax: = | != | < | <= | > | >=
- Description: Comparison operators.
- <field>
- Syntax: <string>
- Description: The name of one of the fields returned by the metasearch command. See Usage.
- <lit-value>
- Syntax: <string> | <num>
- Description: An exact, or literal, value of a field that is used in a comparison expression.
- <value>
- Syntax: <lit-value> | <field>
- Description: In comparison-expressions, the literal value of a field or another field name. The <lit-value> must be a number or a string.
Index expression
- <search-modifier>
- Syntax: <field-specifier> | <savedsplunk-specifier> | <tag-specifier>
Time options
The search allows many flexible options for searching based on time. For a list of time modifiers, see the topic Time modifiers for search in the Search Manual.
- <timeformat>
- Syntax: timeformat=<string>
- Description: Set the time format for starttime and endtime terms. By default, the timestamp is formatted as timeformat=%m/%d/%Y:%H:%M:%S.
- <time-modifier>
- Syntax: earliest=<time_modifier> | latest=<time_modifier>
- Description: Specify start and end times using relative or absolute time. For more about time modifiers, see Specify time modifiers in your search in the Search Manual.
Usage
The metasearch command is an event-generating command. See Command types.
Generating commands use a leading pipe character and should be the first command in a search.
The metasearch command returns these fields:
| Field | Description |
|---|---|
| host | A default field that contains the host name or IP address of the network device that generated an event. |
| index | The repository for data. When the Splunk platform indexes raw data, it transforms the data into searchable events. |
| source | A default field that identifies the source of an event, that is, where the event originated. |
| sourcetype | A default field that identifies the data structure of an event. |
| splunk_server | The name of the instance where Splunk Enterprise is installed. |
| _time | The _time field contains an event's timestamp expressed in UNIX time. |
Examples
Example 1:
Return metadata on the default index for events with "404" and from host "webserver1".
| metasearch 404 host="webserver1"
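As an added example (not from the Splunk documentation), the following search uses only the metadata fields that metasearch returns to find log sources that have stopped reporting, a routine detection-coverage check in security operations. The index wildcard, time window and 60-minute threshold are placeholders to adjust for your environment:

```spl
| metasearch index=* earliest=-24h latest=now
| stats max(_time) AS last_seen count AS events BY index sourcetype host
| eval minutes_silent = round((now() - last_seen) / 60)
| where minutes_silent > 60
| sort - minutes_silent
```

Because comparison expressions inside metasearch are limited to the fields listed in the Usage table, the silence threshold is computed downstream with eval and where rather than in the metasearch clause itself.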
See also
metadata, meventcollect
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14