metadata command returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. The
metadata command returns information accumulated over time. You can view a snapshot of an index over a specific timeframe, such as the last 7 days, by using the time range picker.
| metadata type=<metadata-type> [<index-specifier>]... [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]...
- Syntax: type= hosts | sources | sourcetypes
- Description: The type of metadata to return. This must be one of the three literal strings: hosts, sources, or sourcetypes.
- Syntax: index=<index_name>
- Description: Specifies the index from which to return results. You can specify more than one index. Wildcard characters (*) can be used. To match non-internal indexes, use
index=*. To match internal indexes, use
| metadata type=hosts index=cs* index=na* index=ap* index=eu*
- Default: The default index, which is usually the main index.
- Syntax: splunk_server=<wc-string>
- Description: Specifies the distributed search peer from which to return results.
- If you are using Splunk Cloud Platform, omit this parameter.
- If you are using Splunk Enterprise, you can specify only one
splunk_serverargument. However, you can use a wildcard when you specify the server name to indicate multiple servers. For example, you can specify
localto refer to the search head.
- Default: All configured search peers return information
- Syntax: splunk_server_group=<wc-string>...
- Description: Limits the results to one or more server groups. If you are using Splunk Cloud, omit this parameter. You can specify a wildcard character in the string to indicate multiple server groups.
metadata command is a report-generating command. See Command types.
Generating commands use a leading pipe character and should be the first command in a search.
metadata command fetches data from all peers, any command run after it runs only on the search head.
The command shows the first, last, and most recent events that were seen for each value of the specified
metadata type. For example, if you search for:
| metadata type=hosts
Your results should look something like this:
firstTimefield is the timestamp for the first time that the indexer saw an event from this host.
lastTimefield is the timestamp for the last time that the indexer saw an event from this host.
recentTimefield is the
indextimefor the most recent time that the index saw an event from this host. In other words, this is the time of the last update.
totalcountfield is the total number of events seen from this host.
typefield is the specified type of metadata to display. Because this search specifies
type=hosts, there is also a
In most cases, when the data is streaming live, the
recentTime field values are equal. If the data is historical, however, the values might be different.
In small testing environments, the data is complete. However, in environments with large numbers of values for each category, the data might not be complete. This is intentional and allows the
metadata command to operate within reasonable time and memory usage.
metadata command in a real-time search that returns a large number of results will very quickly consume all the available memory on the Splunk server. Use caution when you use the
metadata command in real-time searches.
Set the time range using the Time Range Picker. You cannot use the
latest time range modifiers in the search string. Time range modifiers must be set before the first piped command and generating commands in general do not allow anything to be specified before the first pipe.
If you specify a time range other than
All Time for your search, the search results might not be precise. The metadata is stored as aggregate numbers for each bucket on the index. A bucket is either included or not included based on the time range you specify.
For example, you run the following search specifying a time range of
Last 7 days. The time range corresponds to January 1st to January 7th.
| metadata type=sourcetypes index=ap
There is a bucket on the index that contains events from both December 31st and January 1st. The metadata from that bucket is included in the information returned from search.
By default, a maximum of 10,000 results are returned. This maximum is controlled by the
maxresultrows setting in the
[metadata] stanza In the limits.conf file.
1. Search multiple indexes
Return the metadata for indexes that represent different regions.
| metadata type=hosts index=cs* index=na* index=ap* index=eu*
2. Search for sourcetypes
Return the values of
sourcetypes for events in the
| metadata type=sourcetypes index=_internal
This returns the following report.
3. Format the results from the metadata command
You can also use the fieldformat command to format the results of the firstTime, lastTime, and recentTime columns to be more readable.
| metadata type=sourcetypes index=_internal | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
Click on the Count field label to sort the results and show the highest count first. Now, the results are more readable:
4. Return values of "sourcetype" for events in a specific index on a specific server
Return values of "sourcetype" for events in the "_audit" index on server foo.
| metadata type=sourcetypes index=_audit splunk_server=foo
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.1, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 8.0.0, 8.0.10, 8.0.2
Feedback submitted, thanks!