Splunk Cloud Platform

Search Reference

metasearch

Description

Retrieves event metadata from indexes based on terms in the <logical-expression>.

Syntax

metasearch [<logical-expression>]

Optional arguments

<logical-expression>
Syntax: <time-opts> | <search-modifier> | [NOT] <logical-expression> | <index-expression> | <comparison-expression> | <logical-expression> [OR <logical-expression>]
Description: Includes time and search modifiers, comparison and index expressions.

Logical expression

<comparison-expression>
Syntax: <field><cmp><value>
Description: Compare a field to a literal value or values of another field.
<index-expression>
Syntax: "<string>" | <term> | <search-modifier>
<time-opts>
Syntax: [<timeformat>] [<time-modifier>]...

Comparison expression

<cmp>
Syntax: = | != | < | <= | > | >=
Description: Comparison operators.
<field>
Syntax: <string>
Description: The name of one of the fields returned by the metasearch command. See Usage.
<lit-value>
Syntax: <string> | <num>
Description: An exact, or literal, value of a field that is used in a comparison expression.
<value>
Syntax: <lit-value> | <field>
Description: In comparison-expressions, the literal value of a field or another field name. The <lit-value> must be a number or a string.

Index expression

<search-modifier>
Syntax: <field-specifier> | <savedsplunk-specifier> | <tag-specifier>

Time options

The search allows many flexible options for searching based on time. For a list of time modifiers, see the topic Time modifiers for search in the Search Manual.

<timeformat>
Syntax: timeformat=<string>
Description: Set the time format for starttime and endtime terms. By default, timestamp is formatted: timeformat=%m/%d/%Y:%H:%M:%S .
<time-modifier>
Syntax: earliest=<time_modifier> | latest=<time_modifier>
Description: Specify start and end times using relative or absolute time. For more about the time modifier index, see Specify time modifiers in your search in the Search Manual.

Usage

The metasearch command is an event-generating command. See Command types.

Generating commands use a leading pipe character and should be the first command in a search.

The metasearch command returns these fields:

Field Description
host A default field that contains the host name or IP address of the network device that generated an event.
index The repository for data. When the Splunk platform indexes raw data, it transforms the data into searchable events.
source A default field that identifies the source of an event, that is, where the event originated.
sourcetype A default field that identifies the data structure of an event.
splunk_server The name of the instance where Splunk Enterprise is installed.
_time The _time field contains an event's timestamp expressed in UNIX time.

Examples

Example 1:

Return metadata on the default index for events with "404" and from host "webserver1".

| metasearch 404 host="webserver1"

See also

Commands
metadata
search
Last modified on 21 July, 2020
metadata   meventcollect

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters