topic how to use metadata to find the last reporting time of a list of hosts from a lookuptable without getting the "Metadata results may be incomplete: 100000 entries have been received from all peers" Warning in Splunk Search

how to use metadata to find the last reporting time of a list of hosts from a lookuptable without getting the "Metadata results may be incomplete: 100000 entries have been received from all peers" Warning

pavanae — Tue, 29 Sep 2020 15:47:08 GMT

The following is my query

Now, The issue is that I have around 1000 hosts in the csv file but from the above query i can able to see only 400 hosts's information and also seen the below warning on the job.

Now how to modify my current query to overcome that warning and display all the 1000 hosts reporting status ?

Re: how to use metadata to find the last reporting time of a list of hosts from a lookuptable without getting the "Metadata results may be incomplete: 100000 entries have been received from all peers" Warning

somesoni2 — Thu, 14 Sep 2017 16:34:00 GMT

Seems like you've hit the limit of metadata command. You can try this alternative. You can use timerange for this query as last 24 hrs as you just want to know if the host's have sent data in last 24 hrs or not.
Updated

| tstats max(_time) as lastTime WHERE index=* [| inputlookup hostnames.csv | rename my_hostname as host | eval host=lower(host) | table host | format ] by host 
| inputlookup hostnames.csv append=t | eval lastTime=coalesce(lastTime,0)
| eval timeDiff=now()-lastTime
| eval last_seen_in_24_hours=if(timeDiff>86400,"NO","YES")
| eval lastReported=if(lastTime=0,"never",strftime(lastTime,"%F %T"))
| stats count by last_seen_in_24_hours

Re: how to use metadata to find the last reporting time of a list of hosts from a lookuptable without getting the "Metadata results may be incomplete: 100000 entries have been received from all peers" Warning

pavanae — Thu, 14 Sep 2017 17:19:48 GMT

Thanks for the response @somesoni2 . The above query ended with the following error

Error in 'TsidxStats': WHERE clause is not an exact query

Re: how to use metadata to find the last reporting time of a list of hosts from a lookuptable without getting the "Metadata results may be incomplete: 100000 entries have been received from all peers" Warning

somesoni2 — Thu, 14 Sep 2017 17:24:33 GMT

Try the updated answer.

Re: how to use metadata to find the last reporting time of a list of hosts from a lookuptable without getting the "Metadata results may be incomplete: 100000 entries have been received from all peers" Warning

pavanae — Thu, 14 Sep 2017 17:28:24 GMT

still same error @somesoni2

Re: how to use metadata to find the last reporting time of a list of hosts from a lookuptable without getting the "Metadata results may be incomplete: 100000 entries have been received from all peers" Warning

somesoni2 — Thu, 14 Sep 2017 19:02:58 GMT

That's strange. Similar query just works fine for me. Can you just run below and what result you get?

| inputlookup hostnames.csv | rename my_hostname as host | eval host=lower(host) | table host | format