topic Re: Splunk Hosts metadata correlation with index in Splunk Search

Splunk Hosts metadata correlation with index

Mag2sub — Thu, 03 Jul 2014 08:45:08 GMT

Im using a metadata type=hosts query to output hosts that have not logged data using recenttime
However i dont see the index name being output by this..is there anyway to correlate the host to its index in a query that starts with |metadata type=hosts ?
thanks!

Re: Splunk Hosts metadata correlation with index

martin_mueller — Thu, 03 Jul 2014 09:09:27 GMT

You could use this to emulate metadata:

| tstats latest(_time) latest(_indextime) count where index=* by host index

Re: Splunk Hosts metadata correlation with index

Mag2sub — Thu, 03 Jul 2014 09:36:26 GMT

Hmmm...this throws error expecting a namespace ...tsidxstats error...missing "FROM" keyword to specify namespace
does this work against indexes ? above error suggests it runs only against tsidxstats of tscollect

Re: Splunk Hosts metadata correlation with index

martin_mueller — Thu, 03 Jul 2014 09:49:05 GMT

This runs against indexes... on Splunk 6. Are you still on version 5?

Re: Splunk Hosts metadata correlation with index

Mag2sub — Thu, 03 Jul 2014 11:15:04 GMT

yes on splunk 5.0.4 unfortunately...is there some way we can do the same ? i just need to find the latest time each host has logged using metadata but also output what index it belongs to ...

Re: Splunk Hosts metadata correlation with index

somesoni2 — Thu, 03 Jul 2014 13:41:39 GMT

This works with Splunk 5 but is on slower side

|eventcount summarize=false index=* | table index | map maxsearches=100 search="|metadata type=hosts  index=$index$ | eval index=\"$index$\""

Re: Splunk Hosts metadata correlation with index

Mag2sub — Thu, 03 Jul 2014 13:58:55 GMT

Its so much on slower side does not look feasible for us...any inputs /modifications to enhance performance appreciated

Re: Splunk Hosts metadata correlation with index

martin_mueller — Thu, 03 Jul 2014 16:22:42 GMT

Anything tstats can do with indexes can be done with stats:

index=* | stats latest(_time) latest(_indextime) count by host index

However, that may be slow, very slow, or glacial. You can of course speed things up by running this query regularly over a short timerange and storing the data in a lookup: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

Re: Splunk Hosts metadata correlation with index

Ayn — Thu, 03 Jul 2014 17:12:22 GMT

I've filed an ER for metasearch to output _indextime in results. With that, you could quickly grab these stats.

Re: Splunk Hosts metadata correlation with index

martin_mueller — Thu, 03 Jul 2014 18:20:29 GMT

Yeah, metasearch with _indextime should be about twice as fast as regular stats... if your forwarders basically send current data then you could get along with using _time as a workaround.

Re: Splunk Hosts metadata correlation with index

Mag2sub — Sat, 05 Jul 2014 11:49:22 GMT

Thanks ... unless i misundertood something recenttime is indextine for metaseach on hosts ...but metasearch do not output the index names on which they run...i need to be able to read the results to act on it and it needs to have the index name...

Re: Splunk Hosts metadata correlation with index

martin_mueller — Sat, 05 Jul 2014 13:20:37 GMT

metasearch does output the index.

Re: Splunk Hosts metadata correlation with index

Mag2sub — Mon, 07 Jul 2014 05:16:52 GMT

unless i misunderstand when i run metadata type=hosts...index name is not a key value pair returned

is a metadata search not a metasearch ..sorry if i got that wrong

Re: Splunk Hosts metadata correlation with index

martin_mueller — Mon, 07 Jul 2014 07:54:10 GMT

metasearch is a different command from metadata.

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/metasearch