https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138347#M37957 <P>No, not really. Time range for metadata only affects which entries that will be returned based on recentTime and lastTime.</P> <P>May I suggest another option - use <CODE>metasearch</CODE> instead. As a bonus this also enables you to split your stats by multiple fields if you want (so for instance you could do stats count by host,sourcetype). This query should give you something similar to what you get with <CODE>metadata</CODE>:</P> <PRE><CODE>| metasearch earliest=-1d | stats latest(_time) as lastTime,count by host </CODE></PRE> Fri, 11 Jul 2014 06:45:34 GMT Ayn 2014-07-11T06:45:34Z https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138346#M37956 <PRE><CODE>|metadata type=hosts earliest=-1d latest=now </CODE></PRE> <P>This displays the overall eventcounts for the available hosts but not specific to the time range mentioned.<BR /> Is there a way to specify the time range for metadata results ?</P> Fri, 11 Jul 2014 06:08:53 GMT https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138346#M37956 splunker12er 2014-07-11T06:08:53Z https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138347#M37957 <P>No, not really. Time range for metadata only affects which entries that will be returned based on recentTime and lastTime.</P> <P>May I suggest another option - use <CODE>metasearch</CODE> instead. As a bonus this also enables you to split your stats by multiple fields if you want (so for instance you could do stats count by host,sourcetype). This query should give you something similar to what you get with <CODE>metadata</CODE>:</P> <PRE><CODE>| metasearch earliest=-1d | stats latest(_time) as lastTime,count by host </CODE></PRE> Fri, 11 Jul 2014 06:45:34 GMT https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138347#M37957 Ayn 2014-07-11T06:45:34Z https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138348#M37958 <P>That doesn't seem to work for me anyway. If I put that in, not matter what it's ignored. Rather, whatever I select from the time picker is the time actually queried. Any idea why?</P> Wed, 17 Feb 2016 20:26:37 GMT https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138348#M37958 mendesjo 2016-02-17T20:26:37Z https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138349#M37959 <P>If you're on version 6.x, the you can use tstats command to generate metadata stats, which is time bound and much faster (then regular search). Following is the equivalent to metadata search</P> <P>metadata search <CODE>| metadata type=hosts index=*</CODE> <BR /> tstats search <CODE>| tstats count as totalCount min(_time) as firstTime max(_time) as lastTime WHERE index=* by host | eval recentTime=lastTime | eval type="hosts"</CODE></P> Wed, 17 Feb 2016 20:48:06 GMT https://community.splunk.com/t5/Splunk-Search/metadata-Need-results-for-Custom-time-range/m-p/138349#M37959 somesoni2 2016-02-17T20:48:06Z