Solved: Re: How to edit my type=host metadata search to ex...

hartfoml · ‎05-03-2016

I have this search:

| metadata type=hosts index=*a OR index=os index!=aruba

I want to get all the hosts in all the indexes except the aruba index.
The NOT command doesn't work either. How can I user the index-*a and not include the aruba index?

javiergn · ‎05-03-2016

Try this:

| rest /services/data/indexes 
| rename title as indexname
| search indexname != aruba
| table indexname
| map maxsearches=99 search=" | metadata type=hosts index=\"$indexname$\" | eval index=\"$indexname$\" "

I have also added an index column in case that helps too.

NOTE I have assumed you don't have more than 99 indexes. If so feel free to increase the maxsearches value as it can't be unlimited I'm afraid.

View solution in original post

woodcock · ‎02-11-2020

It helps to know the metadata command is essentially a macro around tstats. For the clueful, I will translate:
The firstTime field is min(_time).
The "astTime field is max(_time).
The recentTime field is max(_indextime).

Now you can build your own tstats-based search and have full control over what is searched (or not).

I commented about this here:
https://answers.splunk.com/answers/567047/metadata-showing-wrong-last-indexed-time.html?childToView=...

javiergn · ‎05-03-2016

Try this:

| rest /services/data/indexes 
| rename title as indexname
| search indexname != aruba
| table indexname
| map maxsearches=99 search=" | metadata type=hosts index=\"$indexname$\" | eval index=\"$indexname$\" "

I have also added an index column in case that helps too.

NOTE I have assumed you don't have more than 99 indexes. If so feel free to increase the maxsearches value as it can't be unlimited I'm afraid.

hartfoml · ‎05-04-2016

this was the answer i used. I change the search just a little but this worked thanks

hartfoml · ‎05-03-2016

I am testing this now. Why is it important to limit the maxsearches? wont this just return only the number of indexes that match the index= criteria?

javiergn · ‎05-03-2016

If you don't specify maxsearches then it will default to 10 and map will only run for the first 10 indexes returned.
If you have more than 10 indexes then you are going to lose some results.

somesoni2 · ‎05-03-2016

I would use tstats for this

| tstats count WHERE index=*a OR index=os index!=aruba by host

moesaidi · ‎05-29-2017

I downvoted this post because this doesn't work

hartfoml · ‎05-03-2016

thanks but I wanted to get the metadata like host, firstTime, lastTime, recentTime, totalCount

I keep all my ORG's in different indexes and was asked to provide states from each index along with metrics on each system

I don't know if i can get this from tstats? Or do I use tstats with the metadata search?

hartfoml · ‎05-03-2016

I tried the tstats and it is way slower than the metadata as it is actually doing a count

somesoni2 · ‎05-03-2016

I would go with @Javiergn if you're looking for other metadata fields.

How to edit my type=host metadata search to exclude a certain index?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!