How to edit my type=host metadata search to exclude a certain index?

hartfoml
Motivator

I have this search:

| metadata type=hosts index=*a OR index=os index!=aruba

I want to get all the hosts in all the indexes except the aruba index.
The NOT command doesn't work either. How can I use index=*a and not include the aruba index?

0 Karma

woodcock
Esteemed Legend

It helps to know the metadata command is essentially a macro around tstats. For the clueful, I will translate:
The firstTime field is min(_time).
The lastTime field is max(_time).
The recentTime field is max(_indextime).

Now you can build your own tstats-based search and have full control over what is searched (or not).

I commented about this here:
https://answers.splunk.com/answers/567047/metadata-showing-wrong-last-indexed-time.html?childToView=...

0 Karma
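Putting the three field mappings above together with a count, here is a tstats search that reproduces the metadata output for the indexes in the question while leaving the aruba index out. This is an added example, not code posted by anyone in the thread; it assumes tstats accepts _indextime inside an aggregate function the same way it accepts _time, and it uses explicit parentheses so the index grouping does not depend on how the search language resolves OR and AND.

```spl
| tstats count AS totalCount
         min(_time) AS firstTime
         max(_time) AS lastTime
         max(_indextime) AS recentTime
    WHERE (index=*a OR index=os) AND index!=aruba
    BY host index
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S"),
       recentTime=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| table host index firstTime lastTime recentTime totalCount
```

The BY clause includes index so that a host which writes to several indexes is reported once per index rather than merged; drop index from BY to collapse it to one row per host, which is closer to what metadata type=hosts returns. As noted later in the thread, this costs more than the metadata command because tstats reads the index summaries for every bucket in the time range, so keep the time picker as narrow as the report allows.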

javiergn
SplunkTrust

Try this:

| rest /services/data/indexes 
| rename title as indexname
| search indexname != aruba
| table indexname
| map maxsearches=99 search=" | metadata type=hosts index=\"$indexname$\" | eval index=\"$indexname$\" " 

I have also added an index column in case that helps too.

NOTE I have assumed you don't have more than 99 indexes. If so feel free to increase the maxsearches value as it can't be unlimited I'm afraid.

hartfoml
Motivator

This was the answer I used. I changed the search just a little, but this worked, thanks.

0 Karma

hartfoml
Motivator

I am testing this now. Why is it important to limit the maxsearches? Won't this just return only the number of indexes that match the index= criteria?

0 Karma

javiergn
SplunkTrust

If you don't specify maxsearches then it will default to 10 and map will only run for the first 10 indexes returned.
If you have more than 10 indexes then you are going to lose some results.

0 Karma

somesoni2
Revered Legend

I would use tstats for this

| tstats count WHERE index=*a OR index=os index!=aruba by host

0 Karma

moesaidi
Path Finder

I downvoted this post because this doesn't work

0 Karma

hartfoml
Motivator

Thanks, but I wanted to get the metadata like host, firstTime, lastTime, recentTime, totalCount.

I keep all my orgs in different indexes and was asked to provide states from each index along with metrics on each system.

I don't know if I can get this from tstats? Or do I use tstats with the metadata search?

0 Karma

hartfoml
Motivator

I tried the tstats and it is way slower than the metadata, as it is actually doing a count.

0 Karma

somesoni2
Revered Legend

I would go with @Javiergn if you're looking for other metadata fields.

0 Karma