
How to edit my type=host metadata search to exclude a certain index?

Motivator

I have this search:

| metadata type=hosts index=*a OR index=os index!=aruba

I want to get all the hosts in all the indexes except the aruba index.
The NOT command doesn't work either. How can I use index=*a and not include the aruba index?

0 Karma
1 Solution

SplunkTrust

Try this:

| rest /services/data/indexes 
| rename title as indexname
| search indexname != aruba
| table indexname
| map maxsearches=99 search=" | metadata type=hosts index=\"$indexname$\" | eval index=\"$indexname$\" " 

I have also added an index column in case that helps too.

NOTE: I have assumed you don't have more than 99 indexes. If you do, feel free to increase the maxsearches value, as it can't be unlimited I'm afraid.


Esteemed Legend

It helps to know the metadata command is essentially a macro around tstats. For the clueful, I will translate:
The firstTime field is min(_time).
The lastTime field is max(_time).
The recentTime field is max(_indextime).

Now you can build your own tstats-based search and have full control over what is searched (or not).

I commented about this here:
https://answers.splunk.com/answers/567047/metadata-showing-wrong-last-indexed-time.html?childToView=...

0 Karma
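Following the field mapping above, here is a tstats search that returns the same columns as metadata type=hosts but takes a full boolean WHERE clause, so the aruba index can be excluded directly. This is an added example, not code from the original thread: the index names (index=*a, index=os, aruba) are taken from the question, the hours_since_last column is an addition of mine, and the parentheses are explicit so the result does not depend on SPL's boolean precedence.

```spl
| tstats min(_time) AS firstTime
         max(_time) AS lastTime
         max(_indextime) AS recentTime
         count AS totalCount
    WHERE (index=*a OR index=os) NOT index=aruba
    BY index host
| eval hours_since_last=round((now() - lastTime) / 3600, 1)
| fieldformat firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")
| fieldformat lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| fieldformat recentTime=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| sort - hours_since_last
| table index host firstTime lastTime recentTime totalCount hours_since_last
```

Run it over the time range you care about: totalCount only covers events inside the search window, and because tstats reads the tsidx files rather than bucket summaries it costs more than metadata on large indexes. The gap between lastTime and recentTime shows ingestion lag for a host, and sorting by hours_since_last puts hosts that have gone quiet at the top, which is the usual reason to run this kind of inventory.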


Motivator

This was the answer I used. I changed the search just a little, but this worked. Thanks.

0 Karma

Motivator

I am testing this now. Why is it important to limit the maxsearches? Won't this just return only the number of indexes that match the index= criteria?

0 Karma

SplunkTrust

If you don't specify maxsearches then it will default to 10 and map will only run for the first 10 indexes returned.
If you have more than 10 indexes then you are going to lose some results.

0 Karma
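Before relying on the rest-and-map search from the accepted answer, it is worth checking how many indexes map will actually iterate, since a maxsearches value below that count silently drops results. This is an added check, not part of the original thread; it assumes the same aruba exclusion as the question, additionally skips disabled indexes (which still appear in /services/data/indexes), and compares the count against the 99 used in the answer.

```spl
| rest /services/data/indexes count=0
| search disabled=0 NOT title IN (aruba)
| eventstats dc(title) AS index_count
| eval maxsearches_ok=if(index_count <= 99, "yes", "no: raise maxsearches above ".index_count)
| stats values(title) AS indexes_to_search first(index_count) AS index_count first(maxsearches_ok) AS maxsearches_ok
```

dc(title) is used rather than count because a search head connected to several indexers returns one row per index per splunk_server, so a plain count would overstate the number of map iterations needed.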

SplunkTrust

I would use tstats for this

| tstats count WHERE index=*a OR index=os index!=aruba by host

0 Karma

Path Finder

I downvoted this post because this doesn't work

0 Karma

Motivator

Thanks, but I wanted to get the metadata like host, firstTime, lastTime, recentTime, totalCount.

I keep all my ORGs in different indexes and was asked to provide stats from each index along with metrics on each system.

I don't know if I can get this from tstats? Or do I use tstats with the metadata search?

0 Karma

Motivator

I tried tstats and it is way slower than metadata, as it is actually doing a count.

0 Karma

SplunkTrust

I would go with @Javiergn if you're looking for other metadata fields.

0 Karma