Getting Data In

Why is my metadata search not returning expected results for hosts reporting in within certain time ranges?

lohit
Path Finder

Hi all,

I have written the metadata search below to find the hosts which reported yesterday but are not reporting in the last 1 hour.

| metadata type=hosts |eval current=now() |eval lastHour=relative_time(current,"-1h")  | eval yesterday=relative_time(now(), "-1d") | where ( recentTime>yesterday AND recentTime<lastHour) | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host

This search is returning a list of hosts, but after I dig into these hosts, they seem to be reporting to their respective indexes, which means the metadata search is giving me wrong results.

I started breaking up the search and excluded recentTime<lastHour from the where clause. Below is the resulting search:

| metadata type=hosts | eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where recentTime>yesterday  | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host

This gives me a list of only 2 hosts, whereas in my environment, hundreds of hosts are reporting.

Not really sure what is happening.

Please help!

0 Karma

ss026381
Communicator

Try this for specific indexes.

| metadata index=foo  index=bar  index=baz type=hosts
0 Karma

jacobwilkins
Communicator

You want your search to start with:

| metadata index=* type=hosts
0 Karma

lohit
Path Finder

I have a huge number of indexes, so I think I cannot use the metadata command. Could you tell me about the other approach, going after the license logs to get this information?

0 Karma

lohit
Path Finder

I have huge indexes, so I cannot afford to use index=*.

0 Karma

jacobwilkins
Communicator

How do you expect this to work? The metadata command reads the metadata stored inside the indexes...

If you only have a handful of indexes you want to check, you can try this:

| metadata (index=foo OR index=bar OR index=baz) type=hosts

The other approach is to base it on your license logs.

0 Karma
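The license-log approach mentioned in the answer above, written out as an added example (this search is not from the thread and not Splunk's own documentation). It assumes you can search the _internal index on the license manager, where license_usage.log is written, and relies on that log's type=Usage events carrying the reporting host in the field h, the index in idx and the indexed bytes in b. The window matches the original question: hosts that sent data in the last 24 hours but whose most recent usage event is older than one hour.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-24h latest=now
| stats max(_time) as recentTime sum(b) as bytes_24h values(idx) as indexes by h
| rename h as host
| where recentTime < relative_time(now(), "-1h")
| eval Current_Time=strftime(now(), "%Y-%m-%d %H:%M:%S"),
       Last_Hour=strftime(relative_time(now(), "-1h"), "%Y-%m-%d %H:%M:%S"),
       Recent=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| table Current_Time Last_Hour Recent host indexes bytes_24h
| sort Recent
```

Two caveats before relying on this for "host went silent" alerting. First, usage events are rolled up roughly once a minute, so a host's last event can trail its last real data by a minute or two; the one-hour threshold absorbs that, but a tighter threshold would produce false positives. Second, when the number of distinct source/sourcetype/host combinations exceeds the license manager's squash_threshold, the h (and s) fields are squashed and the per-host breakdown disappears from the log; if the host column comes back empty or nearly so, that is the cause, and you are back to scoping a metadata or tstats search to the indexes you actually care about.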