Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Why is my metadata search not returning expect...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is my metadata search not returning expected results for hosts reporting in within certain time ranges?
Hi all,
I have written below metadata search to find the hosts which have reported yesterday, but not reporting in the last 1 hour.
| metadata type=hosts |eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where ( recentTime>yesterday AND recentTime<lastHour) | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host
This search is returning a list of hosts, but after I dig into these hosts, they seems to be reporting to their respective indexes which means the metadata search is giving me wrong results.
I start breaking up the search and excluded the recentTime<lastHour from the where clause. Below is the resulting search:
| metadata type=hosts | eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where recentTime>yesterday | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host
This gives me a list of only 2 hosts, whereas in my environment, hundreds of hosts are reporting.
Not really sure what is happening.
Please help !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this for specific indexes.
| metadata index=foo index=bar index=baz type=hosts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want your search to start with:
| metadata index=* type=hosts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have huge number of indexes so i think i cannot use the metadata command. Could you let me the other approach about going after license logs to get this information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have huge indexes , so cannot afford to use index=*.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you expect this to work? The metadatacommand reads the metadata stored inside the indexes...
If you only have a handfull of indexes you want to check, you can try this:
| metadata (index=foo OR index=bar OR index=baz) type=hosts
The other approach to base it on your license logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is incorrect:
| metadata (index=foo OR index=bar OR index=baz) type=hosts
For some reason, metadata seems to dislike OR. You can use:
| metadata index=this index=that
It works fine. It does mean that I'm unable to use macros that contain multiple indexes separated by OR with metadata.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
