- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Why is my metadata search not returning expect...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is my metadata search not returning expected results for hosts reporting in within certain time ranges?
Hi all,
I have written below metadata search to find the hosts which have reported yesterday, but not reporting in the last 1 hour.
| metadata type=hosts |eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where ( recentTime>yesterday AND recentTime<lastHour) | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host
This search is returning a list of hosts, but after I dig into these hosts, they seems to be reporting to their respective indexes which means the metadata search is giving me wrong results.
I start breaking up the search and excluded the recentTime<lastHour from the where clause. Below is the resulting search:
| metadata type=hosts | eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where recentTime>yesterday | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host
This gives me a list of only 2 hosts, whereas in my environment, hundreds of hosts are reporting.
Not really sure what is happening.
Please help !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this for specific indexes.
| metadata index=foo index=bar index=baz type=hosts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want your search to start with:
| metadata index=* type=hosts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have huge number of indexes so i think i cannot use the metadata command. Could you let me the other approach about going after license logs to get this information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have huge indexes , so cannot afford to use index=*.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you expect this to work? The metadatacommand reads the metadata stored inside the indexes...
If you only have a handfull of indexes you want to check, you can try this:
| metadata (index=foo OR index=bar OR index=baz) type=hosts
The other approach to base it on your license logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is incorrect:
| metadata (index=foo OR index=bar OR index=baz) type=hosts
For some reason, metadata seems to dislike OR. You can use:
| metadata index=this index=that
It works fine. It does mean that I'm unable to use macros that contain multiple indexes separated by OR with metadata.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
