Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my metadata search not returning expected results for hosts reporting in within certain time ranges?

lohit
Path Finder
‎05-28-2015 12:11 AM

Hi all,

I have written below metadata search to find the hosts which have reported yesterday, but not reporting in the last 1 hour.

| metadata type=hosts |eval current=now() |eval lastHour=relative_time(current,"-1h")  | eval yesterday=relative_time(now(), "-1d") | where ( recentTime>yesterday AND recentTime<lastHour) | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host

This search is returning a list of hosts, but after I dig into these hosts, they seems to be reporting to their respective indexes which means the metadata search is giving me wrong results.

I start breaking up the search and excluded the recentTime&lt;lastHour from the where clause. Below is the resulting search:

| metadata type=hosts | eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where recentTime>yesterday  | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host

This gives me a list of only 2 hosts, whereas in my environment, hundreds of hosts are reporting.

Not really sure what is happening.

Please help !!

Tags (2)
0 Karma
Reply

ss026381
Communicator
‎08-30-2017 08:21 AM

try this for specific indexes.

| metadata index=foo  index=bar  index=baz type=hosts
Reply

jacobwilkins
Communicator
‎05-28-2015 03:12 PM

You want your search to start with:

| metadata index=* type=hosts
0 Karma
Reply

lohit
Path Finder
‎05-29-2015 06:17 AM

I have huge number of indexes so i think i cannot use the metadata command. Could you let me the other approach about going after license logs to get this information.

0 Karma
Reply

lohit
Path Finder
‎05-28-2015 10:19 PM

i have huge indexes , so cannot afford to use index=*.

0 Karma
Reply

jacobwilkins
Communicator
‎05-29-2015 05:48 AM

How do you expect this to work? The metadatacommand reads the metadata stored inside the indexes...

If you only have a handfull of indexes you want to check, you can try this:

| metadata (index=foo OR index=bar OR index=baz) type=hosts

The other approach to base it on your license logs.

0 Karma
Reply

securitypaul
Explorer
‎10-24-2022 08:10 AM

This is incorrect:

| metadata (index=foo OR index=bar OR index=baz) type=hosts

For some reason, metadata seems to dislike OR. You can use:

| metadata index=this index=that

It works fine. It does mean that I'm unable to use macros that contain multiple indexes separated by OR with metadata.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...