metadata with splunk_server

EricPartington · ‎11-03-2011

How can i add a column that contains the splunk server name to the metadata command below?

I can filter based on metadata but i'd like to include that in the table so that I can use that column to split on later.

|metadata type=hosts index=*

I'd like to use this to write a summary index entry every 24 hours with a breakdown of the hosts that have written logs to each index and each splunk server. This will allow me to track the number of hosts that are logging to splunk, the number of hosts that are logging over the last x days and if a host stops logging to splunk we would see the counts change and can drill down into the splunk server and index to determine which host it is.

is there a way to restrict the metadata command to search only non-internal indexes with out specifically listing each index to include?

wrangler2x · ‎05-11-2017

You can do | metadata type=hosts NOT index="_*"

I think it is interesting that you can specify the index and the splunk_server in the search criteria, but you cannot include them in the search results.

I personally wish that I could see the splunk_server in the results.

metadata with splunk_server

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

metadata with splunk_server

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk