Solved: host in metadata but has no logs

reswob4 · ‎01-15-2019

I have a search that starts off with

| metadata type=hosts ....

The problem is that the results are pulling back a host that is not sending logs or should be sending logs. A search for the host in Splunk turns up nothing.

So my question is why it's showing up in metadata if no logs are being collected (or have ever been collected) from that host?

MuS · ‎01-15-2019

Hi reswob4,

there could be multiple reasons for this:

Host has been renamed
Wrong timestamp recognition and the events are way in the past or future
Someone used the delete command for this host which makes events not searchable but they are still in your index and therefore in the metadata.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎01-15-2019

Hi reswob4,

there could be multiple reasons for this:

Host has been renamed
Wrong timestamp recognition and the events are way in the past or future
Someone used the delete command for this host which makes events not searchable but they are still in your index and therefore in the metadata.

Hope this helps ...

cheers, MuS

reswob4 · ‎01-17-2019

Thanks.

I'm going to mark this as answered, but if anyone else has suggestions, that would be much appreciated.

host in metadata but has no logs

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!