Splunk Search
Highlighted

How to show index in the table when we use metadata?

Communicator

I have a scenario that i have to trigger alert when splunk forwarder is not running i have query that working fine.in that query i have to add index in the table .now i cant able to view index name in the query
My query:
| metadata type=hosts index=XXX index=YYY index=ZZZ| eval age = now() - recentTime | eval status= case(age < 1800,"Running",age > 1800,"DOWN") | convert ctime(recentTime) AS LastActiveOn
| eval age=tostring(age,"duration") | eval host = upper(host)
| table host age LastActiveOn status
| rename host as "Forwarder Name", age as "Last Heartbeat(min)",LastActiveOn as "Last Active On",status as Status| where Status= "DOWN"

Tags (3)
0 Karma
Highlighted

Re: How to show index in the table when we use metadata?

Champion

It can not be displayed directly. Please refer to the link below.

https://answers.splunk.com/answers/69704/how-can-i-list-all-indexes-and-sourcetypes.html

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.