Re: Question on metadata

misteryuku · ‎03-29-2012

When i retrieved the results as an xml during search from the search app i saw that there are field xml tags with attribute k values with _cd, _si, _time. Are those metadata fields?

I wanted to set the metadata field values such as cd, _indextime etc. I appended the key=value pair of such metadata fields to the receivers endpoint url to add events with cd and _indextime values that are set before indexing. However, when i retrieve the results from the search via search/jobs/{search_id}/results endpoint the _cd, _indextime metadata field values were default.

http://localhost:8089/services/receivers/simple?host=myhost&index=main&source=sexydata&sourcetype=se...

Is it impossible to set those metadata field values? Are those metadata fields extracted during index time?

Drainy · ‎03-30-2012

Yeah please. Misteryuku. Explain what it is you want to do and let people give you advice, you keep jumping in with tiny pieces of the jigsaw which makes it impossible to figure out what you're doing (maybe world domination, starting with Splunk-base?)

Ayn · ‎03-29-2012

While it might be possible, why do you want to set them? As dwaddle points out below, they're for internal use. Not yours to set.

dwaddle · ‎03-29-2012

I don't know if I would (strictly) call these "metadata" fields - but they are Splunk internal fields computed at index time by splunk. You cannot change them, and you should not be attempting to set their values. They are not so much "extracted" as they are derived as part of the indexing process.

The _time and _indextime fields are somewhat obvious to us end user people as to what they are / what they do. Some of the others, like _cd are implementation details of Splunk's "bucket" on-disk index data structure. Like any undocumented implementation detail, it isn't something you should be fooling with lightly. It is subject to change (including possible elimination entirely) in the future.

misteryuku · ‎03-30-2012

Okay. I understand now. I won't ask the question anymore.

Ayn · ‎03-30-2012

These are fields that Splunk sets itself upon indexing. As such you cannot change the actual indexed values. You NEED to read up on how this stuff works, because it's obvious that you don't understand it right now.

misteryuku · ‎03-29-2012

Dear csharp_splunk, I would like to use the changed internal field values and send the changed internal field values to splunk search app to the recievers endpoint. I just want to know how to do that. I'm not interested in changing them at search time. If you have the answer you can tell me. Anyway thanks for the extra info.

csharp_splunk · ‎03-29-2012

As dwaddle points out, those are not metadata, they're internal fields. You can make copies of them and change them at search time if you like. Something like:

| eval mytime=_indextime+somevalue

Etc, would work.

misteryuku · ‎03-29-2012

That mean i cannot change the metadata values right?

Question on metadata

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation