Splunk Search

Question on metadata

misteryuku
Communicator

When I retrieved the results as XML during a search from the search app, I saw that there are field XML tags with attribute k values of _cd, _si, _time. Are those metadata fields?

I wanted to set the metadata field values such as cd, _indextime etc. I appended the key=value pairs of such metadata fields to the receivers endpoint URL to add events with cd and _indextime values that are set before indexing. However, when I retrieve the results from the search via the search/jobs/{search_id}/results endpoint, the _cd and _indextime metadata field values were the defaults.

http://localhost:8089/services/receivers/simple?host=myhost&index=main&source=sexydata&sourcetype=se...

Is it impossible to set those metadata field values? Are those metadata fields extracted during index time?


Drainy
Champion

Yeah please. Misteryuku. Explain what it is you want to do and let people give you advice, you keep jumping in with tiny pieces of the jigsaw which makes it impossible to figure out what you're doing (maybe world domination, starting with Splunk-base?)

Ayn
Legend

While it might be possible, why do you want to set them? As dwaddle points out below, they're for internal use. Not yours to set.


dwaddle
SplunkTrust

I don't know if I would (strictly) call these "metadata" fields - but they are Splunk internal fields computed at index time by splunk. You cannot change them, and you should not be attempting to set their values. They are not so much "extracted" as they are derived as part of the indexing process.

The _time and _indextime fields are somewhat obvious to us end user people as to what they are / what they do. Some of the others, like _cd are implementation details of Splunk's "bucket" on-disk index data structure. Like any undocumented implementation detail, it isn't something you should be fooling with lightly. It is subject to change (including possible elimination entirely) in the future.


misteryuku
Communicator

Okay. I understand now. I won't ask the question anymore.


Ayn
Legend

These are fields that Splunk sets itself upon indexing. As such you cannot change the actual indexed values. You NEED to read up on how this stuff works, because it's obvious that you don't understand it right now.


misteryuku
Communicator

Dear csharp_splunk, I would like to use the changed internal field values and send the changed internal field values to the Splunk search app via the receivers endpoint. I just want to know how to do that. I'm not interested in changing them at search time. If you have the answer you can tell me. Anyway, thanks for the extra info.


csharp_splunk
Splunk Employee

As dwaddle points out, those are not metadata, they're internal fields. You can make copies of them and change them at search time if you like. Something like:

| eval mytime=_indextime+somevalue

Etc, would work.

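To make the distinction in the replies above concrete (internal fields are assigned by Splunk at index time and cannot be set by the sender; `| eval mytime=_indextime+somevalue` only adds a search-time copy), here is an added Python example. It is not code from the thread or from Splunk. It parses a constructed results XML in the shape returned by search/jobs/{search_id}/results, separates underscore-prefixed internal fields (_cd, _si, _time, _indextime, _raw) from user fields, computes the gap between the timestamp the event claims (_time, parsed from the event text, so under the sender's control) and the time Splunk actually indexed it (_indextime, which the sender cannot set), mirrors the eval copy, and builds a receivers/simple URL that refuses underscore-prefixed parameters instead of sending them. The sample values, the hostnames and the allowed-parameter set are assumptions for illustration.

```python
"""Parse Splunk search-results XML, separate internal fields from user fields,
and show what a sender can and cannot control.

Added example, not from the forum thread or from Splunk. SAMPLE_RESULTS_XML is
a constructed sample shaped like search/jobs/{sid}/results?output_mode=xml;
every value in it is made up.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode

# Constructed sample: two events. The second carries a claimed timestamp a year
# older than its arrival, which a sender can do because _time is parsed from the
# event text; _indextime and _cd are assigned by Splunk during indexing.
SAMPLE_RESULTS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta><fieldOrder>
<field>_cd</field><field>_indextime</field><field>_raw</field><field>_si</field>
<field>_time</field><field>host</field><field>source</field><field>sourcetype</field>
</fieldOrder></meta>
<result offset='0'>
<field k='_cd'><value><text>0:1337</text></value></field>
<field k='_indextime'><value><text>1355994900</text></value></field>
<field k='_raw'><v xml:space='preserve' trunc='0'>2012-12-20T09:00:00Z user=alice action=login</v></field>
<field k='_si'><value><text>myhost</text></value><value><text>main</text></value></field>
<field k='_time'><value><text>2012-12-20T09:00:00.000+00:00</text></value></field>
<field k='host'><value><text>myhost</text></value></field>
<field k='source'><value><text>mydata</text></value></field>
<field k='sourcetype'><value><text>kv</text></value></field>
</result>
<result offset='1'>
<field k='_cd'><value><text>0:1338</text></value></field>
<field k='_indextime'><value><text>1355994901</text></value></field>
<field k='_raw'><v xml:space='preserve' trunc='0'>2011-12-20T09:00:01Z user=mallory action=sudo</v></field>
<field k='_si'><value><text>myhost</text></value><value><text>main</text></value></field>
<field k='_time'><value><text>2011-12-20T09:00:01.000+00:00</text></value></field>
<field k='host'><value><text>myhost</text></value></field>
<field k='source'><value><text>mydata</text></value></field>
<field k='sourcetype'><value><text>kv</text></value></field>
</result>
</results>
"""

# Parameters the thread's own URL uses. Assumption: this subset is enough for
# the example; the endpoint accepts others, so extend the set as needed.
ALLOWED_PARAMS = {"host", "index", "source", "sourcetype"}


def parse_results(xml_text):
    """Return one dict per <result>, mapping field name -> list of values."""
    events = []
    for result in ET.fromstring(xml_text).iter("result"):
        fields = {}
        for field in result.findall("field"):
            values = [t.text or "" for t in field.iter("text")]
            if not values:  # _raw is delivered as <v>...</v>, not <value><text>
                values = [v.text or "" for v in field.findall("v")]
            fields[field.get("k")] = values
        events.append(fields)
    return events


def split_internal(event):
    """Split a parsed event into Splunk-internal (leading underscore) and user fields."""
    internal = {k: v for k, v in event.items() if k.startswith("_")}
    user = {k: v for k, v in event.items() if not k.startswith("_")}
    return internal, user


def ingest_lag_seconds(event):
    """_indextime minus _time: how far the claimed timestamp is from arrival."""
    claimed = datetime.strptime(event["_time"][0], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
    return float(event["_indextime"][0]) - claimed


def with_eval_copy(event, name="mytime", offset=3600):
    """Search-time equivalent of `| eval mytime=_indextime+offset`: adds a new
    field to a copy of the event; the internal field itself is untouched."""
    out = dict(event)
    out[name] = [str(int(event["_indextime"][0]) + offset)]
    return out


def build_receivers_url(base, **params):
    """Build a receivers/simple URL like the one pasted in the thread. Internal
    (underscore) or unknown names are refused rather than sent, since Splunk
    assigns internal fields itself and the query-string values do not take."""
    bad = [k for k in params if k.startswith("_") or k not in ALLOWED_PARAMS]
    if bad:
        raise ValueError("not settable via receivers/simple: " + ", ".join(sorted(bad)))
    return base.rstrip("/") + "/services/receivers/simple?" + urlencode(params)


if __name__ == "__main__":
    for ev in parse_results(SAMPLE_RESULTS_XML):
        internal, user = split_internal(ev)
        print("internal:", sorted(internal), "user:", sorted(user))
        print("ingest lag (s):", ingest_lag_seconds(ev))
        print("eval copy:", with_eval_copy(ev, "mytime", 60)["mytime"])
    print(build_receivers_url("https://localhost:8089", host="myhost",
                              index="main", source="mydata", sourcetype="kv"))
    try:
        build_receivers_url("https://localhost:8089", host="myhost", _indextime="0")
    except ValueError as err:
        print("refused:", err)
```

The ingest-lag check is the practical reason the distinction matters: _time is whatever timestamp the sender put in the event text, while _indextime is stamped by the indexer on arrival, so a large gap between the two is a signal (of backfill, clock drift, or a sender trying to backdate an event) that a search over _time alone would hide.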

misteryuku
Communicator

That means I cannot change the metadata values, right?
