Its so much on slower side does not look feasible for us...any inputs /modifications to enhance performance appreciated

metasearch is a different command from metadata.

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/metasearch

unless i misunderstand when i run metadata type=hosts...index name is not a key value pair returned

is a metadata search not a metasearch ..sorry if i got that wrong

metasearch does output the index.

Thanks ... unless i misundertood something recenttime is indextine for metaseach on hosts ...but metasearch do not output the index names on which they run...i need to be able to read the results to act on it and it needs to have the index name...

Yeah, metasearch with _indextime should be about twice as fast as regular stats... if your forwarders basically send current data then you could get along with using _time as a workaround.

I've filed an ER for metasearch to output _indextime in results. With that, you could quickly grab these stats.

Anything tstats can do with indexes can be done with stats:

index=* | stats latest(_time) latest(_indextime) count by host index

However, that may be slow, very slow, or glacial. You can of course speed things up by running this query regularly over a short timerange and storing the data in a lookup: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

yes on splunk 5.0.4 unfortunately...is there some way we can do the same ? i just need to find the latest time each host has logged using metadata but also output what index it belongs to ...

This runs against indexes... on Splunk 6. Are you still on version 5?

Hmmm...this throws error expecting a namespace ...tsidxstats error...missing "FROM" keyword to specify namespace
does this work against indexes ? above error suggests it runs only against tsidxstats of tscollect