| metadata type=sourcetypes index=* will return correctly.
What is necessary for the metadata command to return successfully? Is there a file I need next to the data to dictate the sourcetype info? Can I remove this index from the metadata results without having to manually specify all indexes I want in the command?
01-15-2020 20:57:40.884 ERROR metadata - No 'sourcetype' key found in results. Cannot merge metadata.
01-15-2020 20:57:40.884 INFO PreviewExecutor - Finished preview generation in 0.002741056 seconds.
01-15-2020 20:57:40.901 INFO ReducePhaseExecutor - Ending phase_1
01-15-2020 20:57:40.901 INFO UserManager - Unwound user context: firstname.lastname@example.org -> NULL
01-15-2020 20:57:40.901 ERROR SearchOrchestrator - Phase_1 failed due to : Error in 'metadata': No 'sourcetype' key found in results. Cannot merge metadata.
01-15-2020 20:57:40.901 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=CANCEL
01-15-2020 20:57:40.901 INFO DispatchExecutor - User applied action=CANCEL while status=0
01-15-2020 20:57:40.901 ERROR SearchStatusEnforcer - sid:md_1579121855.178190 Error in 'metadata': No 'sourcetype' key found in results. Cannot merge metadata.
Hadoop cli 2.8.4
AWS EMR emr-5.28.0
The specific issue is internally tracked as ERP-2150, which has the summary "| metadata type=sourcetypes index=* fails when you have virtual indexes". Unfortunately I've realized that there's an issue that means it isn't currently in the release notes.
Thanks, Jo. Just to confirm, this is currently unresolved even in the latest release of Splunk? If so, is there any fix planned that will be applied to the 7.3.x chain in, say, 7.3.5? Thanks again.
Or did you mean it was patched, but it never made it into the release notes?