Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

|metadata - Need results for Custom time range

splunker12er
Motivator
‎07-10-2014 11:08 PM 
|metadata type=hosts earliest=-1d latest=now

This displays the overall eventcounts for the available hosts but not specific to the time range mentioned.
Is there a way to specify the time range for metadata results ?

Reply

somesoni2
Revered Legend
‎02-17-2016 12:48 PM

If you're on version 6.x, the you can use tstats command to generate metadata stats, which is time bound and much faster (then regular search). Following is the equivalent to metadata search

metadata search | metadata type=hosts index=*
tstats search | tstats count as totalCount min(_time) as firstTime max(_time) as lastTime WHERE index=* by host | eval recentTime=lastTime | eval type="hosts"

Reply

Ayn
Legend
‎07-10-2014 11:45 PM

No, not really. Time range for metadata only affects which entries that will be returned based on recentTime and lastTime.

May I suggest another option - use metasearch instead. As a bonus this also enables you to split your stats by multiple fields if you want (so for instance you could do stats count by host,sourcetype). This query should give you something similar to what you get with metadata:

| metasearch earliest=-1d | stats latest(_time) as lastTime,count by host
Reply

mendesjo
Path Finder
‎02-17-2016 12:26 PM

That doesn't seem to work for me anyway. If I put that in, not matter what it's ignored. Rather, whatever I select from the time picker is the time actually queried. Any idea why?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...