|metadata - Need results for Custom time range

splunker12er · ‎07-10-2014

|metadata type=hosts earliest=-1d latest=now

This displays the overall eventcounts for the available hosts but not specific to the time range mentioned.
Is there a way to specify the time range for metadata results ?

somesoni2 · ‎02-17-2016

If you're on version 6.x, the you can use tstats command to generate metadata stats, which is time bound and much faster (then regular search). Following is the equivalent to metadata search

metadata search | metadata type=hosts index=*
tstats search | tstats count as totalCount min(_time) as firstTime max(_time) as lastTime WHERE index=* by host | eval recentTime=lastTime | eval type="hosts"

Ayn · ‎07-10-2014

No, not really. Time range for metadata only affects which entries that will be returned based on recentTime and lastTime.

May I suggest another option - use metasearch instead. As a bonus this also enables you to split your stats by multiple fields if you want (so for instance you could do stats count by host,sourcetype). This query should give you something similar to what you get with metadata:

| metasearch earliest=-1d | stats latest(_time) as lastTime,count by host

mendesjo · ‎02-17-2016

That doesn't seem to work for me anyway. If I put that in, not matter what it's ignored. Rather, whatever I select from the time picker is the time actually queried. Any idea why?

|metadata - Need results for Custom time range

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!