Solved: Re: useing metadata commend to display sourcetype ...

samlinsongguo · ‎03-27-2018

HI
I want to use | metadata commend to display sourcetype host and sources at the same time, so far I cant make connection between them.
As we know when I run | metadata type=sourcetypes search it will return me sourcetype information,like below

firstTime   lastTime   recentTime sourcetype totalCount type
151572    1515399    152170     RT2RO   108      sourcetypes

the output I am looking for is

firstTime   lastTime   recentTime sourcetype totalCount source       host
  151572    1515399    152170       RT2RO   108     \var\log\a   rt2.server.com

Can this be done using | metadata command?
The reason I want to use it is just because it give result fast 🙂
Thanks in advance

adonio · ‎03-27-2018

hello there,
not sure how to achieve with | metadata (without | append or | appendcols ) but give ashot to the next search:
|tstats count as event_count min(_time) as firstTime max(_time) as lastTime by host source sourcetype where index=*

hope it helps

View solution in original post

adonio · ‎03-27-2018

hello there,
not sure how to achieve with | metadata (without | append or | appendcols ) but give ashot to the next search:
|tstats count as event_count min(_time) as firstTime max(_time) as lastTime by host source sourcetype where index=*

hope it helps

samlinsongguo · ‎03-28-2018

Thanks Adonio, not very familiar with tstats but it got what I want thanks again.

useing metadata commend to display sourcetype host and sources at the same time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation