Splunk Search

why can't I search metadata via distributed search?

oliverquick
New Member

A question regarding the search in the CLI.

I need to search the metadata via the CLI - it appears I can not

./splunk search "|metadata type=hosts"

So instead I have saved this search as metadataGUI and validated it is available via

./splunk list saved-search

But when I execute
./splunk search “|savedsearch metadataGUI”
or
./splunk search '|savedsearch "metadataGUI"'
or
./splunk search "|savedsearch 'metadataGUI'"

All I get is “Error in 'savedsearch' command: Usage: [options]”

Any ideas?

thanks!

Tags (3)
0 Karma

sophy
Splunk Employee
Splunk Employee

Hi Oliver, so the issue is that metadata does not give any results in distributed search. This was a bug in 4.1.x that was resolved in 4.2.2.

When the indexers DB paths are configured with the "volume" parameter in indexes.conf, metadata search cannot find the DB path. The workaround is to use the absolute path ("homePath" parameter) instead of using the "volume" parameter. You can also upgrade to 4.2.2.

I hope this helps!

mw
Splunk Employee
Splunk Employee

These should work. I think that your shell is attempting to interpret the pipe symbol or quotes improperly. What happens if you use single quotes instead of double?

oliverquick
New Member

Hey - I tried all permutations of quotes, both single and double...so I don't think it is that...

thanks though!

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...