I wanted to use the metadata command to monitor the last time an IDS sensor fed in our index. Because we are using Firesight and therefore estreamer, everything feeds in from a single host and the source is always "encore". To cheekily resolve that, I tried to alias the sensor field to source on the heavy forwarder (in the estreamer TA), and also on the search head thusly:
FIELDALIAS-estreamer_source = sensor AS source
After restarting the heavy forwarder process, the new data feeding in is working as expected, and when I | stats count by source now, I see all the sensors, like I wanted; yet when using the metadata command, I only see encore. I am querying for the past hour so I should be seeing the changed data... but no cookie...
Any advice would be much appreciated.
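An added example, not part of the original question: a per-sensor "last seen" search that reads the sensor field directly instead of relying on the source alias. The metadata command reports index-time host/source/sourcetype values, and a FIELDALIAS is a search-time knowledge object, so it cannot change what metadata returns; a stats search over the raw events can. The index name, the sourcetype and the 60-minute threshold below are placeholders for the poster's own environment.

```spl
index=ids sourcetype=estreamer earliest=-24h
| stats max(_time) AS last_seen count AS events BY sensor
| eval minutes_silent=round((now() - last_seen) / 60)
| where minutes_silent > 60
| convert ctime(last_seen)
```

Dropping the `where` line lists every sensor with its last event time; keeping it returns only the sensors that have gone quiet, which is the shape a scheduled alert wants.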