I’m seeing a discrepancy between the results from the | metadata type=hosts command and the actual event data in my index. I have an alert that monitors hosts that stop reporting events, and it’s based on | metadata. When I run the metadata query, it shows that the last event for a specific host was about 90 days ago. However, when I search manually using index=<my_index> host=<my_host>, I can see that this host actually reported events as recently as 15 days ago. It seems like the metadata command isn’t picking up the most recent activity for this host. I’d like to understand why this happens — is there a delay or a condition that prevents metadata from updating? Is there any way to force metadata to refresh, or to prevent these discrepancies in the future? Any insights or best practices for keeping metadata accurate would be greatly appreciated. ... View more

In a Splunk dashboard, I’m using the custom visualization "3D Graph Network Topology Viz". The goal is that when clicking on a node, a token is set so another panel can display related details. The issue is: When configuring On Click → Manage tokens on this dashboard, Splunk shows the message: "This custom visualization might not support drilldown behavior." When clicking on a node, the $click.value$ token does not update and literally remains as $click.value$, which confirms that it’s not sending dynamic values. The only token that actually receives data is $click.name$, which returns the node’s name, but not other values I’d like to capture. Has anyone successfully implemented full drilldown support in this visualization or knows how to extend it so that more tokens (like $click.value$) can be populated when clicking on a node? ... View more