why can't I search metadata via distributed search...

oliverquick · ‎07-15-2011

A question regarding the search in the CLI.

I need to search the metadata via the CLI - it appears I can not

./splunk search "|metadata type=hosts"

So instead I have saved this search as metadataGUI and validated it is available via

./splunk list saved-search

But when I execute
./splunk search “|savedsearch metadataGUI”
or
./splunk search '|savedsearch "metadataGUI"'
or
./splunk search "|savedsearch 'metadataGUI'"

All I get is “Error in 'savedsearch' command: Usage: [options]”

Any ideas?

thanks!

sophy · ‎07-15-2011

Hi Oliver, so the issue is that metadata does not give any results in distributed search. This was a bug in 4.1.x that was resolved in 4.2.2.

When the indexers DB paths are configured with the "volume" parameter in indexes.conf, metadata search cannot find the DB path. The workaround is to use the absolute path ("homePath" parameter) instead of using the "volume" parameter. You can also upgrade to 4.2.2.

I hope this helps!

mw · ‎07-15-2011

These should work. I think that your shell is attempting to interpret the pipe symbol or quotes improperly. What happens if you use single quotes instead of double?

oliverquick · ‎07-15-2011

Hey - I tried all permutations of quotes, both single and double...so I don't think it is that...

thanks though!

why can't I search metadata via distributed search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms