Knowledge Management

metadata with splunk_server

EricPartington
Communicator

How can i add a column that contains the splunk server name to the metadata command below?

I can filter based on metadata but i'd like to include that in the table so that I can use that column to split on later.

|metadata type=hosts index=*

I'd like to use this to write a summary index entry every 24 hours with a breakdown of the hosts that have written logs to each index and each splunk server. This will allow me to track the number of hosts that are logging to splunk, the number of hosts that are logging over the last x days and if a host stops logging to splunk we would see the counts change and can drill down into the splunk server and index to determine which host it is.

is there a way to restrict the metadata command to search only non-internal indexes with out specifically listing each index to include?

wrangler2x
Motivator

You can do | metadata type=hosts NOT index="_*"

I think it is interesting that you can specify the index and the splunk_server in the search criteria, but you cannot include them in the search results.

I personally wish that I could see the splunk_server in the results.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...