Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

metadata with splunk_server

EricPartington
Communicator
‎11-03-2011 02:27 PM

How can i add a column that contains the splunk server name to the metadata command below?

I can filter based on metadata but i'd like to include that in the table so that I can use that column to split on later.

|metadata type=hosts index=*

I'd like to use this to write a summary index entry every 24 hours with a breakdown of the hosts that have written logs to each index and each splunk server. This will allow me to track the number of hosts that are logging to splunk, the number of hosts that are logging over the last x days and if a host stops logging to splunk we would see the counts change and can drill down into the splunk server and index to determine which host it is.

is there a way to restrict the metadata command to search only non-internal indexes with out specifically listing each index to include?

Reply

wrangler2x
Motivator
‎05-11-2017 10:47 AM

You can do | metadata type=hosts NOT index="_*"

I think it is interesting that you can specify the index and the splunk_server in the search criteria, but you cannot include them in the search results.

I personally wish that I could see the splunk_server in the results.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...