I have 4 servers in a distributed environment. I use server a to login and do the search.
When I use the search | metadata type=hosts I get all the hosts from all the servers And When I use | metadata type=hosts splunk_server=B I get the hosts from Server B.
But when I use | metadata type=hosts splunk_server!=D I still get all the servers hosts. also it does not allow to have multiple splunk_server in a metadata search. I Also tried | metadata type=hosts NOT splunk_server=D.
Bottonline is I want the metadata hosts only from Server A,B and C and not D.
Currently, the metadata search does not appear to handle multiple splunk_server values and NOT operators.
Perhaps you can use the join command in conjunction with single splunk_server metadata queries
Currently, the metadata search does not appear to handle multiple splunk_server values and NOT operators.