Why am I getting "Error in '| metadata' " when try...

_smp_ · ‎03-14-2018

I am attempting to determine the earliest event in a particular index by executing the following search over All Time (as instructed by the Metadata command). I am running Splunk Enterprise 7.0.2:
| metadata type=hosts index=vpn

Error in 'metadata': No 'host' key found in results. Cannot merge metadata.

If I choose different time periods, some of them work (previous 30 days, Year to Date) but some do not (previous year). Anyone see this before?

deepashri_123 · ‎03-14-2018

@scottprigge,
You can refer this accepted answer and modify as per your requirement:
https://answers.splunk.com/answers/406967/how-to-use-the-metadata-command-to-search-for-host.html

_smp_ · ‎03-15-2018

Interestingly enough, this search also fails with the same error I mentioned above:
| metadata type=hosts index=vpn | eval age=now()-firstTime | where age<604800

niketn · ‎03-14-2018

@scottprigge, can you try the tstats command and see how it behaves:

| tstats count earliest(_time) as EarliestTime latest(_time) as LatestTime where index="vpn" by host
| fieldformat EarliestTime=strftime(EarliestTime,"%Y-%m-%d %H:%M:%S") 
| fieldformat LatestTime=strftime(LatestTime,"%Y-%m-%d %H:%M:%S")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

_smp_ · ‎03-14-2018

That seems to work. Not sure I would have thought to use tstats. Any idea why metadata doesn't work?

Why am I getting "Error in '| metadata' " when trying to get the earliest event in a particular index?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!