Solved: useing metadata commend to display sourcetype host...

samlinsongguo · ‎03-27-2018

HI
I want to use | metadata commend to display sourcetype host and sources at the same time, so far I cant make connection between them.
As we know when I run | metadata type=sourcetypes search it will return me sourcetype information,like below

firstTime   lastTime   recentTime sourcetype totalCount type
151572    1515399    152170     RT2RO   108      sourcetypes

the output I am looking for is

firstTime   lastTime   recentTime sourcetype totalCount source       host
  151572    1515399    152170       RT2RO   108     \var\log\a   rt2.server.com

Can this be done using | metadata command?
The reason I want to use it is just because it give result fast 🙂
Thanks in advance

adonio · ‎03-27-2018

hello there,
not sure how to achieve with | metadata (without | append or | appendcols ) but give ashot to the next search:
|tstats count as event_count min(_time) as firstTime max(_time) as lastTime by host source sourcetype where index=*

hope it helps

View solution in original post

adonio · ‎03-27-2018

hello there,
not sure how to achieve with | metadata (without | append or | appendcols ) but give ashot to the next search:
|tstats count as event_count min(_time) as firstTime max(_time) as lastTime by host source sourcetype where index=*

hope it helps

samlinsongguo · ‎03-28-2018

Thanks Adonio, not very familiar with tstats but it got what I want thanks again.

useing metadata commend to display sourcetype host and sources at the same time

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life