Splunk Search

How to show index in the table when we use metadata?

karthi2809
Contributor

I have a scenario where I have to trigger an alert when the Splunk forwarder is not running. I have a query that is working fine. In that query I have to add the index to the table. Now I am not able to view the index name in the query.
My query:
| metadata type=hosts index=XXX index=YYY index=ZZZ | eval age = now() - recentTime | eval status = case(age < 1800, "Running", age >= 1800, "DOWN") | convert ctime(recentTime) AS LastActiveOn
| eval age = tostring(age, "duration") | eval host = upper(host)
| table host age LastActiveOn status
| rename host AS "Forwarder Name", age AS "Last Heartbeat(min)", LastActiveOn AS "Last Active On", status AS Status | where Status = "DOWN"

0 Karma

HiroshiSatoh
Champion

It cannot be displayed directly. Please refer to the link below.

https://answers.splunk.com/answers/69704/how-can-i-list-all-indexes-and-sourcetypes.html

0 Karma
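
One way to get the index next to each host, as an added example that is not from either poster: `tstats` can split its results by both `index` and `host`, which `metadata type=hosts` does not do. It assumes the same placeholder indexes XXX, YYY and ZZZ and the same 1800-second threshold as the question; the 24-hour lookback (`earliest=-24h`) and the `lastSeen` field name are assumptions made for this example.

```spl
| tstats latest(_time) AS lastSeen WHERE (index=XXX OR index=YYY OR index=ZZZ) earliest=-24h BY index, host
| eval age = now() - lastSeen
| eval status = if(age < 1800, "Running", "DOWN")
| where status = "DOWN"
| eval LastActiveOn = strftime(lastSeen, "%m/%d/%Y %H:%M:%S")
| eval age = tostring(age, "duration"), host = upper(host)
| table index host age LastActiveOn status
| rename index AS "Index", host AS "Forwarder Name", age AS "Last Heartbeat", LastActiveOn AS "Last Active On", status AS Status
```

`latest(_time)` is the newest event timestamp, not the index-time `recentTime` that `metadata` reports, so hosts with skewed clocks can show a different age. A host that has sent nothing within the lookback window returns no row at all, so the window needs to be longer than the longest outage the alert should catch.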