I have this search:
| metadata type=hosts index=*a OR index=os index!=aruba
I want to get all the hosts in all the indexes except the aruba index.
The NOT command doesn't work either. How can I use the index=*a and not include the aruba index?
Try this:
| rest /services/data/indexes
| rename title as indexname
| search indexname != aruba
| table indexname
| map maxsearches=99 search=" | metadata type=hosts index=\"$indexname$\" | eval index=\"$indexname$\" "
I have also added an index column in case that helps too.
NOTE I have assumed you don't have more than 99 indexes. If so feel free to increase the maxsearches value as it can't be unlimited I'm afraid.
It helps to know the metadata command is essentially a macro around tstats. For the clueful, I will translate:
The firstTime field is min(_time).
The lastTime field is max(_time).
The recentTime field is max(_indextime).
Now you can build your own tstats-based search and have full control over what is searched (or not).
I commented about this here:
https://answers.splunk.com/answers/567047/metadata-showing-wrong-last-indexed-time.html?childToView=...
This was the answer I used. I changed the search just a little, but this worked. Thanks.
I am testing this now. Why is it important to limit the maxsearches? Won't this just return only the number of indexes that match the index= criteria?
If you don't specify maxsearches then it will default to 10 and map will only run for the first 10 indexes returned.
If you have more than 10 indexes then you are going to lose some results.
I would use tstats for this
| tstats count WHERE (index=*a OR index=os) NOT index=aruba BY host
I downvoted this post because this doesn't work
thanks but I wanted to get the metadata like host, firstTime, lastTime, recentTime, totalCount
I keep all my ORGs in different indexes and was asked to provide states from each index along with metrics on each system.
I don't know if I can get this from tstats? Or do I use tstats with the metadata search?
I tried the tstats and it is way slower than the metadata as it is actually doing a count
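Added example, not posted by anyone in this thread, that combines the tstats translation of metadata given earlier (firstTime = min(_time), lastTime = max(_time), recentTime = max(_indextime), totalCount = count) with the exclusion asked about in the question, so the four metadata fields come back per host without the aruba index. The OR is parenthesised so the exclusion applies to both index patterns, the per-index rows are rolled up to one row per host as metadata does, and the epoch values are formatted for reading; index names are the ones from the question.

```spl
| tstats count AS totalCount
         min(_time) AS firstTime
         max(_time) AS lastTime
         max(_indextime) AS recentTime
    WHERE (index=*a OR index=os) NOT index=aruba
    BY index host
| stats sum(totalCount) AS totalCount
        min(firstTime) AS firstTime
        max(lastTime) AS lastTime
        max(recentTime) AS recentTime
        values(index) AS indexes
    BY host
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S"),
       recentTime=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| table host indexes totalCount firstTime lastTime recentTime
| sort host
```

Run it over the same time range as the metadata search; as noted above it counts events from the tsidx files rather than reading the stored metadata summary, so expect it to be slower on large indexes.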
I would go with @Javiergn if you're looking for other metadata fields.