Metadata Vs Metasearch
In this post we are going to cover two Splunk’s lesser known commands “metadata” and “metasearch” and also try to have a comparison between them.
Metadata : The metadata command is a generating command, returns the host, source or sourcetype based on the index(es), search peers . It respects the time range picker.
Syntax for metadata:
| metadata type=<metadata-type> [<index-specifier>]
[splunk_server=<wc-string>] [splunk_server_group=<wc-string>]
While using the “metadata” command you must specify the value for the “type” argument (hosts, sources or sourcetypes).
The screenshot below shows an example metadata query,
In the above query, we have used “index=*”, so it returns corresponding fields from all the indexes.
If you don’t specify “index” in your metadata query, it searches the default (main, by default) index only.
The metadata command returns the following fields (depending on the “type”),
firstTime – shows the timestamp(in epoch) when any data was indexed to the splunk platform from the corresponding host/source/sourcetype. host/source/sourcetype – shows the host,source or sourcetype. lastTime – shows the timestamp(in epoch) of the last time the indexer received an event from this host/source/sourcetype. recentTime – shows the “indextime” timestamp(in epoch) of the event that the indexer received from this host/source/sourcetype. totalCount – count of the events from the host/source/sourcetype. type – this field shows the value you specified with the argument “type” i.e. hosts,sources,sourcetypes.
Metasearch: This command returns the metadata based on index(es), allows to use search terms and logical expressions, is an event-generating command, respects time range picker and also allows time-modifiers.
Syntax for metasearch:
| metasearch [<logical-expression>]
Below is a screenshot showing the output of the “metasearch” command,
Clearly, the “metasearch” command returns the following metadata/default fields,(since we didn’t specify any index it only searches the default index.)
_time – the event timestamp. host – host of the event (IP_address,host name of the device sending the events) index – index in which this event is stored. source – source of the event (origin of the data, generally files) sourcetype – sourcetype of the event. splunk_server – shows the search peer associated with the event.
NOTE: You can specify logical expressions/ search terms after the “metasearch” command.
Here is one more example for you,
The query shown in the screen shot below filters out the events based on the search term “disconnect*” from the index “main”, and returns only the default fields.
metadata vs metasearch
The metadata command doesn’t search the events, in fact it works on the aggregation that splunk has built over time, on the values of specific fields(returned by this command) and thus is faster of the two. Also, since it works on aggregated data the results may not be that precise if you are searching for any time frame less than “All time”.
While the metasearch command has association with the events, although it pivots around the metadata/default fields, it can come handy if you are working on the metadata/default fields associated with specific events, in other words when you want to have the metadata/default fields based on specific filters on your events.
In a nutshell, the metadata command works with only some specific fields and has very limited scope/limited usage, while the metasearch command allows you to search using terms/logical expressions and returns the default fields from the events, instead of returning the event(s) itself or the other fields.
Hope!! You enjoyed the post.
Happy Splunking!!
