Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to search for index time extracted fields added to metadata

ankithreddy777
Contributor
‎01-30-2017 08:06 AM

I need only fields that are extracted during index_time which are added to _meta. How to search for them so that search is faster

0 Karma
Reply

somesoni2
Revered Legend
‎01-30-2017 08:11 AM

Try something like this. This should give a list of metadata fields available for an index-sourcetype combination.

| metasearch index=YourIndex sourcetype=YourSourceType | head 1 | transpose
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-30-2017 08:10 AM

Hi ankithreddy777,
use | metasearch before your search condition.
see http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Metasearch
Bye.
Giuseppe

Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...