Solved: useing metadata commend to display sourcetype host...

samlinsongguo · ‎03-27-2018

HI
I want to use | metadata commend to display sourcetype host and sources at the same time, so far I cant make connection between them.
As we know when I run | metadata type=sourcetypes search it will return me sourcetype information,like below

firstTime   lastTime   recentTime sourcetype totalCount type
151572    1515399    152170     RT2RO   108      sourcetypes

the output I am looking for is

firstTime   lastTime   recentTime sourcetype totalCount source       host
  151572    1515399    152170       RT2RO   108     \var\log\a   rt2.server.com

Can this be done using | metadata command?
The reason I want to use it is just because it give result fast 🙂
Thanks in advance

adonio · ‎03-27-2018

hello there,
not sure how to achieve with | metadata (without | append or | appendcols ) but give ashot to the next search:
|tstats count as event_count min(_time) as firstTime max(_time) as lastTime by host source sourcetype where index=*

hope it helps

View solution in original post

adonio · ‎03-27-2018

hello there,
not sure how to achieve with | metadata (without | append or | appendcols ) but give ashot to the next search:
|tstats count as event_count min(_time) as firstTime max(_time) as lastTime by host source sourcetype where index=*

hope it helps

samlinsongguo · ‎03-28-2018

Thanks Adonio, not very familiar with tstats but it got what I want thanks again.

useing metadata commend to display sourcetype host and sources at the same time

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!