.generate metadata (Deprecated)
The .generate metadata command prescans selected portions of your data to generate metadata.
Deprecated Feature
Cribl is deprecating this feature in preparation for a different solution. We’ll remove it in a future release.
Please continue to report issues through normal Cribl support channels, but assistance for deprecated features might be limited.
// prescan all fields in the cribl_search_sample Dataset
.generate metadata(cribl_search_sample)Purpose
Use .generate metadata to improve search performance for specific
Datasets.
Running .generate metadata on large Datasets can take quite a while, but it can significantly improve performance when
searching the prescanned fields. When the command is running, the results display periodic status updates. If you plan to run .generate metadata on large Datasets, consider adjusting the Running time limit.
To automatically prescan your data on a regular basis, use Dataset Acceleration.
You can use .generate metadata with the following Dataset Provider types:
To see which Datasets already contain Cribl Search metadata, run
dataset=$vt_object_list_summary.
Permissions
| Search Member Type | Permissions |
|---|---|
| Admin | Can generate metadata for all Datasets in their Organization. |
| Editor | Can generate metadata only for those Datasets that they created themselves or that were shared with them. |
| User | Can generate metadata only for those Datasets that were shared with them. |
Syntax
.generate metadata(DatasetID) [on Field[, ...]] [with ([earliest=TimeString] [latest=TimeString] [mode=Mode] [reason=Reason])]
You can also combine this command with operators.
Parameters
| Parameter | Type | Description |
|---|---|---|
DatasetID | string | The ID of the Dataset that you want to prescan. Wildcards * are not supported. |
Field | string | The name of the field to prescan. If not specified, .generate metadata prescans only the _time field in the specified Dataset. Separate multiple fields with a comma ,. |
TimeString | string | A relative or absolute timestamp. See time syntax for details. |
Mode | string | Scan mode. Can be detailed (default) or quick. |
Reason | string | The reason for running the .generate metadata command, which is added to the Cribl Search audit log. |
Returns
Returns a table that lets you track the analysis progress.
When the command finishes running, each prescanned event is enriched with a new nested field: statistics.
For each field specified in the command (and always for the _time field), the statistics field contains the
following metadata:
min: The minimum value of the field in a given Dataset.max: The maximum value of the field in a given Dataset.
Examples
Prescan the cribl_search_sample Dataset for the last 2 weeks. Use human-readable time syntax format for relative timestamps.
.generate metadata(cribl_search_sample)
with (earliest=-2w reason="Analyzing data from the last two weeks")Prescan the cribl_search_sample Dataset for the month of January 2024. Use Unix time for absolute timestamps.
.generate metadata(cribl_search_sample)
with (earliest=1704067200 latest=1706745599 reason="Analyzing January 2024 data")Prescan the bytes field and the _time field in the cribl_search_sample Dataset.
.generate metadata(cribl_search_sample) on bytes