https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90154#M18704 <P>Yes you can, with a userid that has can_delete privilege (admin does not have that by default).<BR /> Construct a search that returns all events you want deleted, make sure the result is what you expect and add "| delete" once you are sure.<BR /> Note that events will not be deleted physically, so if you want to reclaim the disk space immediately, I think you would have to delete and recreate the index and re-index everything.</P> Thu, 11 Apr 2013 00:17:09 GMT stefandagerman 2013-04-11T00:17:09Z https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90149#M18699 <P>I extracted the host names wrong, and now I have extra names in my Splunk. Example: Server01 vs. Server1 and Server02 vs. Server2, etc.</P> <P>What's the best way to fix this so I only have Server01, Server02, etc.? Delete? Rename? Any suggestions?</P> <P>Thanks!</P> Wed, 10 Apr 2013 18:44:39 GMT https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90149#M18699 lain179 2013-04-10T18:44:39Z https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90150#M18700 <P>You cannot rename the host field, once it's been indexed. However, you can dynamically change it as part of the search for the duration of that search. (say you indexed <CODE>server1.domain.com</CODE>, buy you just wanted the <CODE>server1</CODE>)</P> <P><CODE>... | rex field=host "(?&lt;host&gt;[^.]+)" | ...</CODE></P> <P>Not really neat. Will probably have effects on drill-downs etc, where the new host field value won't match indexed data....Other than that, wait until the data ages out of your index.. or delete and re-index.</P> <P>/K</P> Wed, 10 Apr 2013 20:36:02 GMT https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90150#M18700 kristian_kolb 2013-04-10T20:36:02Z https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90151#M18701 <P>If you don't want to or cannot reindex your data, I would probably use tags or create a new field with an appropriate RegEx that normalizes your server names. You'd then use the tag or new field name in your searches rather than the original server name.</P> Wed, 10 Apr 2013 20:37:13 GMT https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90151#M18701 stefandagerman 2013-04-10T20:37:13Z https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90152#M18702 <P>Note that that new field won't be indexed like the 'host' field is.</P> Wed, 10 Apr 2013 20:38:53 GMT https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90152#M18702 stefandagerman 2013-04-10T20:38:53Z https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90153#M18703 <P>I don't need those logs with wrong host names as I re-import the data with correct host names. So can I just delete them? Is there a way to selectively delete indexed data?</P> Wed, 10 Apr 2013 23:55:02 GMT https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90153#M18703 lain179 2013-04-10T23:55:02Z https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90154#M18704 <P>Yes you can, with a userid that has can_delete privilege (admin does not have that by default).<BR /> Construct a search that returns all events you want deleted, make sure the result is what you expect and add "| delete" once you are sure.<BR /> Note that events will not be deleted physically, so if you want to reclaim the disk space immediately, I think you would have to delete and recreate the index and re-index everything.</P> Thu, 11 Apr 2013 00:17:09 GMT https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90154#M18704 stefandagerman 2013-04-11T00:17:09Z https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90155#M18705 <P>Ok, thanks!</P> Fri, 12 Apr 2013 22:15:32 GMT https://community.splunk.com/t5/Getting-Data-In/incorrect-host-names/m-p/90155#M18705 lain179 2013-04-12T22:15:32Z