Archive

How to remove all references to an errant host?

fziegler
New Member

Hi. I'm running a single splunk6 indexer.
It is being fed by approx 20 linux and windows UniversalForwarders.

One of the forwarding machines is named: display1.jdc.op
I'm seeing references to a machine named: display1

I want to start clean, and remove ALL references, in ALL indexes, to any-and-all data from both display1 and display1.jdc.op

Is this easily done?
thanks!

fred.ziegler@alum.mit.edu

Tags (1)
0 Karma

lukejadamec
Super Champion

Yes and no.

You can delete all references to those hosts in the indexes with the delete command, see the doc and read the doc - it's easy, but irreversable.

You cannot, however, delete data from meta data, so meta data searches will still contain references to those host names.

http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/RemovedatafromSplunk

See this post if you need help with reindexing the data.

http://answers.splunk.com/answers/684/after-fixing-propsconf-how-to-re-index-the-same-files-using-th...

0 Karma