Hello Team,
Can someone help me figure out how to delete a data source? I went over the limit for the 500MB a day with the free license and would like to remove a couple of data sources to make sure I stay within the daily quota. The screenshot below shows one data source I would like to remove from indexing. I did search Google for ways to do this but did not find anything. Thanks for reading this.
Regards,
rogue carrot
Check the host index/sourcetype.If it is internal data,then that host is not the reason for violation.
And if you still want not to index,then you have an option to send data from 127..... host to null queue:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad
And regarding delete command,if the indexed data is internal for that host then no affect of deleting events.Find the doc for delete command
https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Delete
@rogue_carrot Check the Data Source/Sourcetype from the Host. Since it is the local loopback address. Seems like it is coming from your Splunk Server (indexer) itself. Check the sourcetype and remoce it from server.
Yes this is from the localhost. Do you have a list of steps I can take to delete this from being indexed?
Is this a test system? If so, you may try the delete command. Be careful though. You also want to disable the input once you find it.
This is sort of a test system. Where would I use the delete command? How do I disable inputs?