Archive
Highlighted

How to remove something from being indexed?

Communicator

Hello Team,

Can someone help me figure out how to delete a data source? I went over the limit for the 500MB a day with the free license and would like to remove a couple of data sources to make sure I stay within the daily quota. The screenshot below shows one data source I would like to remove from indexing. I did search Google for ways to do this but did not find anything. Thanks for reading this.

Data Summary screen shot

Regards,

rogue carrot

Tags (1)
0 Karma
Highlighted

Re: How to remove something from being indexed?

Legend

@rogue_carrot Check the Data Source/Sourcetype from the Host. Since it is the local loopback address. Seems like it is coming from your Splunk Server (indexer) itself. Check the sourcetype and remoce it from server.




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: How to remove something from being indexed?

Communicator

Yes this is from the localhost. Do you have a list of steps I can take to delete this from being indexed?

0 Karma
Highlighted

Re: How to remove something from being indexed?

SplunkTrust
SplunkTrust

Is this a test system? If so, you may try the delete command. Be careful though. You also want to disable the input once you find it.

0 Karma
Highlighted

Re: How to remove something from being indexed?

Communicator

This is sort of a test system. Where would I use the delete command? How do I disable inputs?

0 Karma
Highlighted

Re: How to remove something from being indexed?

Motivator

Check the host index/sourcetype.If it is internal data,then that host is not the reason for violation.

And if you still want not to index,then you have an option to send data from 127..... host to null queue:

http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad

And regarding delete command,if the indexed data is internal for that host then no affect of deleting events.Find the doc for delete command

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Delete

0 Karma