Deployment Architecture

How to remove something from being indexed?


Hello Team,

Can someone help me figure out how to delete a data source? I went over the limit for the 500MB a day with the free license and would like to remove a couple of data sources to make sure I stay within the daily quota. The screenshot below shows one data source I would like to remove from indexing. I did search Google for ways to do this but did not find anything. Thanks for reading this.

Data Summary screen shot


rogue carrot

Tags (1)
0 Karma


Check the host index/sourcetype.If it is internal data,then that host is not the reason for violation.

And if you still want not to index,then you have an option to send data from 127..... host to null queue:

And regarding delete command,if the indexed data is internal for that host then no affect of deleting events.Find the doc for delete command

0 Karma


@rogue_carrot Check the Data Source/Sourcetype from the Host. Since it is the local loopback address. Seems like it is coming from your Splunk Server (indexer) itself. Check the sourcetype and remoce it from server.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


Yes this is from the localhost. Do you have a list of steps I can take to delete this from being indexed?

0 Karma

Path Finder

Is this a test system? If so, you may try the delete command. Be careful though. You also want to disable the input once you find it.

0 Karma


This is sort of a test system. Where would I use the delete command? How do I disable inputs?

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...