How to remove something from being indexed?

rogue_carrot · ‎06-07-2018

Hello Team,

Can someone help me figure out how to delete a data source? I went over the limit for the 500MB a day with the free license and would like to remove a couple of data sources to make sure I stay within the daily quota. The screenshot below shows one data source I would like to remove from indexing. I did search Google for ways to do this but did not find anything. Thanks for reading this.

Regards,

rogue carrot

ansif · ‎06-08-2018

Check the host index/sourcetype.If it is internal data,then that host is not the reason for violation.

And if you still want not to index,then you have an option to send data from 127..... host to null queue:

http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad

And regarding delete command,if the indexed data is internal for that host then no affect of deleting events.Find the doc for delete command

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Delete

niketn · ‎06-07-2018

@rogue_carrot Check the Data Source/Sourcetype from the Host. Since it is the local loopback address. Seems like it is coming from your Splunk Server (indexer) itself. Check the sourcetype and remoce it from server.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rogue_carrot · ‎06-07-2018

Yes this is from the localhost. Do you have a list of steps I can take to delete this from being indexed?

nswondem · ‎06-07-2018

Is this a test system? If so, you may try the delete command. Be careful though. You also want to disable the input once you find it.

rogue_carrot · ‎06-07-2018

This is sort of a test system. Where would I use the delete command? How do I disable inputs?

How to remove something from being indexed?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio