Hello,
I am new to Splunk and I fall into every trap.
I have configured UF on a Linux server to monitor /var/log/sa.
The problem is that it has created more than 1,500 Hosts in Summary -> Hosts. This is coming from binary files in /var/log/sa. I believed Splunk did not index binaries?
I have blacklisted undesirable files in the UF inputs.conf:
[monitor:///var/log]
disabled=false
sourcetype=syslog
host=xxx.ovh.net
# blacklist is a regular expression matched against the full path, not a shell glob
blacklist = (sa|bandwidth|dcpumon|\.gz$)
Now I want to clean my Hosts list and (if possible) the data. How do I do that?
Since I am still in a learning and trial phase, I could reset all Splunk data, but how do I do that without losing all my configuration?
Thanks for the help.
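As an added check that is not part of the thread: Splunk evaluates a monitor blacklist as a regular expression searched anywhere in the full path, so a bare `sa` term also drops files such as /var/log/messages. The dry-run below runs a blacklist pattern over a constructed list of paths (assumed names, not files from the poster's server) so the effect can be seen before restarting the forwarder.

```shell
#!/bin/sh
# Added example: dry-run a Splunk monitor blacklist regex against a list of
# paths to see which files it would exclude. Splunk applies the blacklist as
# a PCRE search against the full path, so unanchored terms match anywhere.

# Constructed sample of paths under /var/log (not taken from a real host).
SAMPLE_PATHS='/var/log/messages
/var/log/secure
/var/log/sa/sa01
/var/log/sa/sar01
/var/log/bandwidth.log
/var/log/dcpumon/today
/var/log/syslog.1.gz
/var/log/cron'

# Print the sample paths a blacklist regex would exclude from monitoring.
excluded() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -- "$1" || true
}

# Print the sample paths that would still be monitored.
kept() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -v -- "$1" || true
}

# The pattern from the thread (with the .gz term written as a valid regex):
# "sa" is unanchored, so it also matches "messages".
ORIGINAL='(sa|bandwidth|dcpumon|\.gz$)'
# Tighter variant (assumed, not from the thread): only the /var/log/sa directory.
TIGHTER='(/sa/|bandwidth|dcpumon|\.gz$)'

echo "== excluded by $ORIGINAL"; excluded "$ORIGINAL"
echo "== still monitored with $ORIGINAL"; kept "$ORIGINAL"
echo "== excluded by $TIGHTER"; excluded "$TIGHTER"
echo "== still monitored with $TIGHTER"; kept "$TIGHTER"
```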
Thanks for your help.
I think that the indexes are OK now that I have sa blacklisted.
My problem is the 1500+ false Hosts in the Summary -> Hosts section.
If you want to wipe all data, do a splunk clean eventdata on the indexer.
Go to the directory where the splunk binary (.exe) resides - if you haven't changed it, it should be in
c:\program files\splunk\bin
then type
splunk help clean
There you should find out what you need to know. If prompted for a username/password because the session is invalid, type them here. By default the username is 'admin' and the password is 'changeme', unless you changed it of course. More info to be had here:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/RemovedatafromSplunk
/kristian
In fact I am not sure to have done it properly. What do you mean exactly by "do a"? My indexer is on a local Windows box. Where should I enter this command?
Thank you. I have done it. But the 1500+ Hosts still remain!
I am not sure I understand your question. Do you just want to clear your indexes, or do you want to delete the events?