I am new to Splunk and I fall into every trap.
I have configured UF on a Linux server to monitor /var/log/sa.
The problem is that it has created more than 1,500 hosts in Summary -> Hosts. This is coming from binary files in /var/log/sa. I believed Splunk did not index binaries?
I have blacklisted undesirable files in the UF inputs.conf :
[monitor://var/log]
disabled=false
sourcetype=syslog
host=xxx.ovh.net
blacklist = (sa|bandwidth|dcpumon|\*.gz$)
Now I want to clean my Hosts list and (if possible) the data. How do I do that?
Since I am still in a learning and trial phase, I could reset all Splunk data, but how do I do that without losing all my configuration?
Thanks for the help.
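An added check, not part of the question or the answer above: Splunk applies a monitor blacklist as an unanchored regex search over the full file path, so it is worth running the posted pattern against a few constructed paths before trusting it. The `TIGHTENED_BLACKLIST` pattern and the sample paths are assumptions made for this illustration.

```python
import re

# The blacklist exactly as posted in the question.
POSTED_BLACKLIST = r"(sa|bandwidth|dcpumon|\*.gz$)"

# An assumed alternative (not from the page): anchor the sysstat directory
# and escape the dot so that only real .gz files match the last alternative.
TIGHTENED_BLACKLIST = r"(/var/log/sa/|bandwidth|dcpumon|\.gz$)"

# Constructed sample paths of the kind a /var/log monitor input would see.
SAMPLE_PATHS = [
    "/var/log/sa/sa01",         # binary sysstat file: should be excluded
    "/var/log/sa/sar01",        # text sysstat report
    "/var/log/syslog.2.gz",     # rotated, compressed log: should be excluded
    "/var/log/samba/log.smbd",  # text log whose path merely contains "sa"
    "/var/log/messages",        # ordinary syslog: should be monitored
    "/var/log/bandwidth.log",
]


def is_blacklisted(path, blacklist):
    """True if the path matches the blacklist regex anywhere (unanchored search).

    For these patterns Python's re behaves the same as Splunk's PCRE engine.
    """
    return re.search(blacklist, path) is not None


def monitored(paths, blacklist):
    """Return the paths the forwarder would still monitor under this blacklist."""
    return [p for p in paths if not is_blacklisted(p, blacklist)]


if __name__ == "__main__":
    # The posted pattern drops /var/log/messages (it contains "sa") and keeps
    # the .gz file (the "\*" requires a literal asterisk), the opposite of the intent.
    for name, pattern in (("posted", POSTED_BLACKLIST), ("tightened", TIGHTENED_BLACKLIST)):
        print(name, monitored(SAMPLE_PATHS, pattern))
```

Checking the pattern this way is cheaper than cleaning an index afterwards: the bare `sa` alternative also matches `messages` and `samba`, while `\*.gz$` never matches a rotated log at all.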
Go to the directory where the splunk binary (.exe) resides - if you haven't changed it, it should be in
splunk help clean
There you should find out what you need to know. If prompted for a username/password because the session is invalid, type them here. By default the username is 'admin' and the password is 'changeme', unless you changed it of course. More info to be had here;