Getting Data In

Remove generic index data.

jviteka
Explorer

Does anyone know how to remove the generic Host-001, ACME-001, etc that shows up in the indexed data? I think this is just like sample data but I dont know how to get rid of it.

Tags (3)
0 Karma
1 Solution

sdaniels
Splunk Employee
Splunk Employee

See this previous answer. You can use the delete command to remove that specific data from the index so you'll no longer see it.

http://answers.splunk.com/answers/71540/removing-data-from-splunk-by-host

View solution in original post

0 Karma

Unister
Explorer

I had the same problem. The events are generated by SA-Eventgen. To disable this behavior you can configure the app via GUI or insert this in etc/apps/SA-Eventgen/local/inputs.conf:

[script://./bin/eventgen.py]
disabled = 1

In my case the events are coming from the PCI app with its sub apps.

0 Karma

sdaniels
Splunk Employee
Splunk Employee

See this previous answer. You can use the delete command to remove that specific data from the index so you'll no longer see it.

http://answers.splunk.com/answers/71540/removing-data-from-splunk-by-host

0 Karma

jviteka
Explorer

Thank you!

0 Karma

sdaniels
Splunk Employee
Splunk Employee

The online docs have everything you should need. Sounds like you have a script running that is populating data.

http://docs.splunk.com/Documentation/Splunk/6.0/admin/Inputsconf

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

0 Karma

jviteka
Explorer

Thats the thing, I dont know where it is coming from because it is giving me ACME and Host as the name and I do not have this on my network nor do i have any of the usernames and domains it is showing. I believe this to be false data. I will look for the input.conf file but I dont know where it is located. I really appreciate all the help so far!

0 Karma

sdaniels
Splunk Employee
Splunk Employee

You still need to make sure that is not configured to come into Splunk from those hosts. Check inputs.conf to make sure. Search for the data from those hosts over all time and then pipe to delete and it will be removed as long as there isn't new data coming in.

0 Karma

jviteka
Explorer

Thank you! I am still seeing the HOST-001 and ACME-001 showing up though. They are coming from my "ALL" and "main" index. How can I delete the data from these and is it safe to just delete these indexes?

0 Karma

sdaniels
Splunk Employee
Splunk Employee

You could do a search like host=Host-001 | delete. This will bring up all data for that host and delete. You'll need to go into your admin role and temporarily enable the ability for him to delete data (can_delete i think). Then best to remove that capability.

0 Karma

jviteka
Explorer

thank you. Can you tell me where I would input the "splunk stop" commands? I am lost with getting these commands to function properly. Thanks again!

0 Karma
Get Updates on the Splunk Community!

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...