Getting Data In

Remove generic index data.

Explorer

Does anyone know how to remove the generic Host-001, ACME-001, etc. that show up in the indexed data? I think this is just like sample data, but I don't know how to get rid of it.

1 Solution

Splunk Employee

See this previous answer. You can use the delete command to remove that specific data from the index so you'll no longer see it.

http://answers.splunk.com/answers/71540/removing-data-from-splunk-by-host

Explorer

I had the same problem. The events are generated by SA-Eventgen. To disable this behavior you can configure the app via the GUI or insert this in etc/apps/SA-Eventgen/local/inputs.conf:

[script://./bin/eventgen.py]
disabled = 1

In my case the events are coming from the PCI app with its sub apps.

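As an added example (not code from the thread and not part of SA-Eventgen itself), the following POSIX shell script applies the local/inputs.conf override from the reply above and checks that it took. SPLUNK_HOME defaulting to /opt/splunk is an assumption; the app directory SA-Eventgen and the script path ./bin/eventgen.py are the ones named in the reply.

```shell
#!/bin/sh
# Added example, not code from the original thread or from SA-Eventgen.
# Disables the SA-Eventgen scripted input by writing the override stanza
# into the app's local/inputs.conf. Assumes a standard layout under
# SPLUNK_HOME (default /opt/splunk, an assumption).
set -eu

STANZA='[script://./bin/eventgen.py]'

# Path to the app's local/inputs.conf for a given SPLUNK_HOME.
# local/ overrides default/ in Splunk's configuration precedence, so the
# app's shipped default/inputs.conf is never edited and survives upgrades.
local_inputs_conf() {
  printf '%s/etc/apps/SA-Eventgen/local/inputs.conf\n' "${1:-${SPLUNK_HOME:-/opt/splunk}}"
}

# Write disabled = 1 for the eventgen stanza. Idempotent: an existing stanza
# gets its disabled key replaced instead of a duplicate stanza being appended.
disable_eventgen() {
  conf="$(local_inputs_conf "${1:-}")"
  app_dir="${conf%/local/inputs.conf}"
  [ -d "$app_dir" ] || { echo "SA-Eventgen not found at $app_dir" >&2; return 1; }
  mkdir -p "${conf%/inputs.conf}"

  if [ -f "$conf" ] && grep -qxF "$STANZA" "$conf"; then
    # Stanza exists: re-emit it with one disabled = 1 right under the header,
    # dropping any disabled line already inside that stanza.
    awk -v s="$STANZA" '
      $0 == s { print; print "disabled = 1"; in_s = 1; next }
      /^\[/   { in_s = 0 }
      in_s && /^[ \t]*disabled[ \t]*=/ { next }
      { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  else
    # Start on a fresh line if the file exists without a trailing newline.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then echo >> "$conf"; fi
    printf '%s\ndisabled = 1\n' "$STANZA" >> "$conf"
  fi
  echo "$conf"
}

# Check: exit 0 only if local/inputs.conf marks the eventgen stanza disabled.
eventgen_disabled() {
  conf="$(local_inputs_conf "${1:-}")"
  [ -f "$conf" ] || return 1
  awk -v s="$STANZA" '
    $0 == s { in_s = 1; next }
    /^\[/   { in_s = 0 }
    in_s && /^[ \t]*disabled[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); val = $0; sub(/[ \t]+$/, "", val)
    }
    END { code = (val == "1" || val == "true") ? 0 : 1; exit code }
  ' "$conf"
}

# Usage on the Splunk host (needs write access to $SPLUNK_HOME/etc/apps):
#   disable_eventgen && splunk restart
```

After running it, splunk btool inputs list --debug | grep -i eventgen shows which file each setting of that stanza now comes from (the local/ line should win), and the input stops on the next splunk restart. Stopping the generator does not remove events already indexed: the host=Host-001 | delete search given further down marks those events unsearchable rather than freeing disk, and it needs the delete_by_keyword capability, which the built-in can_delete role carries and the admin role does not have by default.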

Explorer

Thank you!


Splunk Employee

The online docs have everything you should need. Sounds like you have a script running that is populating data.

http://docs.splunk.com/Documentation/Splunk/6.0/admin/Inputsconf

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles


Explorer

That's the thing, I don't know where it is coming from because it is giving me ACME and Host as the name, and I do not have this on my network, nor do I have any of the usernames and domains it is showing. I believe this to be false data. I will look for the inputs.conf file, but I don't know where it is located. I really appreciate all the help so far!


Splunk Employee

You still need to make sure that it is not configured to come into Splunk from those hosts. Check inputs.conf to make sure. Search for the data from those hosts over all time and then pipe to delete, and it will be removed as long as there isn't new data coming in.


Explorer

Thank you! I am still seeing the HOST-001 and ACME-001 showing up though. They are coming from my "ALL" and "main" index. How can I delete the data from these and is it safe to just delete these indexes?


Splunk Employee

You could do a search like host=Host-001 | delete. This will bring up all data for that host and delete it. You'll need to go into your admin role and temporarily enable the ability for it to delete data (can_delete, I think). Then it's best to remove that capability.


Explorer

Thank you. Can you tell me where I would input the "splunk stop" commands? I am lost with getting these commands to function properly. Thanks again!
