See this previous answer. You can use the delete command to remove that specific data from the index so you'll no longer see it.
http://answers.splunk.com/answers/71540/removing-data-from-splunk-by-host
I had the same problem. The events are generated by SA-Eventgen. To disable this behavior you can configure the app via GUI or insert this in etc/apps/SA-Eventgen/local/inputs.conf:
[script://./bin/eventgen.py]
disabled = 1
In my case the events are coming from the PCI app with its sub apps.
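Added example, not code from the thread or from the SA-Eventgen app: Splunk layers an app's local/inputs.conf over its default/inputs.conf stanza by stanza, which is why the two-line local override above is enough to stop the scripted input. The parser, the merge, and the sample default/local contents below are constructed to show which script:// inputs would still be effectively enabled before and after such an override.

```python
def parse_conf(text):
    """Minimal Splunk .conf parser: '#' comments, [stanza] headers, key = value.
    Returns {stanza: {key: value}}. Constructed for this example; it ignores
    multi-line values that real Splunk conf files may contain."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_inputs(default_text, local_text):
    """Merge local over default key by key, the precedence Splunk applies."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged


def enabled_scripted_inputs(default_text, local_text):
    """Names of script:// stanzas whose effective 'disabled' is not 1/true."""
    merged = effective_inputs(default_text, local_text)
    return sorted(name for name, kv in merged.items()
                  if name.startswith("script://")
                  and kv.get("disabled", "0").lower() not in ("1", "true"))


def disable_stanza(name):
    """Text to append to local/inputs.conf to switch a stanza off."""
    return f"[{name}]\ndisabled = 1\n"


# Constructed sample layers modelled on the SA-Eventgen case in the thread.
DEFAULT_INPUTS = """
[script://./bin/eventgen.py]
interval = 60
sourcetype = eventgen
disabled = 0
"""
LOCAL_INPUTS = disable_stanza("script://./bin/eventgen.py")

if __name__ == "__main__":
    print("enabled before override:", enabled_scripted_inputs(DEFAULT_INPUTS, ""))
    print("enabled after override:", enabled_scripted_inputs(DEFAULT_INPUTS, LOCAL_INPUTS))
```

Point it at the real files with btool (splunk btool inputs list --debug) to confirm which layer wins on a live instance; the merge here only covers one app's default/ and local/ pair.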
Thank you!
The online docs have everything you should need. Sounds like you have a script running that is populating data.
http://docs.splunk.com/Documentation/Splunk/6.0/admin/Inputsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
That's the thing, I don't know where it is coming from because it is giving me ACME and Host as the name and I do not have this on my network nor do I have any of the usernames and domains it is showing. I believe this to be false data. I will look for the input.conf file but I don't know where it is located. I really appreciate all the help so far!
You still need to make sure that is not configured to come into Splunk from those hosts. Check inputs.conf to make sure. Search for the data from those hosts over all time and then pipe to delete and it will be removed as long as there isn't new data coming in.
Thank you! I am still seeing the HOST-001 and ACME-001 showing up though. They are coming from my "ALL" and "main" index. How can I delete the data from these and is it safe to just delete these indexes?
You could do a search like host=Host-001 | delete. This will bring up all data for that host and delete it. You'll need to go into your admin role and temporarily enable the ability for him to delete data (can_delete, I think). Then it's best to remove that capability.
Thank you. Can you tell me where I would input the "splunk stop" commands? I am lost with getting these commands to function properly. Thanks again!