See this previous answer. You can use the delete command to remove that specific data from the index so you'll no longer see it.
Thank you. Can you tell me where I would input the "splunk stop" commands? I am lost with getting these commands to function properly. Thanks again!
You could do a search like host=Host-001 | delete. This will bring up all data for that host and delete it. You'll need to go into your admin role and temporarily enable the ability for him to delete data (can_delete, I think). Then it's best to remove that capability.
Thank you! I am still seeing HOST-001 and ACME-001 showing up though. They are coming from my "ALL" and "main" index. How can I delete the data from these, and is it safe to just delete these indexes?
You still need to make sure that data is not configured to come into Splunk from those hosts. Check inputs.conf to make sure. Search for the data from those hosts over all time and then pipe to delete, and it will be removed as long as there isn't new data coming in.
That's the thing, I don't know where it is coming from because it is giving me ACME and Host as the name, and I do not have this on my network, nor do I have any of the usernames and domains it is showing. I believe this to be false data. I will look for the inputs.conf file but I don't know where it is located. I really appreciate all the help so far!
The online docs have everything you should need. Sounds like you have a script running that is populating data.
I had the same problem. The events are generated by SA-Eventgen. To disable this behavior you can configure the app via GUI or insert this in:
[script://./bin/eventgen.py]
disabled = 1
In my case the events are coming from the PCI app with its sub apps.
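Added example, not from the thread or from Splunk: a small Python parser for the inputs.conf stanza format used above that reports which script:// inputs are still enabled, so an unexpected data source like the eventgen script can be located. The sample inputs.conf text is constructed for the example.

```python
import re

# Constructed sample inputs.conf for this example, not from any real deployment.
SAMPLE_INPUTS_CONF = """\
# scripted inputs for an app
[script://./bin/eventgen.py]
disabled = 1
interval = 60

[script://./bin/collector.sh]
interval = 300

[monitor:///var/log/messages]
disabled = 0
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}.
    Lines starting with '#' are comments; settings are 'key = value'."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # ignore settings outside any stanza and malformed lines
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_enabled(settings):
    """Splunk treats a missing 'disabled' key as enabled (disabled = 0)."""
    return settings.get("disabled", "0").lower() not in ("1", "true")


def enabled_script_inputs(text):
    """Return the script:// stanzas that will still run."""
    return sorted(name for name, s in parse_conf(text).items()
                  if name.startswith("script://") and is_enabled(s))


if __name__ == "__main__":
    for name in enabled_script_inputs(SAMPLE_INPUTS_CONF):
        print("still enabled:", name)
```

Splunk merges several inputs.conf files (default and local, per app), so run this over the file you edited or use `splunk btool inputs list --debug` to see the merged result with each setting's source file.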