Re: remove source

illuminato8 · ‎11-17-2019

I added a CSV file (sample1.csv) through "Upload files from my computer" (My host is DESKTOP-7FST5G). I did different search queries with it.
After some time I added second CSV file (sample2.csv)
If I do search now (eg index="main" ) it queries sample1.csv and sample2.csv at the same time. But I want only work with sample2.csv.
I tried to find a solution, but I found only one way:
host=DESKTOP-7FST5G | delete
But this query removes both sample1.csv and sample2.csv.
Can I specify for removal only sample1.csv?

woodcock · ‎11-17-2019

As @sduff said, the easiest/best way is to use the source field, but you can also use the _time field (with earliest= latest=) and the _indextime field (with _index_earliest= _index_latest=).

sduff_splunk · ‎11-17-2019

You can use the source field to be able to distinguish between the 2 sets of data.

If you do host=DESKTOP-7FST5G source="*sample1.csv", check that this returns only your first sample's data. If that true, then you can delete just sample1's data with host=DESKTOP-7FST5G source="*sample1.csv" | delete

remove source

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation