Re: remove source

illuminato8 · ‎11-17-2019

I added a CSV file (sample1.csv) through "Upload files from my computer" (My host is DESKTOP-7FST5G). I did different search queries with it.
After some time I added second CSV file (sample2.csv)
If I do search now (eg index="main" ) it queries sample1.csv and sample2.csv at the same time. But I want only work with sample2.csv.
I tried to find a solution, but I found only one way:
host=DESKTOP-7FST5G | delete
But this query removes both sample1.csv and sample2.csv.
Can I specify for removal only sample1.csv?

woodcock · ‎11-17-2019

As @sduff said, the easiest/best way is to use the source field, but you can also use the _time field (with earliest= latest=) and the _indextime field (with _index_earliest= _index_latest=).

sduff_splunk · ‎11-17-2019

You can use the source field to be able to distinguish between the 2 sets of data.

If you do host=DESKTOP-7FST5G source="*sample1.csv", check that this returns only your first sample's data. If that true, then you can delete just sample1's data with host=DESKTOP-7FST5G source="*sample1.csv" | delete

remove source

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

remove source

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk