Splunk Enterprise

Remove host with zero events


I have a few hosts that i created for temporary log analysis / testing. I have run the host through "| delete" and removed all the events.
But, the host lingers in the hosts list with the previous log count. But, when i open the host, there are no events.

How can i remove it from the list ?

I have Splunk Light version 6.3.3

Tags (1)
0 Karma

Ultra Champion

What do you mean with "the hosts list"?

0 Karma


I took a screenshot of it:

Here's the list of hosts. Some of these hosts have 0 events, even though the count is not.
When i click on the host to search it then i will see that there are 0 events. I just want to remove the host from this list.

0 Karma

Revered Legend

The host list you're mentioning here comes from metadata of all indexes. When you issue a | delete command against a data, it just make the data un-searchables, it doesn't actually removes the data from disk/clears metadata for it. Those hosts will go away once the data is rolled to frozen (archived or deleted). If you were using test indexes, just delete them and re-create them (assuming they don't have any useful data in them).

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!