Splunk Enterprise

Remove host with zero events

tsushi
Explorer

I have a few hosts that I created for temporary log analysis / testing. I have run the host through "| delete" and removed all the events.
But the host lingers in the hosts list with the previous log count. When I open the host, there are no events.

How can I remove it from the list?

I have Splunk Light version 6.3.3

0 Karma

FrankVl
Ultra Champion

What do you mean by "the hosts list"?

0 Karma

tsushi
Explorer

I took a screenshot of it:
https://imgur.com/a/8NQVBcJ

Here's the list of hosts. Some of these hosts have 0 events, even though the count is not.
When I click on the host to search it, I see that there are 0 events. I just want to remove the host from this list.

0 Karma

somesoni2
Revered Legend

The host list you're mentioning here comes from the metadata of all indexes. When you issue a | delete command against data, it just makes the data unsearchable; it doesn't actually remove the data from disk or clear the metadata for it. Those hosts will go away once the data is rolled to frozen (archived or deleted). If you were using test indexes, just delete them and re-create them (assuming they don't have any useful data in them).
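
A search that lists the hosts in this state, added here as an example and not part of the answer above: it compares the per-host count held in index metadata with the number of events that are still searchable. It assumes your role can search all non-internal indexes and that the result set is small enough for a `join` subsearch; the field name `searchable_events` is made up for this example.

```spl
| metadata type=hosts index=*
| fields host totalCount lastTime
| join type=left host
    [ search index=* earliest=0
      | stats count AS searchable_events BY host ]
| fillnull value=0 searchable_events
| where searchable_events=0
| convert ctime(lastTime)
| table host totalCount searchable_events lastTime
```

Every row returned is a host whose events are hidden from search but still counted in metadata, which also means the underlying data is still on disk until the bucket is frozen or the index is removed.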
