Splunk Enterprise

Remove host with zero events


I have a few hosts that i created for temporary log analysis / testing. I have run the host through "| delete" and removed all the events.
But, the host lingers in the hosts list with the previous log count. But, when i open the host, there are no events.

How can i remove it from the list ?

I have Splunk Light version 6.3.3

Tags (1)
0 Karma

Ultra Champion

What do you mean with "the hosts list"?

0 Karma


I took a screenshot of it:

Here's the list of hosts. Some of these hosts have 0 events, even though the count is not.
When i click on the host to search it then i will see that there are 0 events. I just want to remove the host from this list.

0 Karma

Revered Legend

The host list you're mentioning here comes from metadata of all indexes. When you issue a | delete command against a data, it just make the data un-searchables, it doesn't actually removes the data from disk/clears metadata for it. Those hosts will go away once the data is rolled to frozen (archived or deleted). If you were using test indexes, just delete them and re-create them (assuming they don't have any useful data in them).

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.