Splunk Enterprise

Remove host with zero events

Explorer

I have a few hosts that i created for temporary log analysis / testing. I have run the host through "| delete" and removed all the events.
But, the host lingers in the hosts list with the previous log count. But, when i open the host, there are no events.

How can i remove it from the list ?

I have Splunk Light version 6.3.3

Tags (1)
0 Karma

Ultra Champion

What do you mean with "the hosts list"?

0 Karma

Explorer

I took a screenshot of it:
https://imgur.com/a/8NQVBcJ

Here's the list of hosts. Some of these hosts have 0 events, even though the count is not.
When i click on the host to search it then i will see that there are 0 events. I just want to remove the host from this list.

0 Karma

SplunkTrust
SplunkTrust

The host list you're mentioning here comes from metadata of all indexes. When you issue a | delete command against a data, it just make the data un-searchables, it doesn't actually removes the data from disk/clears metadata for it. Those hosts will go away once the data is rolled to frozen (archived or deleted). If you were using test indexes, just delete them and re-create them (assuming they don't have any useful data in them).