I am getting an error when trying to delete a data source: "Error occurred attempting to remove 10.0.0.81, 10.0.0.82, 172.16.1.18:9997: In handler 'raw': Malformed IP address: 10.0.0.81, 10.0.0.82, 172.16.1.18:9997."
I have seen other posts about this same issue and tried to follow the suggestions of deleting the corrupt entry in the inputs.conf file; however, I'm unable to locate the correct file. I have Splunk Light installed on a Win 10 x64 box and I'm looking through the C:\Program Files\Splunk\etc\system\default folder. The inputs.conf file found in that folder doesn't contain anything related to the data source I want to delete. I searched the entire Splunk folder for "9997" and nothing came back. Is there somewhere else I should be looking?
Please run this command to get the running config:
./bin/splunk btool inputs list --debug
You can then search the output for the bad stanza. By adding --debug to the end of the command, Splunk will print the path to the config file that the line came from.
If you want to stop indexing data from a source, remove it from inputs.conf but it does not delete data which is already indexed.
inputs.conf can be located in etc/system/default OR /etc/system/local in the main installation or under apps if you have installed one
The inputs.conf in both the /default and /local folders do not contain information about the data source I created.
This is what I got:
C:\Program Files\Splunk\bin>btool inputs list --debug
SPLUNK_HOME must be set. Stopping.
Ok, you'll need to create a Windows environmental variable for $SPLUNK_HOME. Please set the SPLUNK_HOME variable to C:\Program Files\Splunk
I think I've done that but still get the same error message. How can I double check that the variable is set properly?
From the command prompt, type "set", you should see the environmental variable listed.
If you don't see it, follow these instructions to create one: https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysdm_advancd_enviro...
Thank you! That did it. After setting the environmental variable I was able to run the btool utility to see which config file contained the malformed settings. I then deleted the malformed stanza and that removed it from my data inputs. FYI, I found the inputs.config file in C:\Program Files\Splunk\etc\apps\search\local
That's great to hear. As renjith.nair mentioned below, this will only stop new data from coming in. If you want to delete the old data, you can run a search to pull back the old data and then add | delete to the end of the search.
A couple of things to note about the delete command: by default you won't have the capability to run the command, so you'll need to add this to your role under settings>access controls.
The delete command also doesn't actually delete the data on disk; it just marks it as deleted so Splunk won't include the data in your results. It won't actually get deleted until the underlying bucket rolls off.
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Delete
Thanks for that tip. I don't need to delete anything because the data source was never actually working, hence why I wanted to remove it.
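The btool lookup used in this thread can be automated; the following is an added example, not code from any poster or from Splunk. It assumes the `--debug` output puts the source .conf path first on each line and that the bad input was a `[tcp://...]` stanza (inferred from the 'raw' handler error); the sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `splunk btool inputs list --debug` output: each line is
# the source .conf path followed by the stanza header or setting it supplied.
SAMPLE = r"""
C:\Program Files\Splunk\etc\system\default\inputs.conf [default]
C:\Program Files\Splunk\etc\system\default\inputs.conf index = default
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [tcp://10.0.0.81, 10.0.0.82, 172.16.1.18:9997]
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf connection_host = dns
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [tcp://10.0.0.90:9998]
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [udp://514]
"""

# Paths may contain spaces ("Program Files"), so split after the .conf suffix.
LINE_RE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<text>\S.*)$")
# Network stanza: [tcp://<host>:<port>] or [tcp://<port>] (host is optional).
NET_RE = re.compile(r"^\[(?:tcp|udp)://(?:(?P<host>.*):)?(?P<port>[^:\]]*)\]$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def host_ok(host):
    """True when host is a single IP address or a plain hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def find_malformed(btool_output):
    """Return (conf_path, stanza) for network inputs with a bad host or port."""
    bad = []
    for raw in btool_output.splitlines():
        m = LINE_RE.match(raw.strip())
        net = NET_RE.match(m["text"]) if m else None
        if not net:
            continue  # blank line, setting line, or non-network stanza
        host, port = net["host"], net["port"]
        port_ok = port.isdigit() and 0 < int(port) < 65536
        if not port_ok or (host is not None and not host_ok(host)):
            bad.append((m["path"], m["text"]))
    return bad


if __name__ == "__main__":
    for path, stanza in find_malformed(SAMPLE):
        print(f"{stanza}\n  defined in {path}")
```

To use it on a real system, redirect the btool output to a file and pass the file's contents to `find_malformed`.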