Splunk Enterprise

unable to delete data source

yschiff
New Member

I am getting an error when trying to delete a data source: "Error occurred attempting to remove 10.0.0.81, 10.0.0.82, 172.16.1.18:9997: In handler 'raw': Malformed IP address: 10.0.0.81, 10.0.0.82, 172.16.1.18:9997."

I have seen other posts about this same issue and tried to follow the suggestions of deleting the corrupt entry in the inputs.conf file; however, I'm unable to locate the correct file. I have Splunk Light installed on a Win 10 x64 box and I'm looking through the C:\Program Files\Splunk\etc\system\default folder. The inputs.conf file found in that folder doesn't contain anything related to the data source I want to delete. I searched the entire Splunk folder for "9997" and nothing came back. Is there somewhere else I should be looking?


renjith_nair
Legend

If you want to stop indexing data from a source, remove it from inputs.conf, but it does not delete data which is already indexed.

inputs.conf can be located in etc/system/default OR /etc/system/local in the main installation, or under apps if you have installed one.

---
What goes around comes around. If it helps, hit it with Karma 🙂

yschiff
New Member

The inputs.conf files in both the /default and /local folders do not contain information about the data source I created.

jchampagne_splu
Splunk Employee

Please run this command to get the running config:
./bin/splunk btool inputs list --debug
You can then search the output for the bad stanza. By adding --debug to the end of the command, Splunk will print the path to the config file that the line came from.


yschiff
New Member

This is what I got:
C:\Program Files\Splunk\bin>btool inputs list --debug
SPLUNK_HOME must be set. Stopping.


jchampagne_splu
Splunk Employee

Ok, you'll need to create a Windows environmental variable for $SPLUNK_HOME. Please set the SPLUNK_HOME variable to C:\Program Files\Splunk


yschiff
New Member

I think I've done that but still get the same error message. How can I double check that the variable is set properly?

jchampagne_splu
Splunk Employee

From the command prompt, type "set"; you should see the environmental variable listed.
If you don't see it, follow these instructions to create one: https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysdm_advancd_enviro...

yschiff
New Member

Thank you! That did it. After setting the environmental variable I was able to run the btool utility to see which config file contained the malformed settings. I then deleted the malformed stanza and that removed it from my data inputs. FYI, I found the inputs.conf file in C:\Program Files\Splunk\etc\apps\search\local

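The lookup done by eye in this thread, as an added example (not code from the thread or from Splunk): a Python script that scans `btool inputs list --debug` output for network input stanzas with a malformed host:port and reports the file each one came from. The sample output is constructed; the "path, whitespace, setting" line layout, the `tcp://` stanza type and the simplified IPv4/hostname validation are assumptions, not Splunk's own checks.

```python
import re

# Assumed layout of each `splunk btool inputs list --debug` line:
# "<path to .conf file><whitespace><config line>"; the path may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<body>\S.*)$")
# Network input stanzas such as [tcp://<host>:<port>] or [udp://<port>].
STANZA_RE = re.compile(r"^\[(?:tcp|udp|splunktcp)://(?P<target>.*)\]$")
# Simplified host check (IPv4 or hostname); not Splunk's own validation.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def target_problem(target):
    """Return why a <host>:<port> target is malformed, or None if it looks fine."""
    host, _, port = target.rpartition(":")
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        return f"bad port {port!r}"
    if host and not HOST_RE.match(host):
        return f"bad host {host!r}"
    return None

def find_malformed(btool_output):
    """Return (conf_path, stanza, reason) for every malformed network stanza."""
    findings = []
    for raw in btool_output.splitlines():
        line = LINE_RE.match(raw.strip())
        stanza = line and STANZA_RE.match(line.group("body").strip())
        if not stanza:
            continue
        reason = target_problem(stanza.group("target"))
        if reason:
            findings.append((line.group("path"), stanza.group(0), reason))
    return findings

# Constructed sample output; only the error text and the final file location
# come from the thread, the stanza type (tcp://) is an assumption.
SAMPLE = r"""
C:\Program Files\Splunk\etc\system\default\inputs.conf     [default]
C:\Program Files\Splunk\etc\system\default\inputs.conf     host = $decideOnStartup
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf  [tcp://10.0.0.81, 10.0.0.82, 172.16.1.18:9997]
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf  connection_host = ip
C:\Program Files\Splunk\etc\system\local\inputs.conf       [udp://514]
"""

if __name__ == "__main__":
    for path, stanza, reason in find_malformed(SAMPLE):
        print(f"{path}\n  {stanza}\n  -> {reason}")
```

To use it on a real system, save the btool output to a file and pass its contents to `find_malformed` in place of `SAMPLE`.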

jchampagne_splu
Splunk Employee

That's great to hear. As renjith.nair mentioned below, this will only stop new data from coming in. If you want to delete the old data, you can run a search to pull back the old data and then add | delete to the end of the search.

A couple of things to note about the delete command: by default you won't have the capability to run the command; you'll need to add this to your role under settings > access controls.

The delete command also doesn't actually delete the data on disk; it just marks it as deleted so Splunk won't include the data in your results. It won't actually get deleted until the underlying bucket rolls off.

http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Delete


yschiff
New Member

Thanks for that tip. I don't need to delete anything because the data source was never actually working, hence why I wanted to remove it.
