Solved: Re: How do you remove remote data with configure f...

aojie654 · ‎04-02-2019

Hi, Splunkers:

Recently, I've migrated my indexer to search head, but I'm not very familiar with configure files. The question is, there are 4 remote inputs in Splunk web, and when I tried to remove them with role of admin, it showed me the following message:

I've used btool to debug the configure file, but it looks like there is no such inputs that I can find and then fix them.

Any idea for this?

skoelpin · ‎04-02-2019

Why do you have conf files in /var/log? All the conf files should be under $SPLUNK_HOME/etc/apps... OR $SPLUNK_HOME/etc/system/... Perhaps you're referring to log files sitting on remote hosts that get picked up by the forwarder? If so, these aren't conf files, and you can easily ssh into the box and remove those log files if you wish

View solution in original post

skoelpin · ‎04-02-2019

Why do you have conf files in /var/log? All the conf files should be under $SPLUNK_HOME/etc/apps... OR $SPLUNK_HOME/etc/system/... Perhaps you're referring to log files sitting on remote hosts that get picked up by the forwarder? If so, these aren't conf files, and you can easily ssh into the box and remove those log files if you wish

aojie654 · ‎04-02-2019

I had tried to configure these remote inputs to another index in splunk web but it looks like no use.

aojie654 · ‎04-02-2019

Hi, skoelpin:

I means that I had configured to collect log files via splunk web but it was in the incorrect index so I want to remove these remote inputs but I can't. So I want to remove these in configure files. ^_^

How do you remove remote data with configure file?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...