Hi. I'm running a single splunk6 indexer.
It is being fed by approx 20 linux and windows UniversalForwarders.
One of the forwarding machines is named: display1.jdc.op
I'm seeing references to a machine named: display1
I want to start clean, and remove ALL references, in ALL indexes, to any-and-all data from both display1 and display1.jdc.op
Is this easily done?
thanks!
Yes and no.
You can delete all references to those hosts in the indexes with the delete command, see the doc and read the doc - it's easy, but irreversable.
You cannot, however, delete data from meta data, so meta data searches will still contain references to those host names.
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/RemovedatafromSplunk
See this post if you need help with reindexing the data.