Splunk Search

Purging Extra Source Types & related data?

kholleran
Communicator

Hello,

I have a couple of issues. First off, my Splunk server blue screened (yay for Windows!) and now I have a source & sourcetype called recovery-padding-1, recovery-padding-2, recovery-padding-3, recovery-padding-4, & recovery-padding-5.

Also, for some odd reason, I have two sets of sources for my Windows Event logs:

WinEventLog:Security & wineventlog:security
WinEventLog:System & wineventlog:system

All new data is being written to the capitalized ones; for some reason the others showed up one day, have a few hundred thousand events, and when searching it does not matter (everything shows as WinEventLog:Security regardless of whether I search for WinEventLog:Security or wineventlog:security).

However, all these extra sources & sourcetypes are very annoying on the search summary screen.

Also, I have a host with 3 events because my transform, which modifies the host field, didn't work right.

Is there any way to rid myself of all this extra stuff???

Thanks

Kevin


jrodman
Splunk Employee

The padding entries exist as placeholders for what are essentially missing information problems that can occur with hard crashes.

The padding entries should not show up in the search summary screen. This was a problem that I believe was fixed in a relatively recent release. Are you running 4.1.3 or earlier?

You can hide arbitrary events (such as your mishandled transform events) with the | delete command (USE WITH CARE!): http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Delete

If you hide all the events with the accidental host, it will vanish from the summary at a later point when the global metadata is rebuilt.


kholleran
Communicator

I am running 4.1.3. I will look into running an upgrade.

thanks!


bwooden
Splunk Employee

If you have a search that is returning ONLY data you wish to never see again, you may mark it as deleted by piping it to the delete command in the Search app.

By default, no user has this capability, so it will have to be added via Access Controls in the Manager (under Roles). Be very careful when using the delete command, and it is a good idea to remove the capability as soon as you are finished with it.
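As an added illustration, not from either answer above: the review-then-delete sequence spelled out in SPL for the mis-tagged host. The index, host name and time range are placeholders; the second search is identical to the first except for its final pipe, so it cannot match anything you did not inspect.

```spl
index=main host="BADHOST_PLACEHOLDER" earliest=-30d@d latest=now
| stats count by index host source sourcetype

index=main host="BADHOST_PLACEHOLDER" earliest=-30d@d latest=now
| delete
```

Run the first search and confirm that every row, and the total count, is data you never want back before running the second. Marking events deleted only hides them from search results; it does not reclaim disk space, and the host disappears from the summary only once the metadata is rebuilt, as noted above.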
