
Purging Extra Source Types & related data?

kholleran
Communicator

Hello,

I have a couple issues. First off, my Splunk server blue screened (yay for Windows!) and now I have a source & sourcetype called recovery-padding-1, recovery-padding-2, recovery-padding-3, recovery-padding-4, & recovery-padding-5.

Also, for some odd reason, I have two sets of sources for my Windows Event logs,

WinEventLog:Security & wineventlog:security
WinEventLog:System & wineventlog:system

All new data is being written to the capitalized ones; for some reason the others showed up one day, have a few hundred thousand events, and when searching it does not matter (everything shows as WinEventLog:Security regardless of whether I search for WinEventLog:Security or wineventlog:security).

However, all these extra sources & sourcetypes are very annoying on the search summary screen.

Also, I have a host with 3 events because my transform that modifies the host field didn't work right.

Is there any way to rid myself of all this extra stuff?

Thanks

Kevin


jrodman
Splunk Employee

The padding entries exist as placeholders for what are essentially missing information problems that can occur with hard crashes.

The padding entries should not show up in the search summary screen. This was a problem that I believe was fixed in a relatively recent release. Are you running 4.1.3 or earlier?

You can hide arbitrary events (such as your mishandled transform events) with the |delete command (USE WITH CARE!) http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Delete

If you hide all the events with the accidental host, it will vanish from the summary at a later point when the global metadata is rebuilt.



kholleran
Communicator

I am running 4.1.3. I will look into running an upgrade.

thanks!


bwooden
Splunk Employee

If you have a search that is returning ONLY data you wish to never see again, you may mark it as deleted by piping it to the delete command in the Search app.

By default, no user has this capability so it will have to be added via Access Controls in the Manager (under Roles). Be very careful when using the delete command and it is a good idea to remove the capability as soon as you are finished with it.
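The two answers above describe one procedure: run the search without `| delete` and confirm it returns only data you never want to see again, grant the delete capability to your role, run the same search with `| delete` appended, then remove the capability. The script below is an added example written for this thread (it is not code from either answer or from Splunk) that puts guard rails around that procedure: it refuses to build a delete search that is not scoped to an explicit index plus a non-wildcard sourcetype, source or host, generates the preview and per-value summary searches to run first, and only returns the `| delete` search alongside them. The index name `main`, the host `badhost-001`, the REST base URL, the credentials, and the choice of Basic authentication for the `/services/search/jobs` endpoint are assumptions for illustration; the Splunk REST call is only made when you set the environment variables, so the checks run offline.

```python
"""Guarded `| delete` workflow for Splunk (added example, not from the thread).

Steps, as the answers describe them:
  1. run the base search WITHOUT `| delete`, look at what it returns
  2. grant the delete capability to your role (Manager > Access Controls)
  3. run the same base search WITH `| delete`
  4. remove the capability again
"""
import base64
import json
import os
import re
import shlex
import urllib.parse
import urllib.request

# `index=` is mandatory; at least one of these must also be present and
# non-wildcard, so that something like `index=main | delete` is never built.
SCOPING_FIELDS = ("sourcetype", "source", "host")
_TERM = re.compile(r"^([A-Za-z_][A-Za-z0-9_:]*)=(.+)$")


class UnsafeDelete(ValueError):
    """Raised when a base search is too broad to be deleted safely."""


def parse_terms(search):
    """Return {field: value} for the key=value terms of a plain base search.
    shlex handles quoted values; bare keywords are ignored."""
    terms = {}
    for tok in shlex.split(search):
        m = _TERM.match(tok)
        if m:
            terms[m.group(1).lower()] = m.group(2)
    return terms


def build_delete_plan(base_search):
    """Validate `base_search` and return (preview, summary, delete) SPL strings.
    The caller runs preview and summary first, and delete only after checking."""
    if "|" in base_search:
        raise UnsafeDelete("base search must be a plain filter with no pipes")
    terms = parse_terms(base_search)
    if "index" not in terms or "*" in terms["index"]:
        raise UnsafeDelete("an explicit, non-wildcard index= is required")
    if not [f for f in SCOPING_FIELDS if f in terms and "*" not in terms[f]]:
        raise UnsafeDelete("need a non-wildcard sourcetype=, source= or host=")
    preview = f"{base_search} | head 20"
    summary = f"{base_search} | stats count by index, sourcetype, source, host"
    delete = f"{base_search} | delete"
    return preview, summary, delete


def only_expected_values(summary_rows, expected):
    """Step 1 check: every summary row must carry exactly the values in
    `expected` (e.g. {'host': 'badhost-001'}); an empty result also fails."""
    return bool(summary_rows) and all(
        all(row.get(k) == v for k, v in expected.items()) for row in summary_rows
    )


def run_oneshot(base_url, user, password, spl, timeout=120):
    """Run `spl` as a one-shot search via the REST API and return result rows.
    Assumed: management port URL such as https://splunk:8089, Basic auth."""
    body = urllib.parse.urlencode(
        {"search": "search " + spl, "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/services/search/jobs", data=body,
        headers={"Authorization": f"Basic {auth}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("results", [])


if __name__ == "__main__":
    # Constructed example: the three mis-hosted events from the question.
    base = "index=main host=badhost-001"
    preview, summary, delete = build_delete_plan(base)
    print("step 1 preview:", preview)
    print("step 1 summary:", summary)
    print("step 3 delete :", delete)
    if os.environ.get("SPLUNK_URL"):  # only touch a real server when asked
        url, user, pw = (os.environ[k] for k in ("SPLUNK_URL", "SPLUNK_USER", "SPLUNK_PASS"))
        rows = run_oneshot(url, user, pw, summary)
        if only_expected_values(rows, {"host": "badhost-001"}):
            print(run_oneshot(url, user, pw, delete))
        else:
            print("refusing to delete; summary has unexpected values:", rows)
```

Two practical notes. The summary search is the real safety check: if `stats count by index, sourcetype, source, host` shows any row you did not expect, stop and narrow the base search rather than deleting. And, as the answer above says, `delete` only marks events as deleted so they never return in search results; the deleted host or sourcetype drops out of the summary screen later, when the metadata is rebuilt.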
