Purging Extra Source Types & related data?

Communicator

Hello,

I have a couple issues. First off, my Splunk server blue screened (yay for Windows!) and now I have a source & sourcetype called recovery-padding-1, recovery-padding-2, recovery-padding-3, recovery-padding-4, & recovery-padding-5.

Also, for some odd reason, I have two sets of sources for my Windows Event logs,

WinEventLog:Security & wineventlog:security
WinEventLog:System & wineventlog:system

All new data is being written to the capitalized ones; for some reason the others showed up one day, have a few hundred thousand events, and when searching it does not matter (everything shows as WinEventLog:Security regardless of whether I search for WinEventLog:Security or wineventlog:security).

However, all these extra sources & sourcetypes are very annoying on the search summary screen.

Also, I have a host with 3 events because my transform which modifies the host field didn't work right.

Is there any way to rid myself of all this extra stuff???

Thanks

Kevin


Splunk Employee

The padding entries exist as placeholders for what are essentially missing information problems that can occur with hard crashes.

The padding entries should not show up in the search summary screen. This was a problem that I believe was fixed in a relatively recent release. Are you running 4.1.3 or earlier?

You can hide arbitrary events (such as your mishandled transform events) with the | delete command (USE WITH CARE!): http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Delete

If you hide all the events with the accidental host, it will vanish from the summary at a later point when the global metadata is rebuilt.

Communicator

I am running 4.1.3. I will look into running an upgrade.

thanks!

Splunk Employee

If you have a search that is returning ONLY data you wish to never see again, you may mark it as deleted by piping it to the delete command in the Search app.

By default, no user has this capability so it will have to be added via Access Controls in the Manager (under Roles). Be very careful when using the delete command and it is a good idea to remove the capability as soon as you are finished with it.
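As an added illustration (not from either reply, and not taken from Splunk's documentation), here is the verify-then-delete sequence both answers describe, written as three separate SPL searches for the accidental host from the question. The index name, host value and time window are placeholders; the role running the second search needs Splunk's can_delete capability, which the reply above says to grant only for as long as the cleanup takes.

```spl
index=main host="badhost-from-transform" earliest=-30d latest=now
| stats count by index, host, source, sourcetype

index=main host="badhost-from-transform" earliest=-30d latest=now
| delete

| metadata type=hosts index=main
| search host="badhost-from-transform"
```

Run the searches one at a time. The first is the check: its output must list only the host, sources and sourcetypes you intend to lose, since delete applies to every event the search returns. Only then re-run the identical search with `| delete` appended. Deleted events stop being returned by searches but the disk space is not reclaimed, and the summary screen is fed from metadata that is rebuilt later, which is why the host can linger for a while, as the accepted answer notes. The third search queries that metadata directly so you can confirm when the host has actually disappeared.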