- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Remove hostname from the metadata.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After initial installation of the forwarder when the Splunk service is started the forwarder reports by Ip Address.After we configure the hostn name to FQDN it starts reporting by FQDN.However in the metadata shows there are two hosts one by IP and the other by FQDN. How do I delete the IP from the metadata or the Summary Index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Removing anything from your metadata rather complicated. To do it correctly you have to re-index your data. Which, like it sounds, is a lot of work.
If your real issue issue with summary indexing, you can always just delete the old events. Then you can modify your saved searches to add a replace command to re-map your ip to the desired hostnames. For example: | replace 172.16.1.1 with server1.example.com 172.16.1.2 with server2.example.com ... in host, and then re-run your summary index searches with the fill_summary_index.py script.
Another variation would be to use the lookup feature rather than replace command, which would make sense if you had a large number of hosts. There's a small gotcha with this approach, see this post for a work around.
Also, make sure you read up on the delete search command before you try this. See Remove indexed data from Splunk in the online docs.
Another really simple way to deal with this is to simply tag your host values. Then you can search with tag::host=tagname.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Removing anything from your metadata rather complicated. To do it correctly you have to re-index your data. Which, like it sounds, is a lot of work.
If your real issue issue with summary indexing, you can always just delete the old events. Then you can modify your saved searches to add a replace command to re-map your ip to the desired hostnames. For example: | replace 172.16.1.1 with server1.example.com 172.16.1.2 with server2.example.com ... in host, and then re-run your summary index searches with the fill_summary_index.py script.
Another variation would be to use the lookup feature rather than replace command, which would make sense if you had a large number of hosts. There's a small gotcha with this approach, see this post for a work around.
Also, make sure you read up on the delete search command before you try this. See Remove indexed data from Splunk in the online docs.
Another really simple way to deal with this is to simply tag your host values. Then you can search with tag::host=tagname.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
