I put the universal forwarder on my computer to test splunk. Now that we have it up and running, I want to remove all data that came from my computer. Is there a way to remove data from splunk, based on host? I don't want to just hide the data by using "| delete" I want to completely remove the data.
You can completely remove the data by cleaning an index as you see in the link below. This is not something you can do by host however. The delete command will allow you to remove data by host and make in unaccessible from the UI. The indexed data still resides and takes up space on disk however until it is aged out.
remove source and source types 2 Answers