Currently in the Search App, the Summary page contains the lists of all my sources, sourcetypes, and hosts.
However, there are a few specific sources, sourcetypes, and hosts that I'd like to filter out (i.e. blacklist) and make sure they are not displayed on that page.
Wondering how one might go about accomplishing that goal. Anyone done it before or have any ideas?
You can do this by modifying the dashboard view of the search app. To do so you need to copy the dashboard.xml located at $SPLUNK_HOME/etc/apps/search/default/data/ui/views to $SPLUNK_HOME/etc/apps/search/local/data/ui/views. (You'll probably need to create parts of the directory structure.) Then edit the dashboard.xml in .../local/data/ui/views and replace every occurrence of
| metadata type=hosts
with
| metadata type=hosts | search NOT host=host1 NOT host=host2 ...
Do the same for | metadata type=sourcetypes for the sourcetypes and | metadata type=sources for sources you want to exclude.
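The copy-and-edit procedure from the answer above, as an added shell example that is not part of the original thread. `hide_from_summary` is a hypothetical helper, not a Splunk tool, and it assumes the values to hide are plain names (letters, digits, `.`, `_`, `-`).

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with Splunk).
# Usage: hide_from_summary SPLUNK_HOME KIND VALUE...
#   KIND is hosts, sources or sourcetypes; each VALUE is a name to hide.
hide_from_summary() {
    home=$1; kind=$2; shift 2
    # The metadata command reports each kind under a singular field name.
    case $kind in
        hosts)       field=host ;;
        sources)     field=source ;;
        sourcetypes) field=sourcetype ;;
        *) echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    views=data/ui/views
    default="$home/etc/apps/search/default/$views/dashboard.xml"
    local_dir="$home/etc/apps/search/local/$views"
    [ -f "$default" ] || { echo "missing $default" >&2; return 1; }

    # Build the "NOT field=value" chain. Only plain names are accepted, so
    # nothing needs escaping for sed, XML or the search language.
    filter=
    for v in "$@"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "unsupported value: $v" >&2; return 2 ;;
        esac
        filter="$filter NOT $field=$v"
    done
    [ -n "$filter" ] || return 0

    # Never edit default/: work on a copy in local/, created on first use.
    mkdir -p "$local_dir" || return 1
    [ -f "$local_dir/dashboard.xml" ] ||
        cp "$default" "$local_dir/dashboard.xml" || return 1

    # Append the filter to every occurrence of the metadata search.
    # Running this twice for the same kind appends a second "| search" clause.
    tmp="$local_dir/dashboard.xml.tmp"
    sed "s/| metadata type=$kind/& | search$filter/g" \
        "$local_dir/dashboard.xml" > "$tmp" && mv "$tmp" "$local_dir/dashboard.xml"
}
```

For example, `hide_from_summary "$SPLUNK_HOME" sources ZIP_CODES.txt rss_toptweets` leaves the file under default/ untouched and rewrites only the copy under local/.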
I have too much other data already indexed in alternate indexes than the default. I've already deleted all the event data from those particular sources, but I just want to delete the sources, sourcetypes, and hosts from being listed.
I want something like this:
metadata type=source source=ZIP_CODES.txt | delete
If all you want to do is delete old test sources, you may want to just clean out the entire index completely, then start over again and only index the sources you want.
See this page for details:
That looks like a good solution; how would I eliminate the actual names in the metadata? For instance, I have rss_toptweets as a source for an app that I tried out and deleted.
Also, I have ZIP_CODES.txt which I mistakenly indexed instead of making a lookup.
WOW! That was the fastest answer I've ever seen posted ever! Voted up!