Remove Hosts w/ Zero Events

mkinner · ‎05-03-2010

I recently upgraded to 4.1.2 from 3.4.x. I needed to remove several hosts from our index, so I followed the instructions at http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk. It worked fine, except that now I have several hosts listed on the dashboard with zero events. I also have a saved search that alerts on failed forwarders, and the zero event hosts are triggering this. How can I remove them completely? With version 3.4.x I didn't encounter this problem when using oldsearch to remove events.

Simeon · ‎05-04-2010

They are likely stuck in old metadata, where the bucket needs to be optimized. I suggest you first try to alter your search to workaround the problem. Secondly, when your deleted data gets frozen/deleted, this problem will go away.

The reason why you are probably seeing this, is that the metadata still exists for that host. It's possible it is a bug, but there are ways to check why this is occurring. You may want to run the following search to see if it is a metadata problem:

| metadata type=hosts host=<your_host_with_zero_events>

If your host shows up in the results with a totalCount that is incorrect, then there might be a problem. You should probably log a support case at that point.

BunnyHop · ‎05-04-2010

Mine just went away over time.

Remove Hosts w/ Zero Events

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life