Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Remove Hosts w/ Zero Events

mkinner
Explorer
‎05-03-2010 10:38 PM

I recently upgraded to 4.1.2 from 3.4.x. I needed to remove several hosts from our index, so I followed the instructions at http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk. It worked fine, except that now I have several hosts listed on the dashboard with zero events. I also have a saved search that alerts on failed forwarders, and the zero event hosts are triggering this. How can I remove them completely? With version 3.4.x I didn't encounter this problem when using oldsearch to remove events.

Tags (1)
Reply

Simeon
Splunk Employee
Splunk Employee
‎05-04-2010 03:35 PM

They are likely stuck in old metadata, where the bucket needs to be optimized. I suggest you first try to alter your search to workaround the problem. Secondly, when your deleted data gets frozen/deleted, this problem will go away.

The reason why you are probably seeing this, is that the metadata still exists for that host. It's possible it is a bug, but there are ways to check why this is occurring. You may want to run the following search to see if it is a metadata problem:

| metadata type=hosts host=<your_host_with_zero_events>

If your host shows up in the results with a totalCount that is incorrect, then there might be a problem. You should probably log a support case at that point.

Reply

BunnyHop
Contributor
‎05-04-2010 02:15 AM

Mine just went away over time.

0 Karma
Reply
Related Topics
Remove Zero Event Host
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...