I have a list of computers running splunkweb, and I am trying to remove results that are logging to the _internal index, which would indicate the servers are part of our main infrastructure.
How can I filter out hosts that have reported events to the _internal index?
Hi omgwut56k,
if I understand you correctly, you want to stop or reconfigure some search heads and have them stop forwarding their _internal index - right?
There are a few things you should keep in mind though:
_internal, since it makes troubleshooting much more complicated.
_internal does not count against the license and has a default retention of 30 days.
But back to your question; this is pretty easy. Log in to any search head that has all your indexers as search peers and run:
index=_internal | stats count by host
This will give you a table of all Splunk servers sending their _internal events to the indexers.
Hope that helps ...
cheers, MuS
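The filter the question actually asks for, as an added SPL example that is not part of MuS's answer: it keeps only hosts that appear in the splunkweb host list but have sent nothing to _internal in the search time range. The inventory source is an assumption; replace `index=main sourcetype="splunkweb_inventory"` with wherever your splunkweb host list really lives, and make sure the `host` field uses the same hostname form in both sources.

```spl
(index=_internal) OR (index=main sourcetype="splunkweb_inventory")
| stats count(eval(index="_internal")) AS internal_events
        count(eval(index!="_internal")) AS inventory_events
        BY host
| where inventory_events>0 AND internal_events=0
| table host inventory_events
```

Counting both sources in one `stats` avoids the subsearch result and time limits that `NOT [search index=_internal | stats count by host | fields host]` runs into on larger deployments; hosts with `internal_events>0` are the ones MuS's search lists and are dropped here.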
Do you perhaps mean main instead of _index?
I do not understand; all Splunk servers should log to _index. That is kind of the entire point.