How to filter out specific sources, sourcetypes, and hosts from displaying on my Search Summary page.

maverick
Splunk Employee

Currently in the Search App, the Summary page contains the lists of all my sources, sourcetypes, and hosts.

However, there are a few specific sources, sourcetypes, and hosts that I'd like to filter out (i.e. blacklist) and make sure they are not displayed on that page.

Wondering how one might go about accomplishing that goal. Anyone done it before or have any ideas?

1 Solution

ziegfried
Influencer

You can do this by modifying the dashboard view of the search app. To do so you need to copy the dashboard.xml located at $SPLUNK_HOME/etc/apps/search/default/data/ui/views to $SPLUNK_HOME/etc/apps/search/local/data/ui/views. (You'll probably need to create parts of the directory structure). Then edit the dashboard.xml in .../local/data/ui/views and replace every occurrence of | metadata type=hosts with | metadata type=hosts | search NOT host=host1 NOT host=host2...

Do the same for | metadata type=sourcetypes for the sourcetypes and | metadata type=sources for sources you want to exclude.
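
The copy-and-edit procedure from the answer above, as an added example that is not part of the original post and is not Splunk's own code. The sample view XML and the temporary $SPLUNK_HOME are constructed, and quoting plus XML-escaping the excluded values is an assumption added on top of the literal replacement the answer describes.

```python
# Added example: sample XML and the temp $SPLUNK_HOME are constructed, not Splunk's shipped view.
import re
import tempfile
from pathlib import Path
from xml.sax.saxutils import escape

# metadata type -> field name used in the appended filter
FIELD = {"hosts": "host", "sourcetypes": "sourcetype", "sources": "source"}
VIEWS = "etc/apps/search/{layer}/data/ui/views/dashboard.xml"

def add_exclusions(xml_text, exclude):
    """Append '| search NOT field="value" ...' after each '| metadata type=X'."""
    for mtype, values in exclude.items():
        if not values:
            continue
        terms = " ".join(f'NOT {FIELD[mtype]}="{v}"' for v in values)
        # Escape &, <, > and quotes so the clause is valid in element text or attributes.
        clause = escape(f" | search {terms}", {'"': "&quot;"})
        pattern = re.compile(r"\|\s*metadata\s+type=" + re.escape(mtype) + r"\b")
        xml_text = pattern.sub(lambda m: m.group(0) + clause, xml_text)
    return xml_text

def write_local_override(splunk_home, exclude):
    """Write a filtered copy of default/dashboard.xml to local/; default/ is untouched."""
    default = Path(splunk_home) / VIEWS.format(layer="default")
    local = Path(splunk_home) / VIEWS.format(layer="local")
    local.parent.mkdir(parents=True, exist_ok=True)  # local/data/ui/views may not exist yet
    local.write_text(add_exclusions(default.read_text(), exclude))
    return local

def demo():
    """Run the procedure against a constructed $SPLUNK_HOME in a temp directory."""
    sample = ('<view>\n'
              '  <param name="search">| metadata type=hosts | sort - totalCount</param>\n'
              '  <param name="search">| metadata type=sources | sort - totalCount</param>\n'
              '</view>\n')
    with tempfile.TemporaryDirectory() as home:
        default = Path(home) / VIEWS.format(layer="default")
        default.parent.mkdir(parents=True)
        default.write_text(sample)
        local = write_local_override(home, {"hosts": ["host1", "host2"],
                                            "sources": ["ZIP_CODES.txt", "rss_toptweets"]})
        return local.read_text(), default.read_text() == sample

if __name__ == "__main__":
    print(demo()[0])
```

The appended filter only hides entries from the Summary page at search time; the metadata and any indexed events stay in the index.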

gbolcer
Explorer

I have too much other data already indexed in alternate indexes than the default. I've already deleted all the event data from those particular sources, but I just want to delete the sources, sourcetypes, and hosts from being listed.

I want something like this:

metadata type=source source=ZIP_CODES.txt | delete

maverick
Splunk Employee

If all you want to do is delete old test sources, you may want to just clean out the entire index completely, then start over again and only index the sources you want.

See this page for details:

http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk#Delete_data_from_future_s...

gbolcer
Explorer

That looks like a good solution; how would I eliminate the actual names in the metadata? For instance, I have rss_toptweets as a source for an app that I tried out and deleted.

Also, I have ZIP_CODES.txt which I mistakenly indexed instead of making a lookup.

maverick
Splunk Employee

WOW! That was the fastest answer I've ever seen posted ever! Voted up!
