Deployment Architecture

Universal Forwarder: How to eliminate false hosts coming from /var/log/sa?

bdegoy
New Member

Hello,

I am new to Splunk and I fall into every trap.

I have configured UF on a Linux server to monitor /var/log/sa.
The problem is that it has created more than 1,500 Hosts in Summary -> Hosts. This is coming from binary files in /var/log/sa. I believed Splunk did not index binaries?

I have blacklisted undesirable files in the UF inputs.conf:

[monitor:///var/log]
disabled=false
sourcetype=syslog
host=xxx.ovh.net
blacklist = (sa|bandwidth|dcpumon|\*.gz$)

Now I want to clean my Hosts list and (if possible) the data. How to do that?

Since I am still under a learning and trial phase, I could reset all Splunk data, but how to do that without losing all my configuration?

Thanks for help

0 Karma
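A dry run of the blacklist in that stanza, added here as an example; it is not part of bdegoy's post and not Splunk's own tooling. Splunk applies the blacklist regex to the full path of every file the monitor stanza walks, so the script below does the same with grep -E as a stand-in for Splunk's PCRE matching (both patterns are valid in either engine). The sample paths are constructed, and the tightened regex is a suggestion, not something the thread settled on: it shows that the unanchored `sa` also drops /var/log/messages, and that `\*.gz$` (literal asterisk) does not exclude rotated .gz files at all.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run a UF monitor blacklist against
# sample paths. grep -E stands in for Splunk's PCRE matching of the regex
# against the full file path; the two patterns below are valid in both.

# Constructed sample of files a [monitor:///var/log] stanza would walk.
sample_paths() {
  cat <<'EOF'
/var/log/sa/sa01
/var/log/sa/sar01
/var/log/messages
/var/log/secure
/var/log/bandwidth/bw.log
/var/log/dcpumon/cpu.log
/var/log/maillog.1.gz
/var/log/auth.log
EOF
}

# The regex as posted in the thread. Unanchored "sa" also matches
# /var/log/messages, and "\*.gz$" needs a literal '*' in the path, so
# rotated .gz files are not excluded.
LOOSE_BLACKLIST='(sa|bandwidth|dcpumon|\*.gz$)'

# Suggested tightening (an assumption, not from the thread): anchor the
# directory names under /var/log/ and escape the dot in ".gz".
STRICT_BLACKLIST='^/var/log/(sa|bandwidth|dcpumon)/|\.gz$'

# path_kept REGEX PATH: exit 0 if PATH survives the blacklist (would still be
# monitored), 1 if the blacklist drops it.
path_kept() {
  if printf '%s\n' "$2" | grep -E -q -- "$1"; then
    return 1
  fi
  return 0
}

# list_kept REGEX: print the sample paths that survive the blacklist.
list_kept() {
  sample_paths | grep -E -v -- "$1"
}

# Side-by-side report of what each regex leaves monitored.
report() {
  echo "== blacklist = $1"
  echo "   still monitored:"
  list_kept "$1" | sed 's/^/     /'
}

report "$LOOSE_BLACKLIST"
report "$STRICT_BLACKLIST"
```

Two things to keep in mind when reading the output: a blacklist only changes what the forwarder reads from now on, so events already indexed from /var/log/sa, and the hosts derived from them, stay until the data itself is removed, which is what the rest of the thread is about; and because the regex is matched against the whole path, any bare word in it should be checked against the other filenames under the monitored directory before it is deployed, or it will silently drop logs you wanted.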

bdegoy
New Member

Thanks for your help.
I think that the Indexes are OK now that I have sa blacklisted.
My problem is the 1500+ false Hosts in the Summary -> Hosts section.

0 Karma

dart
Splunk Employee

If you want to wipe all data, do a splunk clean eventdata on the indexer.

0 Karma

kristian_kolb
Ultra Champion

Go to the directory where the splunk binary (.exe) resides - if you haven't changed it, it should be in

c:\program files\splunk\bin

then type

splunk help clean

There you should find out what you need to know. If prompted for a username/password because the session is invalid, type them here. By default the username is 'admin' and the password is 'changeme', unless you changed it of course. More info to be had here:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/RemovedatafromSplunk

/kristian

0 Karma

bdegoy
New Member

In fact I am not sure I have done it properly. What do you mean exactly by "do a"? My indexer is on a local Windows box. Where should I enter this command?

0 Karma

bdegoy
New Member

Thank you. I have done it. But the 1500+ Hosts still remain!

0 Karma

bmacias84
Champion

I am not sure I understand your question: do you just want to clear your indexes, or do you want to delete the events?

0 Karma