What would be the best practice / standard operating procedure when data is imported wrongly into Splunk? I imported a web server's error logs into Splunk and did not select the correct date/time.
See this thread - https://answers.splunk.com/answers/771988/time-column-and-event-date-are-different.html
Now that the data has been imported, and I know it is wrong, should the data be removed? I am not even sure how to remove data from Splunk.
Or, rename the server error log, re-upload it, and search only on the new error log name?
This is a Windows 10 system using free Splunk.
If it is in an index all by itself, just delete the whole index. If not, then use the ... | delete command to hide it from searches (it will still be there because data in a Splunk index is immutable, but it will not show in any search results). The worst thing that you can do is to do nothing: do not leave junk in Splunk.
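A concrete version of the ... | delete route described in the answer above, added here as an example and not part of the original thread. The index name (web), sourcetype (web_error) and source pattern (*error.log) are assumptions; substitute whatever you chose when you uploaded the file. The first search scopes to exactly the mis-timestamped events and confirms the count and the (wrong) time range before anything is touched; the second is the same search piped to delete; the third verifies that nothing is returned afterwards.

```spl
index=web sourcetype=web_error source="*error.log"
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen

index=web sourcetype=web_error source="*error.log"
| delete

index=web sourcetype=web_error source="*error.log"
| stats count AS events_remaining
```

The delete command only runs for a user whose role has the delete_by_keyword capability (the built-in can_delete role); the admin role does not have it by default, so add can_delete to your user first and remove it again when done. It also refuses to run in a real-time search, and it reclaims no disk space: the events are marked so searches never return them, which is what the answer means by "still be there". If the bad upload is the only thing in its index, the on-disk route is to stop Splunk and run "splunk clean eventdata -index web" from the bin directory, which wipes that index's data. If you instead take the re-upload option from the question, give the new copy a distinct source name; the same source= filter then both targets the old copy for deletion and keeps it out of your searches in the meantime.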