How to remove sources to not show up on the summary page anymore

bshamsian
Path Finder

We are running Splunk version 5.0.1, build 143156.

We mistakenly indexed thousands of log files, with each file having a unique name. Now when you look at the list of sources, it's thousands long, and we would like to remove all the ones we added by mistake. I used the delete command, but that only removes the data that was loaded from these files and does not remove the file names from the list of sources. Is there any way to remove the source file names and stop them from displaying, since we do not care about them at all?

0 Karma

lguinn2
Legend

Sources that have a count of 0 should already be removed from the display. However, if you want, you can remove the entire Sources panel.

Find the view, which is named dashboard_live, in the Manager. Navigate to Manager » User interface » Views.

Before you edit anything, clone the view to make a backup copy, just in case you don't like your edits.

Click the view name to begin editing.

In the editor, look for these lines:

<!-- The first list of sources -->
  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="true">
    <param name="search">| metadata type=sources | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update" | table source Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>

Delete these lines and the following lines, up to and including the 3 closing </module> tags for this section. Check to be sure that the next lines in the view are

  <module name="StaticContentSample" group="All indexed data" layoutPanel="panel_row1_col1">
    <param name="text">This lists all of the data you have loaded into your default indexes. &lt;a href="/manager/search/adddata"&gt; Add more data&lt;/a&gt;.</param>
    <param name="groupLabel">All indexed data</param>
  </module>

Save your view. If you don't like the results, delete it, then clone your backup to the original name "dashboard_live".

0 Karma
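
The edit described in the answer above can also be made on an exported copy of the view XML with a short script. This is an added example, not part of the original answer or of Splunk's tooling: the sample view, the placeholder child modules, the hosts panel and the function names are constructed for illustration, and XML comments are not preserved by the parser used here.

```python
import xml.etree.ElementTree as ET

# Constructed sample view, NOT the real dashboard_live source. The nested
# PlaceholderChild modules stand in for whatever the real panel contains.
SAMPLE_VIEW = """<view>
  <module name="StaticContentSample" layoutPanel="panel_row1_col1">
    <param name="text">All indexed data</param>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="true">
    <param name="search">| metadata type=sources | search totalCount&gt;0 | table source</param>
    <module name="PlaceholderChildA">
      <module name="PlaceholderChildB"/>
    </module>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row2_col2" autoRun="true">
    <param name="search">| metadata type=hosts | search totalCount&gt;0 | table host</param>
  </module>
</view>"""


def is_sources_panel(module):
    """True for a HiddenSearch module whose search starts with the sources metadata query."""
    if module.get("name") != "HiddenSearch":
        return False
    for param in module.findall("param"):
        if param.get("name") == "search":
            # Normalise whitespace so line wrapping in the view does not matter.
            text = " ".join((param.text or "").split())
            return text.startswith("| metadata type=sources")
    return False


def remove_sources_panel(view_xml):
    """Return (edited_xml, removed_count); the input string is left untouched as the backup."""
    root = ET.fromstring(view_xml)
    removed = 0
    # Snapshot the tree first so removing children does not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "module" and is_sources_panel(child):
                parent.remove(child)  # drops the module and everything nested in it
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    edited, count = remove_sources_panel(SAMPLE_VIEW)
    print(f"removed {count} panel(s)")
    print(edited)
```
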

linu1988
Champion

That's Splunk for you. You can't delete the indexed data randomly. The above one is actually a pretty good workaround. The metadata can never be removed until and unless you clean the index.

0 Karma

juriggs
Path Finder

Why in the world would you want to remove the entire panel? I still want to see the sources I care about. It's unbelievable that you can't remove a source and its indexed data as simply as you can add a source.

0 Karma