Refine your search:

Remove hostname from the metadata.

2
1

After initial installation of the forwarder when the Splunk service is started the forwarder reports by Ip Address.After we configure the hostn name to FQDN it starts reporting by FQDN.However in the metadata shows there are two hosts one by IP and the other by FQDN. How do I delete the IP from the metadata or the Summary Index.

asked 30 Apr '10, 13:20

sanju005ind's gravatar image

sanju005ind
1596
accept rate: 75%

One Answer:
oldestnewestmost voted
1

Removing anything from your metadata rather complicated. To do it correctly you have to re-index your data. Which, like it sounds, is a lot of work.

If your real issue issue with summary indexing, you can always just delete the old events. Then you can modify your saved searches to add a replace command to re-map your ip to the desired hostnames. For example: | replace 172.16.1.1 with server1.example.com 172.16.1.2 with server2.example.com ... in host, and then re-run your summary index searches with the fill_summary_index.py script.

Another variation would be to use the lookup feature rather than replace command, which would make sense if you had a large number of hosts. There's a small gotcha with this approach, see this post for a work around.

Also, make sure you read up on the delete search command before you try this. See Remove indexed data from Splunk in the online docs.

Another really simple way to deal with this is to simply tag your host values. Then you can search with tag::host=tagname.

link

answered 30 Apr '10, 15:14

Lowell's gravatar image

Lowell ♦
9.6k635
accept rate: 40%

edited 30 Apr '10, 15:35

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×72

Asked: 30 Apr '10, 13:20

Seen: 994 times

Last updated: 30 Apr '10, 15:35

Related questions

metadata with splunk_server

metadata via REST API

Metadata filtered by eventtype

Can you use the metadata command over all indexes?

Question on metadata

Corrupt MetaData?

[closed] Metadata fields

SEDCMD and metadata values

metadata search in a macro doesnt seem to work

Copyright © 2005-2012 Splunk, Inc. All rights reserved.