Refine your search:

How to filter out specific sources, sourcetypes, and hosts from displaying on my Search Summary page.

6
2

Currently in the Search App, the Summary page contains the lists of all my sources, sourcetypes, and hosts.

However, their are a few specific sources, sourcetypes, and hosts that I'd like to filter out (i.e. blacklist) and make sure they are not displayed on that page.

Wondering how one might go about accomplishing that goal. Anyone done it before or have any ideas?

asked 14 Jul '10, 14:09

maverick's gravatar image

maverick ♦
2.6k6575
accept rate: 14%

4 Answers:
oldestnewestmost voted
5

You can do this by modifying the dashboard view of the search app. To do so you need to copy the dashboard.xml located at $SPLUNK_HOME/etc/apps/search/default/data/ui/views to $SPLUNK_HOME/etc/apps/search/local/data/ui/views. (You'll probably need to created parts of the directory structure). Then edit the dashboard.xml in .../local/data/ui/views and replace every occurrence of | metadata type=hosts with | metadata type=hosts | search NOT host=host1 NOT host=host2...

Do the same for | metadata type=sourcetypes for the sourcetypes and | metadata type=sources for sources you want to exclude.

link

answered 14 Jul '10, 14:27

ziegfried's gravatar image

ziegfried ♦
7.1k1315
accept rate: 53%

1

WOW! That was the faster answer I've ever seen posted ever! Voted up!

(14 Jul '10, 15:00) maverick ♦
1

That looks like a good solution; how would I eliminate the actual names in the metadata? For instance, I have rss_toptweets as a source for an app that I tried out and deleted.

Also, I have ZIP_CODES.txt which I mistakenly indexed instead of making a lookup.

link

answered 14 Jul '10, 18:47

gbolcer's gravatar image

gbolcer
462
accept rate: 25%

1

If all you want to do is delete old test sources, you may want to just clean out the entire index completely, then start over again and only index the sources you want.

See this page for details:

http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk#Delete_data_from_future_searches_with_the_.22delete.22_operator

link

answered 14 Jul '10, 19:51

maverick's gravatar image

maverick ♦
2.6k6575
accept rate: 14%

1

I have too much other data already indexed in alternate indexes than the default. I've already deleted all the event data from those particular sources, but I just want to delete the sources, sourcetypes, and hosts from being listed.

I want something like this:

metadata type=source source=ZIP_CODES.txt | delete

link

answered 16 Jul '10, 16:45

gbolcer's gravatar image

gbolcer
462
accept rate: 25%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×325
×207
×117
×95
×31

Asked: 14 Jul '10, 14:09

Seen: 1,141 times

Last updated: 16 Jul '10, 16:45

Related questions

How can I easily filter or limit my search down to a specific group of hosts?

Filter events with specific text

blacklist filter not working on fschange when recurse=true

Inputs are all enabled but Search dashboard is showing 0 sources and 0 sourcetypes

Fschange blacklist filter issues

Filter all dashboards in an APP

How to configure a forwarder to filter and send the specific events I want?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.