- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Universal Forwarder : How to eliminate false h...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Universal Forwarder : How to eliminate false hosts coming from /var/log/sa ?
Hello,
I am new to Splunk and I fall into every trap.
I have configured UF on a Linux server to monitor /var/log/sa.
The problem is that it has created more than 1,500 Hosts in Summary -> Hosts. This is coming from binary files in /var/log/sa. I beleaved Splunk not indexing binaries?
I have blacklisted undesirable files in the UF inputs.conf :
[monitor://var/log]
disabled=false
sourcetype=syslog
host=xxx.ovh.net
blacklist = (sa|bandwidth|dcpumon|\*.gz$)
Now I want to clean my Hosts list and (if possibly) the data. How to do that?
Since I am still under a learning and trial phase, I could reset all Splunk data, but how to do without loosing all my configuration?
Thanks for help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help.
I think that Indexes are Ok know that I have sa blaklisted.
My problem are the 1500+ false Hosts in the Summary -> Hosts section.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to wipe all data, do a splunk clean eventdata on the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go to the directory where the splunk binary (.exe) resides - if you haven't changed it, it should be in
c:\program files\splunk\bin
then type
splunk help clean
There you should find out what you need to know. If prompted for a username/password because the session is invalid, type them here. By default the username is 'admin' and the password is 'changeme', unless you changed it of course. More info to be had here;
http://docs.splunk.com/Documentation/Splunk/latest/Admin/RemovedatafromSplunk
/kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In fact I am not sure to have done it properly. What do you mean exactly by "do a"? My indexer is on a local Windows box. Where should I enter this command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I have done it. But the 1500+ Hosts still remain!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure I understand your question do you just want to clear your indexes or do you want to delete the events?
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
