Yesterday we saw our host count rocket from ~6000 servers to over 24,000 servers and, looking at the host list, found over 19,000 entries of hosts listed as:
2009-06-16-20.13.18.123644-300
2009-06-16-20.13.18.121862-300
over, and
over, and
over, and...you get the picture.
I was able to get this to stop adding servers by the hundreds each hour after a Splunk Restart.
Now, what I need to do is clean up the "erroneous names" from the index and was trying to do this CLI with the following:
splunk search '| oldsearch startdaysago=2 delete::host=2009-*' -auth admin:passwd
Here is the error I received:
An error occurred during search: Search Execute failed because Unable to find host to delete : host::2009-*
Each host entry is differentiated by the incrementing numbers in the 7th octet, so I tried to use a wildcard "*", without success.
My question is: is there a way to do this via the CLI to rid our index of the 19,000+ erroneous host names listed?
pstein
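Added example, not part of pstein's post or any Splunk documentation: before running a bulk delete against a wildcard like `host=2009-*`, it is worth checking that the wildcard only matches the timestamp-shaped names and not a legitimate host that happens to start with the same prefix. The script below matches the exact shape of the names quoted above (date, time, six-digit microseconds, three-digit offset), partitions a constructed host list, reports legitimate hosts the wildcard would also hit, and builds the equivalent search using the `| delete` search command of later Splunk releases (assumed here; the post's `oldsearch ... delete::host=` syntax is from an older release and `| delete` still requires a role with the `can_delete` capability).

```python
import re

# Pattern of the erroneous host names quoted in the post:
# YYYY-MM-DD-HH.MM.SS.microseconds-offset, e.g. 2009-06-16-20.13.18.123644-300
ERRONEOUS_HOST_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d{6}-\d{3}$"
)


def is_erroneous_host(host: str) -> bool:
    """True when the host name is one of the timestamp-shaped entries."""
    return bool(ERRONEOUS_HOST_RE.match(host))


def partition_hosts(hosts):
    """Split a host list into (erroneous, legitimate), preserving order."""
    bad = [h for h in hosts if is_erroneous_host(h)]
    good = [h for h in hosts if not is_erroneous_host(h)]
    return bad, good


def wildcard_collateral(prefix, hosts):
    """Legitimate hosts that a host="<prefix>*" wildcard would also delete."""
    return [h for h in hosts if h.startswith(prefix) and not is_erroneous_host(h)]


def build_delete_search(prefix="2009-", earliest="-2d"):
    """Build the SPL that marks matching events as deleted (assumed `| delete`
    command; the Splunk version in the post may need its older syntax)."""
    return f'host="{prefix}*" earliest={earliest} | delete'


# Constructed sample host list (not real data): two of the erroneous names from
# the post, a normal server, and a hypothetical real host that the 2009- wildcard
# would also match.
SAMPLE_HOSTS = [
    "2009-06-16-20.13.18.123644-300",
    "2009-06-16-20.13.18.121862-300",
    "webserver01",
    "2009-lab-box",
]


if __name__ == "__main__":
    bad, good = partition_hosts(SAMPLE_HOSTS)
    print(f"{len(bad)} erroneous, {len(good)} legitimate")
    collateral = wildcard_collateral("2009-", SAMPLE_HOSTS)
    if collateral:
        print("wildcard would also hit:", collateral)
    print("search:", build_delete_search())
```

If `wildcard_collateral` reports anything, narrow the prefix (for example to the full date, `2009-06-16-*`) or restrict the search further before running the delete, since `| delete` is irreversible.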