How to clean-up huge list of "Not Sending" Unique Hosts

Posted: Thu Feb 08, 2024 2:21 am
by Haas07
Hi there,

I got myself in a bit of a mess...
Due to a wrong manipulation of a filter I ended up with a huge list of "Not Sending" Unique Hosts.
Reason is that I (briefly) used 'host' as the field name in a CSV filter.
I understand that this is a 'reserved word' and this mistake somehow made these entries tagged as input hosts.

There are a few thousand entries, and I would like to avoid having to manually click/delete every single entry.
And my question is how I would be able to clean this out in a more convenient way?
Is there any location/file, or is there any command that I could run?

Re: How to clean-up huge list of "Not Sending" Unique Hosts

Posted: Thu Feb 08, 2024 10:18 am
by jmichaelson
I'm not sure that there is an easy way to do what you're doing, that we provide. Could you be a bit more specific as to what you did to create that filter in the first place, and I can try to replicate the scenario and see if I can provide more guidance to easily handle this?

Re: How to clean-up huge list of "Not Sending" Unique Hosts

Posted: Thu Feb 08, 2024 11:07 am
by Haas07
Hey Jason,

Thank you for your response already!

I'm not 100% sure anymore.
But I think I either used "host" as part of the CSV filter

if [host] == '##.##.##.##' {
    csv {
        columns => ["zs01_time","zs02_login","zs03_protocol","host","zs04_eurl","zs05_action"]
    }
}

OR I might have done something like this where I created a new field named host.

# Copy a field
ruby {
    code => "
        event['host'] = event.get('FQDN15')
    "
}

Regards
John

Re: How to clean-up huge list of "Not Sending" Unique Hosts

Posted: Fri Feb 09, 2024 5:29 pm
by jmichaelson
I'm working on what hopefully will resolve this for you. Unfortunately it's going to be Monday before I can verify whether it will work.

Re: How to clean-up huge list of "Not Sending" Unique Hosts

Posted: Mon Feb 12, 2024 11:46 am
by jmichaelson
Good morning! I just had to make sure that what I was going to have you do will regenerate the known hosts list. I'm not sure how long it will take, but for me, sometime between the time I left on Friday and now, it regenerated, so I feel safe having you do this. SSH into your Log Server system, and at the shell prompt type the following:

Code:

curl -X "DELETE http://localhost:9200/nagioslogserver/cf_option/known_hosts"

This will delete the known hosts list, and the system jobs will eventually reset it.

Hope this helps you!

Re: How to clean-up huge list of "Not Sending" Unique Hosts

Posted: Mon Feb 12, 2024 1:44 pm
by Haas07
Hey Jason,

This worked!
Thank you very much man, you saved my mouse and my finger from developing RSI.......

Tiny note: I just had to move the double quote:
curl -X DELETE "http://localhost:9200/nagioslogserver/c ... nown_hosts"

Thank you!
John
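
The reset described in this thread, wrapped so that a copy of the known-hosts document is saved before it is deleted. This is an added example, not part of the original posts and not Nagios tooling; the URL is the one posted above, while the function names, the ES_URL variable and the backup path are assumptions made for the example.

```shell
#!/bin/sh
# Added example: back up the known-hosts document, then delete it.
# Function names, ES_URL and the backup path are assumptions.

ES_URL="${ES_URL:-http://localhost:9200}"
DOC_PATH="nagioslogserver/cf_option/known_hosts"

# Save the current document (plain GET on the same URL) to a file.
backup_known_hosts() {
    backup_file="$1"
    # -f makes curl exit non-zero on an HTTP error such as 404.
    curl -sS -f -o "$backup_file" "$ES_URL/$DOC_PATH" || return 1
    # An empty file is not a usable backup.
    [ -s "$backup_file" ] || return 1
}

# Delete the document. The method and the URL are two separate
# arguments: -X takes only DELETE, and the quoted URL follows it.
delete_known_hosts() {
    curl -sS -f -X DELETE "$ES_URL/$DOC_PATH"
}

# Back up first and delete only if the backup succeeded.
reset_known_hosts() {
    target="${1:-/tmp/known_hosts.$(date +%Y%m%d%H%M%S).json}"
    if ! backup_known_hosts "$target"; then
        echo "backup failed, not deleting" >&2
        return 1
    fi
    echo "backup written to $target" >&2
    delete_known_hosts
}

# Run only when invoked as: sh reset_known_hosts.sh --run [backup-file]
if [ "${1:-}" = "--run" ]; then
    reset_known_hosts "${2:-}"
fi
```

Run it on the Log Server host itself, since the URL points at localhost.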