
Tuesday, July 6, 2010

Allow Splunk to retrieve logs from Server 2008

Issue: Allow the Splunk service through the firewall on Server 2008

Solution:
  1. Click Start and type "firewall".
  2. Don't select the first result, "Windows Firewall with Advanced Security".
  3. Select the second one in the list, "Windows Firewall".
  4. Click "Change settings".
  5. Click the "Exceptions" tab.
  6. Check the box next to "Remote Event Log Management" (appears to allow port 135/tcp).
  7. Done. Splunk can now remotely access the box (with the right privileges) and index the event logs.
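The same exception can be switched on from an elevated command prompt, which is easier to repeat across several servers and lets you see exactly which rules the GUI checkbox turns on. This is an added example, not part of the original post; the three rule names are the ones a default Server 2008 install puts in that group, and the Splunk host address 192.0.2.10 is a placeholder.

```batch
@echo off
REM Added example: enable the firewall exception behind "Remote Event Log Management"
REM on Server 2008 using netsh advfirewall (run from an elevated command prompt).

REM Enable every inbound rule in the group. This is what ticking the exception in
REM the Windows Firewall GUI does: it opens the RPC endpoint mapper (135/tcp) plus
REM the dynamic RPC ports used by the Event Log service.
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

REM Verify what is now open. On a default install the group contains these rules;
REM the names are assumed from a stock Server 2008 rule set.
netsh advfirewall firewall show rule name="Remote Event Log Management (RPC-EPMAP)"
netsh advfirewall firewall show rule name="Remote Event Log Management (RPC)"
netsh advfirewall firewall show rule name="Remote Event Log Management (NP-In)"

REM Optional hardening: the GUI exception answers to any remote address. Limit the
REM rules to the Splunk host (placeholder 192.0.2.10) so only the indexer can reach
REM the Event Log RPC interface.
netsh advfirewall firewall set rule name="Remote Event Log Management (RPC-EPMAP)" new remoteip=192.0.2.10
netsh advfirewall firewall set rule name="Remote Event Log Management (RPC)" new remoteip=192.0.2.10
netsh advfirewall firewall set rule name="Remote Event Log Management (NP-In)" new remoteip=192.0.2.10
```

If the "show rule" lines report "No rules match the specified criteria", list the group with "netsh advfirewall firewall show rule name=all dir=in" and use the names it prints for that group instead.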

Flush Splunk Data

Issue: During the initial setup and configuration of Splunk it might be nice to empty the indexes and start over.

Solution: Here are some commands to run to clean out the indexed data.

Note: You must first stop the Splunk service before you can run any of these commands:

./splunk stop

This example tells Splunk to remove event data in all indexes (because no index argument is specified).

./splunk clean eventdata

This example removes indexed event data from the internal index and forces Splunk to skip the confirmation prompt.

./splunk clean eventdata internal -f

Note: It can also be helpful to flush the event logs of the server as well, as they might still refer to the server's previous name, which will just add junk to Splunk's indexes.

Other Terms: Purge splunk data - delete data - clear out splunk old data - flush splunk data