topic Re: how to really delete, NOT HIDE, data from splunk in Getting Data In

how to really delete, NOT HIDE, data from splunk

tvaniderstine — Tue, 06 Sep 2011 07:03:41 GMT

I want to delete everything older than 90 days. I've searched and found several answers to 'how do I delete data...' where the answers have assumed that the word 'delete' equals 'hide'. I don't want to hide data, I don't want to export and reimport data. I want to delete data. I want it to be removed from my system permanantly

Is there an App that will do this or do I really have to delete everything and start over.

Alternatively, I'd be able to live with modifying the system to only store 90 days' worth of data and simply delete everything and start over.

Re: how to really delete, NOT HIDE, data from splunk

Starlette — Tue, 06 Sep 2011 08:03:54 GMT

Take a look at this , you have to configure this per index.
So e.g. in indexes.conf

[main]
frozenTimePeriodInSecs = 7776000

This wil delete data from the main index after 90 days (so its in seconds)

Regarding the delete on demand, you can clean per index as in :

splunk clean evendata -index "indexname"

( splunk has to stopped)

Re: how to really delete, NOT HIDE, data from splunk

mikelanghorst — Tue, 06 Sep 2011 17:12:51 GMT

One item to note, clean eventdata -index will delete all data in that index, no option to selectively delete data in an index.

If you need to keep some data but remove other data at the 90 mark, you'll need to keep that data in separate indexes.

Re: how to really delete, NOT HIDE, data from splunk

beaunewcomb — Wed, 26 Sep 2012 20:14:37 GMT

So say I have an index that's got data in it back 120 Days, then I set this:

[indexname]
frozenTimePeriodInSecs = 7776000

I'm assuming that if I restart splunk, it will automatically go through and start deleting stuff older than 90 days on its own. Is this correct?

Re: how to really delete, NOT HIDE, data from splunk

mikelanghorst — Wed, 26 Sep 2012 20:21:31 GMT

Yes, but with a caveat. It will only delete the buckets with the newest event is older than that.

Re: how to really delete, NOT HIDE, data from splunk

beaunewcomb — Wed, 26 Sep 2012 20:23:47 GMT

Ok... weird... thanks!

Re: how to really delete, NOT HIDE, data from splunk

mnestorc — Sat, 05 Jan 2013 19:35:33 GMT

What do you mean by
[main]
and where would I type that command in?
I'm new to Splunk and have just set it up with 1 cisco firewall inputting syslog data. I've just barely messed with this web GUI interface.

If I want to set an auto delete policy for my data because the disk size I am using is a small 25GB drive, how do you navigate to the area to type in the command above:
frozenTimePeriodInSecs = 7776000