https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197464#M39231 <P>I thought that might be the case. We'll be more careful separating out indexes in future</P> Fri, 21 Mar 2014 16:02:39 GMT dc99dc99 2014-03-21T16:02:39Z https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197462#M39229 <P>I know this has been asked before, but I'm hoping that I've misunderstood how deletion works.</P> <P>The situation is that we have a single main index with 500,000,000 items in it, and 300,000,000 of those are the result of someone accidentally writing their windows security logs from their production machines into the index.</P> <P>We're extremely low on disk space and in lieu of getting more provisioned, which is problematic I hoped I might be able to remove those entries out of the index somehow.</P> <P>I know I can run a delete, but I understand this won't remove the data from the index. I also realise I can delete a whole index using the CLI, or delete data from an index based on an expiry strategy.</P> <P>Can i remove data from an index that's mixed with other data from the same time period, or am I completely stuck? Perhaps I can move the data we want to keep to a new index and delete the erroneous data. Am I permanently stuck with those 300,000,000 junk rows?</P> <P>Please help</P> <P>David</P> Fri, 21 Mar 2014 14:27:43 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197462#M39229 dc99dc99 2014-03-21T14:27:43Z https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197463#M39230 <P>The only standard way of removing data other than deleting an index is to cross age- or size-based thresholds per index (default 500GB and several years), and <CODE>delete</CODE> indeed doesn't clear up disk space... but you knew that already <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>In theory you could manually delete single buckets, if and only if that bucket contains nothing but undesired events... however, that's likely a risky procedure and certainly needs working backups to be feasible.</P> <P>Moving data to a new index selectively... I don't know of a way to do that. You could of course re-index from raw data.</P> Fri, 21 Mar 2014 15:18:59 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197463#M39230 martin_mueller 2014-03-21T15:18:59Z https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197464#M39231 <P>I thought that might be the case. We'll be more careful separating out indexes in future</P> Fri, 21 Mar 2014 16:02:39 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197464#M39231 dc99dc99 2014-03-21T16:02:39Z https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197465#M39232 <P>In addition to separating indexes and introducing temporary indexes for testing purposes, I avoid using the default/main index entirely in production environments. That way any data added carelessly without specifying an index can safely be dropped by cleaning the index.</P> Fri, 21 Mar 2014 20:58:03 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-delete-specific-data-from-an-index/m-p/197465#M39232 martin_mueller 2014-03-21T20:58:03Z