topic Re: How to delete existing indexed events? in Getting Data In

How to delete existing indexed events?

jkponnuri — Wed, 09 Dec 2015 00:54:48 GMT

Hi,

I saw multiple junk Windows security events filling up my disk space. I now filtered unnecessary events. How can I delete those existing events? I tried... Delete and it's showing deleted successfully when I do a search with delete command, but I saw the events are not deleted. Could some one help me how to clean up existing indexed events?

Thanks,
Jay

Re: How to delete existing indexed events?

MuS — Wed, 09 Dec 2015 01:30:25 GMT

Hi jkponnuri,

From the docs http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Delete

Using the delete command marks all of the events returned by the search as deleted. Subsequent searches do not return the marked events. No user, not even a user with admin permissions, is able to view this data using Splunk Enterprise. The delete command does not reclaim disk space.

There is a complete topic on this in the documentation: Remove indexes and indexed data. It explains the four main options:

Delete events from subsequent searches.
Remove all data from one or more indexes.
Remove or disable an entire index.
Delete older data, based on a retirement policy.

Hope this helps ...

cheers, MuS

Re: How to delete existing indexed events?

Lucas_K — Wed, 09 Dec 2015 02:10:39 GMT

"Delete and it's showing deleted successfully when I do a search with delete command".

That isn't a search, its a delete command. You are seeing the status of the delete as it happens.
Those events have been marked as unsearchable and won't be shown in future searches.

Subsequent deletions over the same data won't do anything as they are already gone.

what you should be doing is

Confirm that those are the events you want deleted.
index=blah sourcetype=blah myevent

Delete the same events.
index=blah sourcetype=blah myevent | delete

You'll see it report back how many events it has "deleted" (actually hidden).

Check that no events are in that same search.
index=blah sourcetype=blah myevent

Re: How to delete existing indexed events?

jkponnuri — Thu, 10 Dec 2015 00:52:33 GMT

Hi,

Thanks for your answer, I actually want to remove the event completely and empty my disk space. If I use delete, the disk space has no change. If I delete junk events I will get 350gb empty space. Pls let me know how to remove events completely and empty disk space.

Thanks.

Re: How to delete existing indexed events?

Lucas_K — Thu, 10 Dec 2015 00:59:54 GMT

Due to internals of how splunk indexers work, selective recovery of disk space is not possible.
Reclaiming space can only be done by fully deleting ALL data inside an index.

WARNING: This is NON-EVENT-SPECIFIC and needs to be done on each search peer/indexer that has your particular index on it.

To do this jump onto your indexer.

./splunk clean eventdata -index myindexblah

This will delete ALL buckets inside that particular index. Make sure this is what you want to do 😉

Re: How to delete existing indexed events?

jkponnuri — Thu, 10 Dec 2015 01:05:33 GMT

Thanks for quick reply. So it won't be possible to delete and reclaim disk space for specific junk events in index. Thanks a lot for your answer.

Re: How to delete existing indexed events?

murikadan — Thu, 10 Dec 2015 07:18:02 GMT

The post here explores a way to "to modify indexed data or prune "deleted" data from the index" might be worth a read 🙂

https://wiki.splunk.com/Community:Modifying_indexed_data_via_export_and_import