Deleting an index due to index volume exceeded


I have a 1 GB license and I would like to delete an index that causes an inflow of huge syslogs. How do I remove it in the Splunk web interface?

Would removing it enable me to search again?

Splunk Employee

To stop the data from coming in, delete the input, not the index.
To figure out which one, look at your inputs, the listening ports, or the forwarders.
Another technique is to use an index-time nullQueue filter to drop some events before indexing (search for this on Answers or in the docs).

If you remove the index, the buckets will stay on disk (see indexes.conf for the location).
But Splunk will refuse to start if you disable the "main" index.
And if this is not the main index, the events will keep coming and you will see an error about the missing index all the time.
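
The two techniques from the answer above, as an added configuration example that is not part of the original post. It assumes the noisy syslog arrives on a UDP 514 input with sourcetype `syslog` (both are assumptions), and that the fragments go in `$SPLUNK_HOME/etc/system/local/` (or an app's `local/` directory) on the indexer or heavy forwarder that does the parsing; a universal forwarder does not apply props/transforms, so the nullQueue filter has to live on the parsing tier. Events routed to nullQueue are dropped before indexing and do not count against the license.

```ini
# --- Option 1: stop the data at the door by disabling the input ---
# inputs.conf  (assumed input stanza: a UDP syslog listener on port 514)
[udp://514]
disabled = 1

# --- Option 2: keep the input, but drop events at index time ---
# props.conf  (assumed sourcetype: syslog)
# Transforms run in the order listed: setnull sends everything to nullQueue,
# then setparsing pulls the events you still want back into indexQueue.
[syslog]
TRANSFORMS-set = setnull, setparsing

# transforms.conf
# Drop every event from this sourcetype ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... except the ones matching this pattern (assumed example: keep sshd lines).
# Remove this stanza and the ", setparsing" above to drop the whole sourcetype.
[setparsing]
REGEX = sshd
DEST_KEY = queue
FORMAT = indexQueue
```

Restart Splunk (or at least the parsing instance) after editing these files; inputs.conf and props/transforms changes are not picked up live. Verify the filter with a search over `index=* sourcetype=syslog` after a few minutes: only the events matching the keep pattern should still arrive, and the per-index volume on the license usage report should drop accordingly.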

Ultra Champion

No, it will not. The license does not work that way. If you have violations you can either apply for a reset license through support, upgrade your existing license, or wait until the violations age out. The last option may never happen if you constantly receive more logs than your license allows for.

If you can live without the data (which I guess you can, since you want to delete it), it's better to turn off the logging at the source. Otherwise you will send useless stuff over the network only to be handled by an application that will throw it away.


