How can I remove eventdata even if Splunk restarts?


Splunk Version: 6.1.2 (Free Edition)
OS: Mac OS X 10.10.2


I tried to remove all of the indexed event data with the following commands:

pollux:splunk ohisa$ pwd
pollux:splunk ohisa$ /Applications/Splunk/bin/splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
Stopping splunk helpers...

pollux:splunk ohisa$ /Applications/Splunk/bin/splunk clean eventdata -f
Cleaning database _audit.
Cleaning database _blocksignature.
Cleaning database _internal.
Cleaning database _introspection.
Cleaning database _thefishbucket.
Cleaning database history.
Cleaning database main.
Cleaning database summary.
Disabled database 'splunklogger': will not clean.
pollux:splunk ohisa$ ls defaultdb/
./ ../

pollux:splunk ohisa$

The directory 'defaultdb' -- index main -- is now empty. But after "splunk start", the event data that was deleted above is restored as 'hot_v1_7':

pollux:splunk ohisa$ /Applications/Splunk/bin/splunk start

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port []: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Checking filesystem compatibility... Done
Checking conf files for problems...
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Waiting for web server at to be available.. Done

If you get stuck, we're here to help.
Look for answers here:

The Splunk web interface is at http://pollux.local:8000

pollux:splunk ohisa$ ls defaultdb/
./ ../ colddb/ datamodel_summary/ db/ thaweddb/
pollux:splunk ohisa$ ls defaultdb/db
./ ../ .bucketManifest CreationTime GlobalMetaData/ hot_v1_7/
pollux:splunk ohisa$ ls defaultdb/db/hot_v1_7/
./ 1425593484-1425161467-1192398453668579227.tsidx bucket_info.csv
../ rawdata/
1425338835-1425288071-1192398874956226696.tsidx splunk-autogen-params.dat
1425365650-1425358532-1192398817086921380.tsidx splunk-need-optimize.dat

pollux:splunk ohisa$


0 Karma


Don't delete the "_thefishbucket" index. It keeps track of what has been indexed and what has not. By removing it, it will index all data that is specified in inputs.

So use: ./splunk clean eventdata -index -f for all indexes except _thefishbucket

0 Karma
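
The per-index approach suggested in the answer above, as an added example that is not part of the original thread: it reads the index names from the "Validated:" line of the startup output in the question and prints one clean command per index except _thefishbucket, without running any of them. The Splunk path and the sample line come from the question; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for per-index cleans.
# It only prints commands; splunkd must be stopped before any of them is run.

# Path taken from the question; override with SPLUNK_BIN for other installs.
SPLUNK_BIN="${SPLUNK_BIN:-/Applications/Splunk/bin/splunk}"
# Index the answer says to keep, so file-input tracking survives the clean.
KEEP="_thefishbucket"

# Sample input: the "Validated:" line from the startup output in the question.
SAMPLE_VALIDATED="Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary"

# indexes_from_validated LINE -> index names, one per line
indexes_from_validated() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Validated:[[:space:]]*//p' \
        | tr -s ' ' '\n' \
        | sed '/^$/d'
}

# clean_commands LINE -> one "clean eventdata" command per index except $KEEP
clean_commands() {
    indexes_from_validated "$1" | while IFS= read -r idx; do
        # Leave the fishbucket alone: cleaning it makes inputs index everything again.
        [ "$idx" = "$KEEP" ] && continue
        # Accept only plain index names so nothing unexpected reaches the CLI.
        case "$idx" in
            *[!A-Za-z0-9_-]*)
                echo "skipping unexpected token: $idx" >&2
                continue
                ;;
        esac
        printf '%s clean eventdata -index %s -f\n' "$SPLUNK_BIN" "$idx"
    done
}

# Dry run: show what would be executed for the indexes seen in the question.
clean_commands "$SAMPLE_VALIDATED"
```

Review the printed list before running anything from it, since each command permanently removes that index's event data.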


Do you have any active inputs? What's happening here isn't that the data is getting restored. It's that new data is being indexed.
