Googling for "splunk delete index" turns up
http://www.splunk.com/base/Documentation/3.3/User/DeleteAnIndex
Which gives this error when I use it in CLI
Command error: This command has been removed.
How do we delete an index in 4.1.3?
edit: I'm not referring to cleaning eventdata from an index, for which Lowell's and Nicholas' answers would be correct. (Thanks though!) I'm referring to actually deleting an index from Splunk, so that it actually is removed from the indexes list in the Manager.
rayfoo,
go to Manager » Indexes and find your index there. Go ahead and Disable this index. Make sure you have removed all input.conf stanzas that monitor data and send it to this particular index.
Once finished, restart splunk. Check to make sure that the index got disabled. Then to completely delete/remove the index go to $SPLUNK_DB/INDEX_NAME/ and either delete or move this index to a different folder.
Then, go and find where the stanza for the particular index that you want to delete got saved in your indexes.conf.
You can check /etc/system/local or /etc/apps/search/local/ or even /etc/apps/launcher/local/. Find and remove the stanza that is relevant to your index (the one you want to delete). It should look something like this:
[test]
coldPath = $SPLUNK_DB/test/colddb
homePath = $SPLUNK_DB/test/db
thawedPath = $SPLUNK_DB/test/thaweddb
disabled = 1
Then restart splunk again. I believe this should be enough for you to "delete" the index and not have it show up in the indexes list on your manager page.
Cheers,
.gz
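An added example, not part of the original answer: a small script for the "find the stanza" step above. It walks a whole etc tree rather than only the three directories named, and reports every indexes.conf stanza that defines the index plus every inputs.conf stanza that still routes data to it. The function names and the sample tree are constructed for illustration; on a real host you would pass your own $SPLUNK_HOME/etc path.

```python
import os
import re
import tempfile

STANZA = re.compile(r"^\[(.+)\]$")
INDEX_SETTING = re.compile(r"^index\s*=\s*(\S+)")

def find_index_references(etc_dir, index_name):
    """Return sorted (path, stanza, reason) for every conf stanza tied to index_name."""
    hits = []
    for root, _dirs, files in os.walk(etc_dir):
        for fname in files:
            if fname not in ("indexes.conf", "inputs.conf"):
                continue
            # Settings that appear before any stanza header are labelled "(global)".
            path, stanza = os.path.join(root, fname), "(global)"
            with open(path, encoding="utf-8", errors="replace") as fh:
                for raw in fh:
                    line = raw.strip()
                    if not line or line.startswith("#"):
                        continue
                    header = STANZA.match(line)
                    if header:
                        stanza = header.group(1)
                        if fname == "indexes.conf" and stanza == index_name:
                            hits.append((path, stanza, "index definition"))
                        continue
                    setting = INDEX_SETTING.match(line)
                    if fname == "inputs.conf" and setting and setting.group(1) == index_name:
                        hits.append((path, stanza, "input sends data to index"))
    return sorted(hits)

def make_sample_etc(base):
    """Write a constructed sample tree standing in for $SPLUNK_HOME/etc (not real data)."""
    files = {
        "system/local/indexes.conf": "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n",
        "apps/search/local/indexes.conf":
            "[test]\ncoldPath = $SPLUNK_DB/test/colddb\nhomePath = $SPLUNK_DB/test/db\n"
            "thawedPath = $SPLUNK_DB/test/thaweddb\ndisabled = 1\n",
        "apps/launcher/local/inputs.conf":
            "[monitor:///var/log/app.log]\nindex = test\n\n"
            "[monitor:///var/log/other.log]\nindex = main\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_etc(tmp)
        for path, stanza, reason in find_index_references(tmp, "test"):
            print(f"{os.path.relpath(path, tmp)}: [{stanza}] ({reason})")
```

An empty result for an index that is still listed means the definition lives outside the tree that was scanned.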
This would be helpful!!
http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/RemovedatafromSplunk
Just read carefully... and always back up your files!!
Regards
Cris
Hi bmnguyen,
Even I have been facing this issue (on Splunk 4.1.6) but have found only a few links useful. Sharing them here, hope they might help:
Tells how to delete an index in 4.2 and above versions: http://www.splunk.com/base/Documentation/4.2.1/Admin/RemovedatafromSplunk
indexes.conf file - good to know how the indexes are listed there. Link: http://www.splunk.com/base/Documentation/4.2.1/admin/Indexesconf
Hope these two links help. Do let me know if these helped you in resolving your issue or not.
Regards,
Mohit Vohra.
Never mind! I found the instructions for Splunk 4.2.1 to remove indexed data and completely delete the index.
Follow the links below:
Remove indexed data from Splunk
Completely delete an index (and not just the data contained in it)
It seems to be obvious once you know it, but before then, general instructions were so vague.
Thanks
It is now May 7, 2011, and I am using Splunk 4.2 build 96430. Does anyone have the answer? I am new to Splunk and learning how to develop apps and to manage the system.
I have followed the instruction above to remove an index. (Well, sort of! The instruction doesn't explicitly spell out the "relevant index.conf" and the "all input.conf"). I located and viewed ALL index.conf and input.conf files under the $SPLUNK_HOME directory tree, but I found no trace of related stanzas or settings. Regardless of all my efforts, the web screen at Splunk >> Manager >> Indexes still lists the index. Uh!
On the other hand, I used the CLI to remove, but it returned a message, "Command error: This command has been removed."
I wonder why the "splunk remove index {Index_Name}" command has been removed and why this version of Splunk has made a step backward, compared to the previous versions.
The system seems to be OK with the disabled index, but I want to tidy up my system.
I greatly appreciate any help I can get.
Thanks
I'm sorry to revive this thread, but as of 4.2.1, it still seems like it is still not possible to remove/delete an index using the UI or CLI.
I find it somewhat bizarre that such a feature just does not exist. I'm quite curious about it, as surely there must be a good reason for that.
Anyone know why?
thx
Yeps, refer to Genti's answer which I chose, right at the top of this section.
Not sure why the debate is still ongoing, Genti's answer above contains all the information you need to remove an index
There is no feature to completely remove an index via the UI or the CLI
Has this question been answered?
How do you delete an index (completely) from Splunk 4.1.3 (not just clear events)?
Raj, did you get an answer to the question? I tried the old procedure, but the index is still visible (although disabled).
try this rayfoo:
./splunk clean eventdata <indexName> -f
or this:
./splunk clean eventdata -index <indexName> -f
By the way, are you trying to remove the events from that particular index? Or are you trying to move the index to another directory?
Thanks, but I'm not referring to cleaning eventdata (pls ref to my edit in the qn above)
Your doc is pointing to the 3.3 release of splunk, which is not relevant to 4.1. Use this link instead:
http://docs.splunk.com/Documentation/Splunk/4.1/Admin/RemovedatafromSplunk
Thanks, but I'm not referring to cleaning eventdata (pls ref to my edit in the qn above)
yeap, Lowell is right:
To permanently remove event data from a single index, type:
./splunk clean eventdata <index_name>
where <index_name> is the name of the targeted index.