Archive
Highlighted

index duplication

New Member

is there any way to delete/remove indexed data for a particular time range ? thanks in advance.

Tags (1)
0 Karma
Highlighted

Re: index duplication

Influencer

You can filter you indexes to the events you wish to remove in the standard Splunk search view (i.e. flashtimeline). For example:

 <your filtering search> | delete

As this is "risky", the user will need to be assigned the "can_delete" role.

If it is in specific indexes, and you wish to remove that WHOLE index, you can use the CLI tool, "clean", to delete data from that Index. For example

./splunk clean eventdata ...

These methods should be used with extreme caution as the effects can not be reversed. I would recommend reviewing your filtering search carefully, and also reading the documenatation on this subject first... it should not be taken lightly.

http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/RemovedatafromSplunk

View solution in original post

0 Karma
Highlighted

Re: index duplication

New Member

thank you !!

0 Karma
Highlighted

Re: index duplication

Influencer

no problem... if this answers your question, can you please mark it as accepted to "close" it off.

Highlighted

Re: index duplication

Influencer

... it's the empty tick next to the answer

Highlighted

Re: index duplication

Splunk Employee
Splunk Employee

(i accepted your answer, mhibbin :))

0 Karma