Currently, there is not really a good way to do this as cleaning the event data from an index will just get replicated back from another cluster node.
That being said, there are two not quite so nice ways of doing it.
- With a user that has the can_delete permissions, pipe all the event data to be removed to the delete command. Naturally, this means that all the caveats for using the delete command apply. (Data is not removed from disk, etc.)
- Make sure you stop indexing data to the index your are about to clean and alter your data retention policy to be extremely short. This will roll all the buckets to frozen and hence clear out the index. Once all the data has been removed from the index on all the peers, the retention policy can be set back to its original settings in order to allow for new data to be indexed.
For the 1st option, you may find the following link useful:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/RemovedatafromSplunk#How_to_delete
For the 2nd options, take a look at the documentation here:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy
