Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Delete/clean all the contents of splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
How to delete/clear all the indexed events,saved searches.How to make it brand new as it was after installing for the first time.
Any Suggestions are Appreciated,
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) The below command will not delete the indexed data from the Splunk , instead it doesn't show the results in splunk search.
index=* | delete
2) Below is the purge script - copt it to your splunk server and save as (script.sh). Specify your app names if you would like to delete your local configurations.
Execute with command : sh purge.sh
This will cleanup all the indexed data and your app local configurations
#!/bin/bash
clear
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean eventdata
rm -rf /opt/splunk/etc/apps/Your_app_name1/local/*
rm -rf /opt/splunk/etc/apps/your_app_name2/local/*
/opt/splunk/bin/splunk start
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) The below command will not delete the indexed data from the Splunk , instead it doesn't show the results in splunk search.
index=* | delete
2) Below is the purge script - copt it to your splunk server and save as (script.sh). Specify your app names if you would like to delete your local configurations.
Execute with command : sh purge.sh
This will cleanup all the indexed data and your app local configurations
#!/bin/bash
clear
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean eventdata
rm -rf /opt/splunk/etc/apps/Your_app_name1/local/*
rm -rf /opt/splunk/etc/apps/your_app_name2/local/*
/opt/splunk/bin/splunk start
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you.I just stopped splunk & deleted the folder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stop splunk
cd splunk\bin\
splunk clean eventdata -index <index_name>
easiest way, stop splunk. Delete the index store folders. restart splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi i have installed Splunk on windows, how to delete the indexed data.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
