Re: Deleted events still showing in search summary

hughroberts · ‎11-30-2013

Hi all

I deleted a large number of events taken through a UniversalForwarder (v5.0.3) using the | delete command.

However these events are still showing up in the event counts on the Search summary page, they don't show up in a regular search only on the summary page.

Is there any way to fix these count totals?

Set up is clustered environment with 2 indexers, one cluster master and one search head, all servers are v5.0.3 running on Windows 2008.

gkanapathy · ‎11-30-2013

It can take some time (as much as an hour or so) for the metadata to be updated after a delete command.

hughroberts · ‎12-01-2013

thanks for the tip, its been that way for 24 hours, think there is a bucket issue, am looking at doing a meta.dirty to force a rebuild of the metsdata.

ShaneNewman · ‎11-30-2013

Is there a chance you have used search optimization? If you have, splunk creates a summary index, meaning the historical data will still be in that summary index.

hughroberts · ‎12-01-2013

hmmmm, should not be on for that specific index but its a possible, thanks for the tip, its give me some things to investigate

Deleted events still showing in search summary

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation