Solved: Deletion of indexed logs

attgjh1 · ‎05-24-2012

if i use "| delete"

the data are still stored in the indexers. is there anyway to physically remove them?

sdaniels · ‎05-24-2012

http://docs.splunk.com/Documentation/Splunk/latest/admin/RemovedatafromSplunk

Example

./splunk clean eventdata -index yourindex

View solution in original post

sdaniels · ‎05-24-2012

http://docs.splunk.com/Documentation/Splunk/latest/admin/RemovedatafromSplunk

Example

./splunk clean eventdata -index yourindex

Ayn · ‎05-24-2012

DANGER - I hope you realize that performing a clean eventdata removes ALL events from the index. I know it's fairly obvious from both the command name and the description in the docs, but it's worth repeating.

If you use the delete operator there is no way to physically remove the events, they will however be removed when cold buckets are moved to frozen.

sdaniels · ‎05-24-2012

Yes...command prompt. Those are linux examples. Go to to /bin and run

splunk clean eventdata -index yourindex

attgjh1 · ‎05-24-2012

thanks for quick reply.

i dont quite understand how to use CLI in splunk. im doing everything using websplunk only. currently my data are all local on a pc.

so, just to clarify...
CLI is only accessible via Command prompt on windows.
And then going to the directory $SPLUNKHOME/bin/

then doing the steps shown in ur link?

many thanks!

Deletion of indexed logs

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!