Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How I can delete data from splunk after indexed new file

ngerosa
Path Finder
‎05-05-2017 05:59 AM

Hi,
I have a CSV file in my folder on pc that is updated every day.
I want to use always the most up-to-date csv file.
I tried to use the monitor option but if the next days the csv is updated the old one remain in my splunk data.

Can I use only one csv file and not the sum of old csv?

Thanks in advance

Tags (2)
Reply

ddrillic
Ultra Champion
‎05-05-2017 08:21 AM

You can clear the contents of the old file using something like - index=<index name> source=<source name> | delete and then index the new file. It's doable...

0 Karma
Reply

ngerosa
Path Finder
‎05-05-2017 08:28 AM

I use for every csv the same index. So using monitor option, if my csv file is updated I will have the new csv on my splunk but I will have also the old one that are, in part, similar to the previous one.

I want, using the same index, that every day I work only with the latest up-to-date csv file

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2017 12:31 PM

Consider writing CSV to a KV Store collection every day. Each update will replace the existing date so there will only one day of data in the store. Then your search just needs to do a inputlookup to get the day's data.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2017 07:26 AM

Once data is indexed by Splunk it cannot be deleted or removed until it expires.
You probably should modify your query to search for only the most recent data. Post your query and we may be able to help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ngerosa
Path Finder
‎05-08-2017 07:03 AM

My problem is that if I upload a new file with the same name of the old one, splunk summarize the data so I have many duplicate data.
For example: yesterday I uploaded a csv with 10 events, today I upload the same csv file but with 11 events (10 events equal to the yestarday's file and 1 new events).
I want to see only 11 events and not the sum of the two files (21 events)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-09-2017 10:39 AM

If you're simply adding new events to the same file, rather than completely replacing the CSV, tell Splunk to monitor that file and it will only read the newest events. That should avoid duplicates.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...