I created some remote data inputs which worked well.
The documentation recommended using a universal forwarder for better performance.
I deleted the old data inputs ok, but the data remains.
How do I delete the old data?
(we are doing the free trial, so just trying to work out the best way to do things. The old data is not important).
If you want the clear all data from an index you can use the CLI:
bin/splunk stop
bin/splunk clean eventdata -index <yourindex>
bin/splunk start
If you want the clear all data from an index you can use the CLI:
bin/splunk stop
bin/splunk clean eventdata -index <yourindex>
bin/splunk start
Give user the can_delete permissions
Search for the old data (by source or somthing like that). If you found the data (and only the data you want to remove) do the same search, and place " | delete " after it.
Is will "hide" data and NOT remove it from disk