Solved: Re: How do I delete old data for old data inputs, ...

mr_dombat · ‎11-17-2015

I created some remote data inputs which worked well.

The documentation recommended using a universal forwarder for better performance.

I deleted the old data inputs ok, but the data remains.

How do I delete the old data?

(we are doing the free trial, so just trying to work out the best way to do things. The old data is not important).

Sebastian2 · ‎11-18-2015

If you want the clear all data from an index you can use the CLI:

bin/splunk stop
bin/splunk clean eventdata -index <yourindex>
bin/splunk start

View solution in original post

Sebastian2 · ‎11-18-2015

If you want the clear all data from an index you can use the CLI:

bin/splunk stop
bin/splunk clean eventdata -index <yourindex>
bin/splunk start

teunlaan · ‎11-18-2015

Give user the can_delete permissions
Search for the old data (by source or somthing like that). If you found the data (and only the data you want to remove) do the same search, and place " | delete " after it.

Is will "hide" data and NOT remove it from disk

How do I delete old data for old data inputs, and why is our receiver not receiving any data from our universal forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation