Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you delete old data from an index?

christianubeda
Path Finder
‎01-14-2019 09:59 AM

Hi team!

I am a beginner and I need help.

I did an index. This Index imported all information from a CSV.

The problem is I have repeat information in the index because every time it imports information, it stores all data.

This CSV has IPs, and because of this, I have repeat IPs...

How can I refresh my index and delete old data? I need to import all IPs, not only those that change.

Thank you a lot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ManchitMalik
Explorer
‎01-14-2019 11:54 PM

You have 2 ways-
1. Use clean command in CLI - splunk clean eventdata -index ** , it will delete the indexed data permanently.
2. Use delete command in Splunk Web- **index= | delete , it will make your data non searchable from this particular index.

View solution in original post

Reply
Solved! Jump to solution
Solution

ManchitMalik
Explorer
‎01-14-2019 11:54 PM

You have 2 ways-
1. Use clean command in CLI - splunk clean eventdata -index ** , it will delete the indexed data permanently.
2. Use delete command in Splunk Web- **index= | delete , it will make your data non searchable from this particular index.

Reply
Solved! Jump to solution

Vijeta
Influencer
‎01-14-2019 12:58 PM

you can delete data from your index if you have can_delete role, but not needed unless you can't do without it.

index=<yourindexname>|delete

You need to be very careful with this approach as data deletion will lead to empty searches till the time new lookup is indexed.

Thanks

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-14-2019 12:42 PM

I know that you probably need more information than this but this is the only part of what you wrote that I can understand. You have 2 ways to delete data from Splunk:

1: Create a search that shows the data to delete and then add | delete to the end of that search. You may need to run this as user admin and add the can_delete capability to that user.
2: Run the clean eventdata command (google it) on that index. You must stop splunk to run this.

Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎01-14-2019 11:13 AM

You are looking for Remove indexes and indexed data in the Managing Indexers and Clusters of Indexers manual.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...