Getting Data In

How do you delete old data from an index?

christianubeda
Path Finder

Hi team!

I am a beginner and I need help.

I did an index. This Index imported all information from a CSV.

The problem is I have repeat information in the index because every time it imports information, it stores all data.

This CSV has IPs, and because of this, I have repeat IPs...

How can I refresh my index and delete old data? I need to import all IPs, not only those that change.

Thank you a lot.

0 Karma
1 Solution

ManchitMalik
Explorer

You have 2 ways-
1. Use clean command in CLI - splunk clean eventdata -index ** , it will delete the indexed data permanently.
2. Use delete command in Splunk Web- **index= | delete
, it will make your data non searchable from this particular index.

View solution in original post

ManchitMalik
Explorer

You have 2 ways-
1. Use clean command in CLI - splunk clean eventdata -index ** , it will delete the indexed data permanently.
2. Use delete command in Splunk Web- **index= | delete
, it will make your data non searchable from this particular index.

Vijeta
Influencer

you can delete data from your index if you have can_delete role, but not needed unless you can't do without it.

index=<yourindexname>|delete

You need to be very careful with this approach as data deletion will lead to empty searches till the time new lookup is indexed.

Thanks

woodcock
Esteemed Legend

I know that you probably need more information than this but this is the only part of what you wrote that I can understand. You have 2 ways to delete data from Splunk:

1: Create a search that shows the data to delete and then add | delete to the end of that search. You may need to run this as user admin and add the can_delete capability to that user.
2: Run the clean eventdata command (google it) on that index. You must stop splunk to run this.

ChrisG
Splunk Employee
Splunk Employee

You are looking for Remove indexes and indexed data in the Managing Indexers and Clusters of Indexers manual.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...