Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you delete old data from an index?

christianubeda
Path Finder
‎01-14-2019 09:59 AM

Hi team!

I am a beginner and I need help.

I did an index. This Index imported all information from a CSV.

The problem is I have repeat information in the index because every time it imports information, it stores all data.

This CSV has IPs, and because of this, I have repeat IPs...

How can I refresh my index and delete old data? I need to import all IPs, not only those that change.

Thank you a lot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ManchitMalik
Explorer
‎01-14-2019 11:54 PM

You have 2 ways-
1. Use clean command in CLI - splunk clean eventdata -index ** , it will delete the indexed data permanently.
2. Use delete command in Splunk Web- **index= | delete , it will make your data non searchable from this particular index.

View solution in original post

Reply
Solved! Jump to solution
Solution

ManchitMalik
Explorer
‎01-14-2019 11:54 PM

You have 2 ways-
1. Use clean command in CLI - splunk clean eventdata -index ** , it will delete the indexed data permanently.
2. Use delete command in Splunk Web- **index= | delete , it will make your data non searchable from this particular index.

Reply
Solved! Jump to solution

Vijeta
Influencer
‎01-14-2019 12:58 PM

you can delete data from your index if you have can_delete role, but not needed unless you can't do without it.

index=<yourindexname>|delete

You need to be very careful with this approach as data deletion will lead to empty searches till the time new lookup is indexed.

Thanks

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-14-2019 12:42 PM

I know that you probably need more information than this but this is the only part of what you wrote that I can understand. You have 2 ways to delete data from Splunk:

1: Create a search that shows the data to delete and then add | delete to the end of that search. You may need to run this as user admin and add the can_delete capability to that user.
2: Run the clean eventdata command (google it) on that index. You must stop splunk to run this.

Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎01-14-2019 11:13 AM

You are looking for Remove indexes and indexed data in the Managing Indexers and Clusters of Indexers manual.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...