Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to delete a host and all its data from Splunk ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to delete a host and all its data from Splunk so it no longer appears in the Data Summary?
I have a Windows server with the Universal Forwarder installed for testing.
I now want to remove that host and all data it has fed into Splunk, from Splunk.
I've uninstalled the forwarder, but I don't see how to remove it from Splunk itself - the old events are still there and it still shows on the "Data Summary" panel.
I tried hostname | delete from Splunk Web logged in as "admin" and it simply says I don't have rights which seems a bit odd logged in directly as "admin".
Thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So typically, the best practice is to create a new index for testing, then delete the testing index when you are done. This gets rid of all data sent to the index, and everything is clean. The delete command on the other hand is actually only a logical deletion, the data is still on disk (subject to the index's retention policy) but will never be retrieved in a Splunk search. To use it you will need to give your user (even if that's the admin user) the built in "can_delete" role. Once that's done then the delete command will work as expected. And you can then remove the capability again (It's risky to leave that capability on as even though the data is still on disk the only self-service supported way of making it visible again involves re-indexing removed data.
There are a few other nuclear options to removing data from Splunk discussed here: http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/RemovedatafromSplunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the data is minimal, I simply don't want to client to show up in things like the "Data Summary" pane on the search dashboard - is that doable?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hutchingsp I am looking for the same thing did you achieve the requirement pls update!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
