Getting Data In

How to delete a host and all its data from Splunk so it no longer appears in the Data Summary?


I have a Windows server with the Universal Forwarder installed for testing.

I now want to remove that host and all data it has fed into Splunk, from Splunk.

I've uninstalled the forwarder, but I don't see how to remove it from Splunk itself - the old events are still there and it still shows on the "Data Summary" panel.

I tried hostname | delete from Splunk Web logged in as "admin" and it simply says I don't have rights which seems a bit odd logged in directly as "admin".

Thanks 🙂


So typically, the best practice is to create a new index for testing, then delete the testing index when you are done. This gets rid of all data sent to the index, and everything is clean. The delete command on the other hand is actually only a logical deletion, the data is still on disk (subject to the index's retention policy) but will never be retrieved in a Splunk search. To use it you will need to give your user (even if that's the admin user) the built in "can_delete" role. Once that's done then the delete command will work as expected. And you can then remove the capability again (It's risky to leave that capability on as even though the data is still on disk the only self-service supported way of making it visible again involves re-indexing removed data.

There are a few other nuclear options to removing data from Splunk discussed here:


Thanks, the data is minimal, I simply don't want to client to show up in things like the "Data Summary" pane on the search dashboard - is that doable?

0 Karma


@hutchingsp I am looking for the same thing did you achieve the requirement pls update!

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...