From UI it seems easy to add data but I don't see an option to delete existing data from index. I need the quick an dirty steps to remove existing data/index so we can experiment different types of logs to import/indexed. Trial/Error pilot...
There isn't any great way to do this from the UI. However, there is a really simple way to do this from the command line:
splunk stop splunk clean eventdata -index yourindex splunk start
It cleans very fast, since it is just deleting all the files. If you want to clean ALL indexes, just leave off the
Thank you for quick response, however did what you recommended without -index...
I still see Events Index data from UI?
splunk clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be und
Are you sure you want to continue [y/n]? y
Disabled database 'splunklogger': will not clean.
All preliminary checks passed.
If you did this on the indexer, then all the indexes were cleaned. If you have multiple indexers, you will need to do this on each indexer.
splunklogger is used by Splunk for internal info - it will never "clean" and that's okay.
If you clean an index, the fishbucket on the indexer will be appropriately updated so that the data will be reindexed - if that data came from the indexer.
However, if the data came from a forwarder, then you need to clean the _fishbucket on the forwarder to force the forwarder to resend data that it already sent once. (Because the forwarder doesn't know that you cleaned the indexer...)
So wherever the
inputs.conf lives, that's where you need to reset the fishbucket to get the data re-indexed. If you don't want to reset the entire fishbucket, lookup
btprobe which will let you reindex a single source.
Good point Mitesh
So there is no way to reset the index , I still see previous log/data imported into index. I only had 1 log imported and basically want to start from scratch for testing purposes (test import options). I guess I will have to re-install the application every time it seems?
If you still see previous data, then something didn't work. I use the clean command every week and it works, I assure you.
That said - if you reset the index, then IF you have an input defined in inputs.conf, the data will be re-indexed. If you don't want the data re-indexed, then disable the stanza in inputs.conf!