How to delete event data from an indexer using the...

juandiaz · ‎07-23-2015

Hi everyone,

I have found similar questions and responses to this type of scenario, but I can’t seem to find a way to create an API version of the Shell commands to remove eventdata under a specific index. The Shell version of the commands would be:

Command 1: splunk stop
Command 2: splunk clean eventdata –<index>
Command 3: splunk start

The end goal is to use API calls to remove a retired index from the main indexer, and then delete the subsequent log event data on the server that falls under that index. I already have the API command to delete the index, I am just having trouble configuring the API call to remove that subsequent data.

Any help would be greatly appreciated. Thank you!

bmacias84 · ‎07-23-2015

The api does not provide facilities to clean the eventdata as Splunk daemon needs to be stopped. You are better off using remote ssh command or powershell command to run the shell commands. You can use the "|delete" command to mark the data as unsearchable via the api by create a search job, but that does not remove the data.

How to delete event data from an indexer using the REST API?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation