Hi,
I saw multiple junk Windows security events filling up my disk space. I have now filtered the unnecessary events. How can I delete those existing events? I tried... Delete, and it's showing "deleted successfully" when I do a search with the delete command, but I saw the events are not deleted. Could someone help me with how to clean up existing indexed events?
Thanks,
Jay
The post here explores a way "to modify indexed data or prune 'deleted' data from the index"; it might be worth a read 🙂
https://wiki.splunk.com/Community:Modifying_indexed_data_via_export_and_import
"Delete and it's showing deleted successfully when I do a search with delete command."
That isn't a search, it's a delete command. You are seeing the status of the delete as it happens.
Those events have been marked as unsearchable and won't be shown in future searches.
Subsequent deletions over the same data won't do anything as they are already gone.
What you should be doing is:
1. Confirm that those are the events you want deleted.
index=blah sourcetype=blah myevent
2. Delete the same events.
index=blah sourcetype=blah myevent | delete
You'll see it report back how many events it has "deleted" (actually hidden).
3. Check that no events are returned by that same search.
index=blah sourcetype=blah myevent
Hi,
Thanks for your answer. I actually want to remove the events completely and free up my disk space. If I use delete, the disk space does not change. If I delete the junk events I will get 350 GB of free space. Please let me know how to remove events completely and free up disk space.
Thanks.
Due to the internals of how Splunk indexers work, selective recovery of disk space is not possible.
Reclaiming space can only be done by fully deleting ALL data inside an index.
WARNING: This is NON-EVENT-SPECIFIC and needs to be done on each search peer/indexer that has your particular index on it.
To do this, jump onto your indexer and run:
./splunk clean eventdata -index myindexblah
This will delete ALL buckets inside that particular index. Make sure this is what you want to do 😉
Thanks for the quick reply. So it won't be possible to delete and reclaim disk space for specific junk events in an index. Thanks a lot for your answer.
Hi jkponnuri,
From the docs http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Delete
Using the delete command marks all of the events returned by the search as deleted. Subsequent searches do not return the marked events. No user, not even a user with admin permissions, is able to view this data using Splunk Enterprise. The delete command does not reclaim disk space.
There is a complete topic on this in the documentation: Remove indexes and indexed data. It explains the four main options:
Delete events from subsequent searches.
Remove all data from one or more indexes.
Remove or disable an entire index.
Delete older data, based on a retirement policy.
Hope this helps ...
cheers, MuS
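As an added illustration of the two points made above (the `delete` command hides events without reclaiming space; only bucket-level operations such as `clean eventdata` or a retirement policy free disk), here is a small Python model. It is not Splunk code and not from any poster: the `Bucket`/`Index` classes, byte sizes and event texts are constructed assumptions that mimic the documented behaviour, not Splunk internals.

```python
from dataclasses import dataclass, field

@dataclass
class Bucket:
    """One index bucket: a time span of raw events kept together on disk (constructed model)."""
    latest: int        # epoch seconds of the newest event in the bucket
    size_bytes: int    # bytes the bucket occupies on disk
    events: list = field(default_factory=list)    # (epoch, raw text) tuples
    tombstoned: set = field(default_factory=set)  # positions hidden by `| delete`

class Index:
    def __init__(self, name):
        self.name, self.buckets = name, []
    def _matches(self, term):
        return [(b, i) for b in self.buckets for i, e in enumerate(b.events)
                if i not in b.tombstoned and term in e[1]]
    def search(self, term):
        """Plain search: tombstoned events are never returned, whatever the user's role."""
        return [b.events[i] for b, i in self._matches(term)]
    def delete(self, term):
        """`... | delete`: mark matches unsearchable and report how many; bytes on disk do not change."""
        hits = self._matches(term)
        for b, i in hits:
            b.tombstoned.add(i)
        return len(hits)
    def disk_bytes(self):
        return sum(b.size_bytes for b in self.buckets)
    def clean_eventdata(self):
        """`splunk clean eventdata -index NAME`: every bucket goes, so all of the space is reclaimed."""
        freed, self.buckets = self.disk_bytes(), []
        return freed
    def apply_retention(self, now, frozen_time_period_secs):
        """Retirement policy: a whole bucket is frozen (removed) once its newest event is older than the cutoff."""
        cutoff = now - frozen_time_period_secs
        frozen = [b for b in self.buckets if b.latest < cutoff]
        self.buckets = [b for b in self.buckets if b.latest >= cutoff]
        return sum(b.size_bytes for b in frozen)

def walkthrough():
    """Constructed sample index (two buckets, 500 bytes); returns the numbers the thread argues about."""
    idx = Index("wineventlog")
    idx.buckets = [Bucket(1999, 300, [(1000, "EventCode=4663"), (1500, "EventCode=4624")]),
                   Bucket(2999, 200, [(2500, "EventCode=4663")])]
    hidden = idx.delete("EventCode=4663")         # 2 noisy events hidden
    bytes_after_delete = idx.disk_bytes()         # still 500: nothing reclaimed
    visible = len(idx.search("EventCode=4663"))   # 0: gone from every search
    freed_by_retention = idx.apply_retention(now=4000, frozen_time_period_secs=1500)  # 300, wanted 4624 event included
    freed_by_clean = idx.clean_eventdata()        # 200: the remaining bucket
    return hidden, bytes_after_delete, visible, freed_by_retention, freed_by_clean
```

Note that the hidden events still sit in the bucket's raw data until that whole bucket is frozen or cleaned, which matters when the "junk" contains anything sensitive.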