Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to delete the uploaded log file?

MS23
Explorer
‎03-07-2023 06:23 AM

Hi team, I have uploaded the log file in Splunk via the upload option from settings.

How to delete the uploaded log file from Splunk.

Note I- am not looking at hiding the data, I want to remove the entire local file

Please advise

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2023 09:36 AM

It's not clear to me what it is you wish to delete.  There is no uploaded file on Splunk so there's nothing to delete.  The original file on your workstation is not touched, other than to read it.  Once the data is ingested, you can safely delete the original data.

If you want Splunk to automatically delete a monitored file after it has been indexed, use a batch input.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Inputsconf#:~:text=setting%20also%20exists.... for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Tom_Lundie
Contributor
‎03-07-2023 08:03 AM

Hi MS23,

You can read more about data deletion here.

Here's the main points:

To selectively delete data from Splunk you can use the delete command, this command does not truly "delete" the data, but it does mark the events in such a way that nobody (not even an admin) can search and return these events.

If you truly need to delete this data then you will need to clean the entire index that stores the data. This is not selective. There is no way to truly delete data without cleaning the entire index that it belongs to.

Depending on how you decide to tackle this, the above documentation will guide you through each option. Please make sure you understand the risks of either method. You have been warned!

P.S. If you're using an Indexer Cluster then you will not be able to effectively clean an index directly.
You can force the cluster to freeze your data (which in a standard Splunk deployment, will delete your data) using the following frozenTimePeriodInSecs indexes.conf setting. For example:

(On a standard Splunk deployment, this config will delete all of the events within the my_index_example index. You have been warned!)

 

[my_index_example]
frozenTimePeriodInSecs = 10

 

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...