How to delete the uploaded log file?

MS23
Explorer

Hi team, I have uploaded the log file in Splunk via the upload option from settings.

How do I delete the uploaded log file from Splunk?

Note: I am not looking at hiding the data; I want to remove the entire local file.

Please advise.

0 Karma

richgalloway
SplunkTrust

It's not clear to me what it is you wish to delete.  There is no uploaded file on Splunk so there's nothing to delete.  The original file on your workstation is not touched, other than to read it.  Once the data is ingested, you can safely delete the original data.

If you want Splunk to automatically delete a monitored file after it has been indexed, use a batch input.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Inputsconf#:~:text=setting%20also%20exists.... for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
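
The batch input mentioned in the reply above, shown next to an ordinary monitor input for contrast. This is an added example, not part of the original post; the paths, index name and sourcetype are placeholders.

```ini
# inputs.conf (constructed example; paths, index and sourcetype are placeholders)

# monitor: Splunk tails the file and leaves it on disk after indexing.
[monitor:///var/log/myapp/app.log]
index = my_index_example
sourcetype = myapp:log
disabled = false

# batch: Splunk indexes each matching file once, then DELETES it from disk.
# move_policy = sinkhole is required for batch inputs and is the setting
# that causes the deletion. Point it only at a drop directory that holds
# copies you do not need to keep, never at the original log location.
[batch:///opt/splunk_drop/myapp/*.log]
move_policy = sinkhole
index = my_index_example
sourcetype = myapp:log
disabled = false
```

Deleting the source file this way does not remove the events that were already indexed from it; those stay searchable until they are deleted or aged out of the index.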

Tom_Lundie
Contributor

Hi MS23,

You can read more about data deletion here.

Here are the main points:

To selectively delete data from Splunk, you can use the delete command. This command does not truly "delete" the data, but it does mark the events in such a way that nobody (not even an admin) can search and return these events.

If you truly need to delete this data then you will need to clean the entire index that stores the data. This is not selective. There is no way to truly delete data without cleaning the entire index that it belongs to.

Depending on how you decide to tackle this, the above documentation will guide you through each option. Please make sure you understand the risks of either method. You have been warned!

P.S. If you're using an Indexer Cluster then you will not be able to effectively clean an index directly.
You can force the cluster to freeze your data (which in a standard Splunk deployment, will delete your data) using the following frozenTimePeriodInSecs indexes.conf setting. For example:

(On a standard Splunk deployment, this config will delete all of the events within the my_index_example index. You have been warned!)

[my_index_example]
frozenTimePeriodInSecs = 10

0 Karma