I want to remove the data for a specified period of time from the bucket.
I could delete the data with the " | delete" command in a search query, but I think this method only hides it from the search results; the data in the bucket is not deleted.
One way I have thought of is the following.
splunk cmd exporttool <warm_buckets> -et <buckets_earliest_time> -lt <specified_start_time> -csv
splunk cmd exporttool <warm_buckets> -et <specified_end_time> -lt <buckets_latest_time> -csv
Example:
The bucket contains data from 2014/09/01 to 2014/09/30, and I want to remove the data from 2014/09/10 to 2014/09/20.
Execute the following commands.
splunk cmd exporttool <warm_buckets> ex_1.csv -et 2014/09/01(epochtime) -lt 2014/09/09(epochtime) -csv
splunk cmd exporttool <warm_buckets> ex_2.csv -et 2014/09/21(epochtime) -lt 2014/09/30(epochtime) -csv
Delete the bucket and import these two CSV files.
Although I think this is one way to completely remove only the data for that period,
is there not a smarter way?
You need to know what you are doing before deleting any bucket. If you proceed, do it at your own risk.
The general steps are the following:
1) To be safe, stop splunkd.
2) Select the splunk indexer and index you want to delete a bucket from.
3) On the selected indexer, run the following Splunk search for the period of time you want to delete events from:
| dbinspect index=your_index_name
4) If you are running 6.x, the returned fields will be these:
bucketId endEpoch eventCount guId hostCount id index modTime path rawSize sizeOnDiskMB sourceCount sourceTypeCount splunk_server startEpoch state
5) startEpoch and endEpoch show the earliest and latest events contained in the bucket. The bucket's file system path is found in the field "path".
6) Delete the bucket that you need to. On Unix, run "rm -rf path".
As I said, you need to know what you are doing before deleting any bucket from the file system.
I hope these steps will help.
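As an added example (not part of this thread, and not Splunk's own tooling), the shell script below applies the bucket-by-bucket view from the answer above to the problem in the question: given a deletion window and bucket directories named db_<latest_epoch>_<earliest_epoch>_<id> (the warm/cold naming convention, rb_ for replicated copies), it reports which buckets can be left alone, which fall entirely inside the window and can be removed whole, and which only partially overlap and therefore need the exporttool split the question proposes. Assumptions: the epoch values for 2014/09/10 and 2014/09/21 in UTC, that the window is half-open [start, end), and that exporttool's -et/-lt are inclusive bounds written in the question's syntax; the printed exporttool/importtool lines are for review only and nothing is deleted or run.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies Splunk bucket directories
# against a deletion window and prints the split commands a partially
# overlapping bucket would need. Does not touch disk or run splunk.

# 2014/09/10 00:00:00 UTC and 2014/09/21 00:00:00 UTC: delete 9/10..9/20 inclusive.
DEL_START=1410307200
DEL_END=1411257600

# Print "<latest> <earliest>" parsed from a bucket directory name.
bucket_times() {
    name=$(basename "$1")
    # db_1412121599_1409529600_7 -> latest=1412121599 earliest=1409529600
    echo "$(echo "$name" | cut -d_ -f2) $(echo "$name" | cut -d_ -f3)"
}

# Echo one of: hot (leave alone), keep (no overlap), delete (entirely inside
# the window), split (partial overlap; needs exporttool).
classify_bucket() {
    case "$(basename "$1")" in
        db_*|rb_*) ;;
        *) echo hot; return 0 ;;   # hot_v1_N and anything else: not safe to touch
    esac
    set -- $(bucket_times "$1")
    lt=$1; et=$2
    if [ "$lt" -lt "$DEL_START" ] || [ "$et" -ge "$DEL_END" ]; then
        echo keep
    elif [ "$et" -ge "$DEL_START" ] && [ "$lt" -lt "$DEL_END" ]; then
        echo delete
    else
        echo split
    fi
}

# For a partially overlapping bucket, print the exporttool runs that save the
# events outside the window (the question's approach) and the import step.
# -et/-lt are treated as inclusive bounds here (assumption).
split_plan() {
    bucket=$1
    set -- $(bucket_times "$bucket")
    lt=$1; et=$2
    if [ "$et" -lt "$DEL_START" ]; then
        echo "splunk cmd exporttool $bucket before.csv -et $et -lt $((DEL_START - 1)) -csv"
    fi
    if [ "$lt" -ge "$DEL_END" ]; then
        echo "splunk cmd exporttool $bucket after.csv -et $DEL_END -lt $lt -csv"
    fi
    echo "# then remove $bucket and run 'splunk cmd importtool <new_bucket_dir> <csv>' for each CSV"
}

# Walk an index's db/ directory and print "<class> <bucket>" per bucket.
plan_index() {
    for b in "$1"/*; do
        [ -d "$b" ] || continue
        echo "$(classify_bucket "$b") $b"
    done
}
```

Run it with splunkd stopped, e.g. `plan_index /opt/splunk/var/lib/splunk/<index>/db` (path assumed), and only act on buckets reported as delete or split; a whole-month bucket like the one in the question comes back as split, and the two exporttool lines it prints are exactly the before/after exports the question sketches.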
Use the delete command if the bucket you want to delete has a period from 2014/09/01 to 2014/03/30 but you only want to delete events from 2014/09/10 to 2014/09/20.
The delete command can't delete the indexed data.
It's only hidden from the search results.
Thank you for your answer.
I'll give you a pretty rough-hewn example.
I have one bucket per month.
The bucket contains data from 2014/09/01 to 2014/09/30.
But I want to remove the data from 2014/09/10 to 2014/09/20.
If I only delete the bucket, data I don't want to delete is deleted too.
I want to keep the data from 2014/09/01 to 2014/09/09 and from 2014/09/21 to 2014/09/30.