How to remove data from a bucket for a specified period of time?

ts_splunk
Path Finder

I want to remove the data for a specified period of time from the bucket.
I could delete the data with the `| delete` search command, but I think that method only hides it from the search results; the data in the bucket is not deleted.

One of the ways I have thought of is the following method.

splunk cmd exporttool <warm_buckets> -et <buckets_earliest_time> -lt <specified_start_time> -csv
splunk cmd exporttool <warm_buckets> -et <specified_end_time>    -lt <buckets_latest_time> -csv

Example:
The bucket contains data from 2014/09/01 to 2014/09/30 and I want to remove the data from 2014/09/10 to 2014/09/20.

Execute the following commands.

splunk cmd exporttool <warm_buckets> ex_1.csv -et 2014/09/01(epochtime) -lt 2014/09/09(epochtime) -csv
splunk cmd exporttool <warm_buckets> ex_2.csv -et 2014/09/21(epochtime) -lt 2014/09/30(epochtime) -csv

Delete the bucket, then import these two CSV files.

Although I think this way completely removes only the data for that period,
isn't there a smarter way?

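The split described in the post, worked through as an added example (not code from the thread or from Splunk): given a warm bucket directory and the first and last day to drop, it derives the two keep windows as epoch seconds, refuses if the drop window is not fully inside that bucket, and prints the two exporttool commands for review instead of running anything. Assumptions: GNU date, an indexer running in UTC, the db_<latest>_<earliest>_<id> bucket naming, and exporttool taking -et/-lt as epoch seconds with -lt exclusive (verify on your version); the bucket path is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU date, UTC, and the
# db_<latest>_<earliest>_<id> warm bucket naming convention.
set -eu

# Midnight UTC of a yyyy/mm/dd date, as epoch seconds.
day_epoch() {
    date -u -d "$(printf '%s' "$1" | tr '/' '-') 00:00:00" +%s
}

# Print "earliest latest" parsed from a db_<latest>_<earliest>_<id> directory name.
bucket_range() {
    name=$(basename "$1")
    case "$name" in
        db_[0-9]*_[0-9]*_*) ;;
        *) echo "not a warm bucket directory: $name" >&2; return 1 ;;
    esac
    latest=${name#db_}; latest=${latest%%_*}
    earliest=${name#db_*_}; earliest=${earliest%%_*}
    echo "$earliest $latest"
}

# plan_split DIR DROP_FROM DROP_TO: keep [earliest, midnight of DROP_FROM)
# and [midnight after DROP_TO, latest]. Refuses when the drop window is not
# fully inside this bucket, because other buckets then hold part of it and
# deleting only this one would leave events behind (assumption: -lt exclusive).
plan_split() {
    dir=$1; from=$2; to=$3
    range=$(bucket_range "$dir") || return 1
    set -- $range
    earliest=$1; latest=$2
    cut1=$(day_epoch "$from")
    cut2=$(( $(day_epoch "$to") + 86400 ))
    if [ "$cut1" -lt "$earliest" ] || [ "$cut2" -gt "$latest" ]; then
        echo "drop window $from..$to is not fully inside $dir" >&2
        return 1
    fi
    # Review these, run them, confirm the CSVs, stop splunkd, only then remove the bucket.
    echo "splunk cmd exporttool $dir keep_1.csv -et $earliest -lt $cut1 -csv"
    echo "splunk cmd exporttool $dir keep_2.csv -et $cut2 -lt $latest -csv"
}

# Constructed sample: a September 2014 bucket, dropping 2014/09/10..2014/09/20.
plan_split /opt/splunk/var/lib/splunk/defaultdb/db/db_1412121599_1409529600_3 2014/09/10 2014/09/20
```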

lpolo
Motivator

You need to know what you are doing before deleting any bucket. If you proceed do it at your own risk.
The general steps are the following:

1) To be safe stop splunkd.
2) Select the splunk indexer and index you want to delete a bucket from.
3) From the selected indexer: a) Run the following splunk query with the period of time you may want to delete events from.

| dbinspect index=your_index_name

4) If you are running 6.x, the returned fields will be these:

bucketId    endEpoch    eventCount  guId    hostCount   id  index   modTime path    rawSize sizeOnDiskMB    sourceCount sourceTypeCount splunk_server   startEpoch  state

5) endEpoch and startEpoch show the earliest and latest events contained in the bucket. The bucket file system path is found in field "path".

6) Delete the bucket that you need to. For unix run " rm -rf path"

As I said, you need to know what you are doing before deleting any bucket from the file system.

I hope these steps will help.

lpolo
Motivator

Use the delete command if the bucket you want to delete covers the period from 2014/09/01 to 2014/03/30, but you only want to delete events from 2014/09/10 to 2014/09/20.


ts_splunk
Path Finder

The delete command can't delete the indexed data.
It's only hidden from the search results.


ts_splunk
Path Finder

Thank you for your answer.

I'll give you a pretty rough-hewn example.

I have one bucket per month.
It contains data from 2014/09/01 to 2014/09/30.

But I want to remove the data from 2014/09/10 to 2014/09/20.
If I only delete the bucket, data I don't want to delete is deleted too.
I want to keep the data from 2014/09/01 to 2014/09/09 and from 2014/09/21 to 2014/09/30.
