Re: How to remove data if I have already removed t...

Lindaiyu · ‎07-04-2016

Hello Splunkers,
I really need your help!
I have a large amount data within one index.
For remove the data, it should
1 Remove the data of this index with command

splunk clean eventdata -index xxx

2 Remove index

splunk remove -index xxx

However, I forgot the first step and do the second step directly.
Now when I run the first command, it show the message"index does not exist"
However, the data still in Splunk.
How could I remove the data after I have removed the index?

Could you please help me with that?
Thank you

Buscatrufas · ‎07-04-2016

You must clean index with the service stopped.

teunlaan · ‎07-04-2016

Did you remove de index from "indexes.conf" or deleted the directory on the server?

If you deleted it on the server, Your data is already gone

Lindaiyu · ‎07-04-2016

I remove with the CLI command "splunk remove index "

oficinasegurida · ‎07-04-2016

You'll find the index data in this location inside the folder where Splunk is installed:

/SplunkFolder/var/lib/splunk

Inside you'll find a folder for each index. Delete the one you want and you're done.

How to remove data if I have already removed the index?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?