Hello,
I accidentally had a file indexed by placing it in a directory from which Splunk inputs in the logs. Is it possible to erase the newly indexed info because it messed up all my searches?
Can I delete some sort of file or something in order to erase recently indexed data?
Same goes for the information that was taken into the data model: what can I do to remove or undo what I added?
Thanks,
David
You can create a search that pulls the data you want to get rid of, and ONLY the data you want to get rid of, and then add delete to the end of the search. This will not actually remove the data from the index, i.e. make the index smaller, but it will make the data unsearchable.
I recommend reading this article first:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Delete
"Remove indexes and indexed data" speaks about it. It says:
-- To delete indexed data permanently from your disk, use the CLI clean command. This command completely deletes the data in one or all indexes, depending on whether you provide an argument.
Can you tell how to remove the data permanently, not just hide it by using the delete option?
Any response will be a great help. Thanks in advance :)
Cool 🙂 thank you.
And one more thing, does deleting also mask the data in a data model, or does this only work for indexes?
Use the check mark to accept the answer, and it will give you 10 more points I think.
Found it! Thanks a lot!
Wish I had points to award you 🙂
Delete is a special feature. Go to Manager > Access Controls > Users > your user > and give yourself "Can Delete" permission under Assign to Roles.
Cool, thank you. Now I just need to find out how to get the permission to do so, because I can't seem to use |delete even as admin.