Getting Data In

How to remove recently indexed data

DavidHourani
Super Champion

Hello,

I accidentally had a file indexed by placing it in a directory from which Splunk inputs the logs. Is it possible to erase the newly indexed info, because it messed up all my searches?

Can I delete some sort of file or something in order to erase recently indexed data?

Same goes for the information that was taken into the data model: what can I do to remove or undo what I added?

Thanks,
David

0 Karma
1 Solution

lukejadamec
Super Champion

You can create a search that pulls the data you want to get rid of, and ONLY the data you want to get rid of, and then add delete to the end of the search. This will not actually remove the data from the index, i.e. make the index smaller, but it will make the data unsearchable.

I recommend reading this article first:

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Delete

ddrillic
Ultra Champion

Remove indexes and indexed data

speaks about it.

It says
-- To delete indexed data permanently from your disk, use the CLI clean command. This command completely deletes the data in one or all indexes, depending on whether you provide an argument.

0 Karma

sravankr96
Engager

Can you tell how to remove the data permanently, not just hide it by using the delete option?
Any response will be a great help. Thanks in advance :)

DavidHourani
Super Champion

Cool 🙂 thank you.
And one more thing, does deleting also mask the data in a data model or does this only work for indexes?

0 Karma

lukejadamec
Super Champion

Use the check mark to accept the answer, and it will give you 10 more points I think.

0 Karma

DavidHourani
Super Champion

Found it! Thanks a lot!

Wish I had points to award you 🙂

0 Karma

lukejadamec
Super Champion

Delete is a special feature. Go to Manager > Access Controls > Users > your user > and give yourself "Can Delete" permission under Assign to Roles.

0 Karma

DavidHourani
Super Champion

Cool, thank you. Now I just need to find out how to get the permission to do so, because I can't seem to use |delete even as admin.

0 Karma
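
The workflow from the replies above (scope the search to only the unwanted data, check what it matches, then append delete), as an added example that is not part of the original thread. The index name, source path and `SPLUNK_HOME` default are assumptions, and the account is assumed to hold the "Can Delete" permission.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: index name, source path and
# SPLUNK_HOME are placeholders; the account holds "Can Delete" (can_delete role).
SPLUNK="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"

# Base search pinned to one index and one source file. Empty values,
# wildcards and quotes are refused so the scope cannot widen by accident.
scoped_search() {
  [ -n "$1" ] && [ -n "$2" ] || { echo "index and source required" >&2; return 1; }
  case "$1$2" in
    *'*'*|*'"'*) echo "wildcards and quotes not allowed" >&2; return 1 ;;
  esac
  printf 'index=%s source="%s"' "$1" "$2"
}

# Step 1: preview exactly what the delete would mask.
preview_search() {
  base=$(scoped_search "$1" "$2") || return 1
  printf '%s | stats count by host, sourcetype' "$base"
}

# Step 2: the same base search with delete appended. Events become
# unsearchable; disk usage of the index does not shrink.
delete_search() {
  base=$(scoped_search "$1" "$2") || return 1
  printf '%s | delete' "$base"
}

# Usage: script --run <index> <source_path>
if [ "${1:-}" = "--run" ]; then
  preview=$(preview_search "$2" "$3") || exit 1
  remove=$(delete_search "$2" "$3") || exit 1
  "$SPLUNK" search "$preview" || exit 1
  printf 'Mask these events with "%s"? [y/N] ' "$remove"
  read -r answer
  [ "$answer" = "y" ] && "$SPLUNK" search "$remove"
fi
# Permanent removal is a separate operation: with splunkd stopped,
# "splunk clean eventdata -index <name>" wipes the whole index, not one file.
```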