I accidentally had a file indexed by placing it in a directory from which Splunk inputs in the logs. Is it possible to erase the newly indexed info because it messed up all my searches?
Can I delete some sort of file or something in order to erase recently indexed data?
Same goes for the information that was taken into the data model, what can I do to remove or undo what I added?
You can create a search that pulls the data you want to get rid of, and ONLY the data you want to get rid of, and then add delete to the end of the search. This will not actually remove the data from the index, i.e. make the index smaller, but it will make the data unsearchable.
I recommend reading this article first:
Cool, thank you. Now I just need to find out how to get the permission to do so, 'cause I can't seem to use |delete even as admin.
Delete is a special feature. Go to Manager > Access Controls > Users > your user > and give yourself "Can Delete" permission under Assign to Roles.
Cool 🙂 thank you.
And one more thing, does deleting also mask the data in a data model or does this only work for indexes?
Can you tell me how to remove the data permanently, not just hide it by using the delete option?
Any response will be a great help. Thanks in advance :)
speaks about it.
-- To delete indexed data permanently from your disk, use the CLI clean command. This command completely deletes the data in one or all indexes, depending on whether you provide an argument.