Is it possible to use "./splunk clean" and only remove the event data in a date range, or simply later than a particular date?
Unfortunately, "splunk clean" is unable to be that specific when it comes to deleting data from an index. It's all-or-nothing: the entire index has to be wiped, or none of it.
$SPLUNK_HOME/bin/splunk help clean

    The clean command deletes event data, global data, and user account data
    from your Splunk installation.

    Permanently remove event data from an index by typing, "./splunk clean
    eventdata". Set the index parameter to delete event data from a specific
    index. If you don't set an index, Splunk deletes all event data from all
    indexes.

    Remove global data (tags and source type aliases for events you indexed)
    from Splunk by typing, "./splunk clean globaldata".

    Remove user data (user accounts you've created) from Splunk by typing,
    "./splunk clean userdata".

    ** Caution: **
    Removing data is irreversible. Use caution when choosing what data to
    remove from your Splunk installation. If you want to get your data back,
    you must re-index the applicable data sources.

    ** Note: **
    Add the -f parameter to force clean to skip its confirmation prompts.

    Syntax:
        clean eventdata [-f] [-index <name>]
        clean [globaldata|userdata|all] [-f]

    Objects:
        eventdata     exported events indexed as raw log files
        globaldata    host tags, source type aliases
        userdata      user accounts
        all           everything on the server

    Required Parameters:
        eventdata     if no index specified, the default is to clean all
                      indexes

    Optional Parameters:
        eventdata     index    name of index whose eventdata should be cleaned
                      f        forces clean to skip its confirmation prompt
                               (Cleaning cannot be undone. Use carefully!)
        globaldata    f        forces clean to skip its confirmation prompt
                               (Cleaning cannot be undone. Use carefully!)
        userdata      f        forces clean to skip its confirmation prompt
                               (Cleaning cannot be undone. Use carefully!)
As jrodman mentions, using the "delete" search command (http://www.splunk.com/base/Documentation/latest/SearchReference/Delete) and/or bucket aging control in indexes.conf (see frozenTimePeriodInSecs in indexes.conf.spec: http://www.splunk.com/base/Documentation/latest/Admin/Indexesconf) might be a better solution to surgically hide or delete events based on their age.
Don't forget to delete the source file, too, so you don't end up with your license violated: after you clean up the index, Splunk considers it empty and starts reindexing the source again.
|delete
should work to hide the data. Bucket size controls and planning can get rid of data older than a given date offset... eventually.
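The two answers above both lean on bucket aging, and jrodman's "eventually" is the part worth seeing in numbers. The following is an added example, written for this page and not code from the thread or from Splunk: it models the retention rule from indexes.conf.spec (a bucket rolls to frozen only when its newest event is older than frozenTimePeriodInSecs, and frozen means deleted unless a coldToFrozenDir or coldToFrozenScript is set) against a handful of constructed bucket directory names in Splunk's documented db_<latest>_<earliest>_<id> layout. The bucket names, the fixed "now" and the 30-day period are all made up for the demonstration; the delete_search helper is only a convenience for building the time-scoped "| delete" search that the first answer points to.

```python
import re
from dataclasses import dataclass

# Splunk names a warm/cold bucket directory after the time span of the events
# in it:  db_<latest_epoch>_<earliest_epoch>_<localid>[_<guid>]  (rb_ for
# replicated copies). Hot buckets are hot_v1_<id> and carry no span in the name.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")


@dataclass(frozen=True)
class Bucket:
    name: str
    earliest: int  # epoch seconds of the oldest event in the bucket
    latest: int    # epoch seconds of the newest event in the bucket


def parse_bucket_name(name):
    """Parse a db_/rb_ bucket directory name; return None for hot or unknown names."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    return Bucket(name=name, latest=int(m.group(1)), earliest=int(m.group(2)))


def buckets_to_freeze(buckets, frozen_time_period_in_secs, now):
    """Buckets the indexer would roll to frozen at time `now`.

    The retention rule keys on the bucket's *newest* event: a bucket is frozen
    (deleted, unless coldToFrozenDir/coldToFrozenScript is set) only once every
    event in it is older than frozenTimePeriodInSecs.
    """
    return [b for b in buckets if now - b.latest > frozen_time_period_in_secs]


def retained_buckets_with_events_before(buckets, cutoff, frozen_time_period_in_secs, now):
    """Buckets that survive freezing at `now` yet still hold events older than `cutoff`.

    This is the gap between "delete everything before date X" and what
    frozenTimePeriodInSecs actually does: old events stay searchable for as long
    as a younger event shares their bucket.
    """
    frozen = {b.name for b in buckets_to_freeze(buckets, frozen_time_period_in_secs, now)}
    return [b for b in buckets if b.name not in frozen and b.earliest < cutoff]


def delete_search(index, earliest, latest):
    """Time-scoped `| delete` search: hides matching events from searches.

    It does not free disk, and it needs the can_delete role; run it first
    without `| delete` to review exactly what will be hidden.
    """
    return f"search index={index} earliest={earliest} latest={latest} | delete"


# Constructed sample data (not from a real indexer): 30-day retention, evaluated
# at a fixed "now" so the results are reproducible.
DAY = 86400
NOW = 1_700_000_000
FROZEN_PERIOD = 30 * DAY               # frozenTimePeriodInSecs = 2592000
CUTOFF = NOW - FROZEN_PERIOD           # "everything older than this should be gone"
SAMPLE_BUCKET_DIRS = [
    "db_1696000000_1695000000_1",                                        # all events > 30 days old
    "db_1698000000_1697000000_2",                                        # straddles the cutoff
    "db_1699500000_1699000000_3",                                        # entirely recent
    "db_1696500000_1695500000_5_7F3B2C10-1111-2222-3333-444455556666",   # clustered-style name
    "hot_v1_4",                                                          # hot bucket, no span in name
]
SAMPLE_BUCKETS = [b for b in map(parse_bucket_name, SAMPLE_BUCKET_DIRS) if b is not None]


if __name__ == "__main__":
    for b in buckets_to_freeze(SAMPLE_BUCKETS, FROZEN_PERIOD, NOW):
        print(f"frozen now:           {b.name}")
    for b in retained_buckets_with_events_before(SAMPLE_BUCKETS, CUTOFF, FROZEN_PERIOD, NOW):
        days = (NOW - b.latest) // DAY
        print(f"still holds old data: {b.name} (newest event only {days} days old)")
    print(delete_search("main", CUTOFF - 7 * DAY, CUTOFF))
```

Run as is, it reports the two buckets whose newest event is past 30 days as frozen, and flags the bucket that straddles the cutoff as still holding pre-cutoff events because its newest event is only 23 days old. That bucket is the "eventually": it will not freeze until its newest event ages out. If the old events must disappear from searches before then, the time-scoped "| delete" search is the tool, with the caveats noted in the helper; and if the whole index really has to go, remember that "splunk clean eventdata" is run with splunkd stopped, so neither approach works on a live index the way a date-ranged clean would.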