Is there a way to clean event data from a specific date range?

piebob
Splunk Employee

Is it possible to use "./splunk clean" and only remove the event data in a date range, or simply later than a particular date?

1 Solution

hexx
Splunk Employee

Unfortunately, "splunk clean" is unable to be that specific when it comes to deleting data from an index. It's all-or-nothing: the entire index has to be wiped, or none of it.


$SPLUNK_HOME/bin/splunk help clean

The clean command deletes event data, global data, and user account data 
from your Splunk installation. 

Permanently remove event data from an index by typing, "./splunk clean 
eventdata". Set the index parameter to delete event data from a specific 
index. If you don't set an index, Splunk deletes all event data from all 
indexes.

Remove global data (tags and source type aliases for events you indexed) 
from Splunk by typing, "./splunk clean globaldata".

Remove user data (user accounts you've created) from Splunk by typing, 
"./splunk clean userdata".

** Caution: **
Removing data is irreversible. Use caution when choosing what data to 
remove from your Splunk installation. If you want to get your data back, 
you must re-index the applicable data sources.

** Note: **
Add the -f parameter to force clean to skip its confirmation prompts.


 Syntax: 

    clean  eventdata [-f] [-index <name>]

    clean [globaldata|userdata|all] [-f]

 Objects: 

      eventdata    exported events indexed as raw log files

      globaldata   host tags, source type aliases     

      userdata     user accounts

      all          everything on the server

 Required Parameters: 

     eventdata     if no index specified, the default is to clean all 
                   indexes            

 Optional Parameters:

     eventdata     index   name of index whose eventdata should be cleaned
                   f       forces clean to skip its confirmation prompt
                           (Cleaning cannot be undone. Use carefully!)

     globaldata    f       forces clean to skip its confirmation prompt
                           (Cleaning cannot be undone. Use carefully!)

     userdata      f       forces clean to skip its confirmation prompt
                           (Cleaning cannot be undone. Use carefully!)

As jrodman mentions, using the "delete" search command (http://www.splunk.com/base/Documentation/latest/SearchReference/Delete) and/or bucket aging control in indexes.conf (see frozenTimePeriodInSecs in indexes.conf.spec : http://www.splunk.com/base/Documentation/latest/Admin/Indexesconf) might be a better solution to surgically hide or delete events based on their age.
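
The bucket-aging route mentioned above works per bucket rather than per event, so a date cutoff is only approximate. As an added example (not code from the original post or from Splunk), this Python script computes the frozenTimePeriodInSecs for a cutoff date and reports which buckets would age out; it assumes the db_<newest>_<oldest>_<id> bucket directory naming, and the index name, bucket names and dates are constructed.

```python
import re
from datetime import datetime, timezone

# Assumption: warm/cold bucket directories are named
# db_<newest_epoch>_<oldest_epoch>_<id>; hot buckets (hot_v1_<id>) never freeze.
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_\d+")


def plan_aging(bucket_names, cutoff, now):
    """Return (frozenTimePeriodInSecs, {bucket: verdict}) for a cutoff date.

    A bucket is frozen only when its NEWEST event is older than the
    threshold, so the verdicts are:
      frozen    - every event predates the cutoff; the bucket ages out
      straddles - events on both sides; kept whole until its newest event ages
      kept      - every event is at or after the cutoff
      skipped   - not a warm/cold bucket name
    """
    frozen_secs = int((now - cutoff).total_seconds())
    if frozen_secs <= 0:
        raise ValueError("cutoff must be earlier than now")
    cutoff_ts = cutoff.timestamp()
    verdicts = {}
    for name in bucket_names:
        m = BUCKET_RE.match(name)
        if not m:
            verdicts[name] = "skipped"
            continue
        newest, oldest = int(m.group(1)), int(m.group(2))
        if newest < cutoff_ts:
            verdicts[name] = "frozen"
        elif oldest < cutoff_ts:
            verdicts[name] = "straddles"
        else:
            verdicts[name] = "kept"
    return frozen_secs, verdicts


# Constructed sample: bucket names and dates are illustrative only.
SAMPLE = ["db_1285000000_1284000000_12", "db_1286500000_1285500000_13",
          "db_1287000000_1286600000_14", "hot_v1_15"]

if __name__ == "__main__":
    cutoff = datetime(2010, 10, 1, tzinfo=timezone.utc)
    now = datetime(2010, 10, 15, tzinfo=timezone.utc)
    secs, verdicts = plan_aging(SAMPLE, cutoff, now)
    print("# hypothetical index name\n[my_index]")
    print(f"frozenTimePeriodInSecs = {secs}")
    for name, verdict in verdicts.items():
        print(f"{verdict:9} {name}")
```

Events in a "straddles" bucket stay in the index until the whole bucket ages out, which is the case where the "delete" search command is the finer tool.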


kotique
New Member

Don't forget to delete the source file, too, so you don't end up with your license violated after you clean the index up and then splunk considers it empty and starts reindexing the source again.

0 Karma

jrodman
Splunk Employee

|delete should work to hide the data. Bucket size controls and planning can get rid of data older than a given date offset... eventually.

doncrittendon
Engager

How can I clear/delete a specific event log within SPLUNK so that it does not appear in a search?

0 Karma