
Is there a way to clean event data from a specific date range?

Splunk Employee

Is it possible to use "./splunk clean" and only remove the event data in a date range, or simply later than a particular date?

1 Solution

Splunk Employee

Unfortunately, "splunk clean" is unable to be that specific when it comes to deleting data from an index. It's all-or-nothing: the entire index has to be wiped, or none of it.


$SPLUNK_HOME/bin/splunk help clean

The clean command deletes event data, global data, and user account data 
from your Splunk installation. 

Permanently remove event data from an index by typing, "./splunk clean 
eventdata". Set the index parameter to delete event data from a specific 
index. If you don't set an index, Splunk deletes all event data from all 
indexes.

Remove global data (tags and source type aliases for events you indexed) 
from Splunk by typing, "./splunk clean globaldata".

Remove user data (user accounts you've created) from Splunk by typing, 
"./splunk clean userdata".

** Caution: **
Removing data is irreversible. Use caution when choosing what data to 
remove from your Splunk installation. If you want to get your data back, 
you must re-index the applicable data sources.

** Note: **
Add the -f parameter to force clean to skip its confirmation prompts.


 Syntax: 

    clean  eventdata [-f] [-index <name>]

    clean [globaldata|userdata|all] [-f]

 Objects: 

      eventdata    exported events indexed as raw log files

      globaldata   host tags, source type aliases     

      userdata     user accounts

      all          everything on the server

 Required Parameters: 

     eventdata     if no index specified, the default is to clean all 
                   indexes            

 Optional Parameters:

     eventdata     index   name of index whose eventdata should be cleaned
                   f       forces clean to skip its confirmation prompt
                           (Cleaning cannot be undone. Use carefully!)

     globaldata    f       forces clean to skip its confirmation prompt
                           (Cleaning cannot be undone. Use carefully!)

     userdata      f       forces clean to skip its confirmation prompt
                           (Cleaning cannot be undone. Use carefully!)

As jrodman mentions, using the "delete" search command (http://www.splunk.com/base/Documentation/latest/SearchReference/Delete) and/or bucket aging control in indexes.conf (see frozenTimePeriodInSecs in indexes.conf.spec : http://www.splunk.com/base/Documentation/latest/Admin/Indexesconf) might be a better solution to surgically hide or delete events based on their age.


New Member

Don't forget to delete the source file, too, so you don't end up with your license violated after you clean the index up and then splunk considers it empty and starts reindexing the source again.


Splunk Employee

|delete should work to hide the data. Bucket size controls and planning can get rid of data older than a given date offset... eventually.
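The two alternatives the accepted answer and jrodman point to, as an added POSIX shell example that is not code from this thread or from Splunk's documentation: a time-bounded "| delete" search (previewed with a count first) and a generated indexes.conf stanza for frozenTimePeriodInSecs. It assumes SPLUNK_HOME and SPLUNK_AUTH (user:password) are set, that the searching user holds the can_delete capability, and the index name "web" and the dates are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Index name, dates, and the
# SPLUNK_HOME / SPLUNK_AUTH variables are assumptions for illustration.

# Build the SPL that selects events of one index in [earliest, latest).
# Timestamps use the %m/%d/%Y:%H:%M:%S form that earliest=/latest= accept.
build_range_spl() {
  index=$1; earliest=$2; latest=$3
  printf 'index=%s earliest="%s" latest="%s"' "$index" "$earliest" "$latest"
}

# Same search terminated with "| delete": matching events are marked
# unsearchable, but disk space is only reclaimed when their bucket freezes.
build_delete_spl() {
  printf '%s | delete' "$(build_range_spl "$1" "$2" "$3")"
}

# Preview how many events the range matches before hiding anything.
preview_count() {
  "$SPLUNK_HOME/bin/splunk" search \
    "$(build_range_spl "$1" "$2" "$3") | stats count" -auth "$SPLUNK_AUTH"
}

# Run the delete search itself (requires the can_delete capability).
run_delete() {
  "$SPLUNK_HOME/bin/splunk" search \
    "$(build_delete_spl "$1" "$2" "$3")" -auth "$SPLUNK_AUTH"
}

# indexes.conf stanza that freezes (deletes, unless coldToFrozenDir is set)
# a bucket once its NEWEST event is older than the given number of days.
# Freezing is per bucket: an old event sharing a bucket with newer data
# stays on disk until the whole bucket ages out.
frozen_stanza() {
  index=$1; days=$2
  secs=$((days * 86400))
  printf '[%s]\nfrozenTimePeriodInSecs = %s\n' "$index" "$secs"
}

# Demo of the generated strings only; preview_count/run_delete contact splunkd.
if [ "${1:-}" = "demo" ]; then
  build_delete_spl web 01/01/2012:00:00:00 02/01/2012:00:00:00; echo
  frozen_stanza web 90
fi
```

Run preview_count with the same arguments first and confirm the count is what you expect; run_delete hides events, it does not free space, so pair it with the stanza above if the goal is disk reclamation.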


How can I clear/delete a specific event log within SPLUNK so that it does not appear in a search?
