I am looking to remove an index entirely. I ran the search "splunk remove index new_hires" where new_hires is the index name. This command did not remove the index. I have the ability to delete. Why didn't this command work? I am using splunk 6.3.3. I want to remove the entire index and all associated data. Thank you!
Hey @katzr, here's documentation to remove indexes and indexed data. http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/RemovedatafromSplunk#Remove_an_index_entir... It has that CLI command but has a step beforehand directing you make sure no inputs.conf are directing data to the index you plan to delete.
I just noticed that you "ran the search" to remove the index. This is actually a command you would need to run via the CLI. Are you the administrator of the Splunk instance? If this is a single server instance (meaning you downloaded from splunk.com and installed it), then you should be able to remove the index from the GUI. However, if it is a distributed environment (meaning a separate search head, and multiple indexers, then the index would need to be removed from each indexer, via command line, using the command you typed in the search bar it seems.
delete command deletes event data from subsequent searches. It does not remove it from disk.
To remove data permanently from an index, use the CLI
See Remove indexes and indexed data in the Managing Indexers and Clusters of Indexers manual.