Solved: Re: Removing a file from index

shantanuo · ‎11-01-2011

I have added a few files for testing. I will now like to remove these files from the index. I removed the file using "rm" command and it is still showing up in the search.

How do I permanently remove the indexes?

kristian_kolb · ‎11-02-2011

Also, as pointed out by MuS, the | delete does not actually remove anything from the index, and if you clean an index, you clean everything in it.

Therefore, when playing around with new sources/sourcetypes you should always use a test index, where you can test your line-breaking, transforms etc etc, without polluting the 'real' index.

When you're satisfied and everything works fine, you can the set up your real monitor stanzas and direct it to your main index.

hth,

Kristian

View solution in original post

kristian_kolb · ‎11-02-2011

Also, as pointed out by MuS, the | delete does not actually remove anything from the index, and if you clean an index, you clean everything in it.

Therefore, when playing around with new sources/sourcetypes you should always use a test index, where you can test your line-breaking, transforms etc etc, without polluting the 'real' index.

When you're satisfied and everything works fine, you can the set up your real monitor stanzas and direct it to your main index.

hth,

Kristian

MuS · ‎11-01-2011

Hi shantanuo

you cannot delete an indexed file like this from an index, you have to do a search for the

source='WhatEverNameYourFileHad' | delete

this way you are removing the source from future searches events or you do a clean on your index to delete indexed data.

please read the docs about this before you do this 😉

cheers

Removing a file from index

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!