Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Removing a file from index

shantanuo
Engager
‎11-01-2011 09:58 PM

I have added a few files for testing. I will now like to remove these files from the index. I removed the file using "rm" command and it is still showing up in the search.

How do I permanently remove the indexes?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎11-02-2011 01:35 AM

Also, as pointed out by MuS, the | delete does not actually remove anything from the index, and if you clean an index, you clean everything in it.

Therefore, when playing around with new sources/sourcetypes you should always use a test index, where you can test your line-breaking, transforms etc etc, without polluting the 'real' index.

When you're satisfied and everything works fine, you can the set up your real monitor stanzas and direct it to your main index.

hth,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎11-02-2011 01:35 AM

Also, as pointed out by MuS, the | delete does not actually remove anything from the index, and if you clean an index, you clean everything in it.

Therefore, when playing around with new sources/sourcetypes you should always use a test index, where you can test your line-breaking, transforms etc etc, without polluting the 'real' index.

When you're satisfied and everything works fine, you can the set up your real monitor stanzas and direct it to your main index.

hth,

Kristian

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-01-2011 11:38 PM

Hi shantanuo

you cannot delete an indexed file like this from an index, you have to do a search for the 

source='WhatEverNameYourFileHad' | delete

this way you are removing the source from future searches events or you do a clean on your index to delete indexed data.

please read the docs about this before you do this 😉

cheers

Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...