I put the universal forwarder on my computer to test splunk. Now that we have it up and running, I want to remove all data that came from my computer. Is there a way to remove data from splunk, based on host? I don't want to just hide the data by using "| delete" I want to completely remove the data.
You can completely remove the data by cleaning an index as you see in the link below. This is not something you can do by host however. The delete command will allow you to remove data by host and make in unaccessible from the UI. The indexed data still resides and takes up space on disk however until it is aged out.
You can completely remove the data by cleaning an index as you see in the link below. This is not something you can do by host however. The delete command will allow you to remove data by host and make in unaccessible from the UI. The indexed data still resides and takes up space on disk however until it is aged out.
Great. That is exactly what I needed to know. I went over two days in a row, and I was just cleaning up some stuff. I uninstalled the forwarder but just wanted to clean things up. Thank you for your help.
For the current day, data that you've already ingested, yes. But you do get the ability to go over your daily license limit. If it's splunk free you have 3 times in a 30 day period, if it's a purchased license you have 5 times in 30 days. Data stored does not matter against the license other than the fact that you'll need a little more disk space to hold onto it depending on how much data you are talking about.
Will this still affect the license?