splunk clean command to do it.
To get help, run the splunk clean help command in the CLI.
Go to the splunk_home/bin directory and run:
./splunk clean eventdata -index=your_index on Linux
splunk clean eventdata -index=your_index on Windows.
Doesn't that delete all data in an index? I want to keep my data, just want to delete specific events.
Here is what I'm trying to do:
Piping a search to the delete operator marks all the events returned by that search so that later searches do not return them.
In previous versions, I had to make sure my user account had delete privileges. In the free version, there is no user control.
Here is what you want to know!
The delete operator can only be accessed by a user with the deletebykeyword capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.
So you have to create a user and grant him a delete capability. Use that user to delete your events, and let me know if you can still see your events after they have been deleted.
I am running the free version and do not have access to make any user changes.
Ha ok. The manual is clear:
Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported with Splunk Free.
As I said below, the delete operator can only be accessed by a user with the deletebykeyword capability. The admin role does not have this capability by default. With Splunk Free, there is only one role (admin), and it is not configurable.
Then maybe they should change their documentation to say: Users not allowed to delete using Splunk free.
I wonder if the free version simply ignores any local configuration of the admin role, or if it is possible to change the admin role via the configuration files anyway. It sounds like Splunk Free simply uses the rights used by the default admin role.
Can you try modifying the admin role using a local authorize.conf? See http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf
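As an added illustration of the test suggested above (not from any poster in this thread), this is the shape such a local override would take. It assumes the standard layout, where a stanza in $SPLUNK_HOME/etc/system/local/authorize.conf takes precedence over the same stanza in etc/system/default/authorize.conf; in authorize.conf the capability the docs call "deletebykeyword" is written delete_by_keyword.

```ini
# --- What ships in etc/system/default/authorize.conf (for reference) ---
# The dedicated can_delete role carries the delete capability and nothing else,
# which is the least-privilege route on a licensed install: log in as a user
# holding only this role when you intend to run "| delete".
[role_can_delete]
delete_by_keyword = enabled

# --- Local override under test: etc/system/local/authorize.conf ---
# Grants the same capability to the built-in admin role, which Splunk Free
# uses for its single, non-configurable account. Whether Splunk Free honours
# this stanza is exactly the open question in the thread. Restart splunkd and
# check "Settings > Access controls > Roles" (or run a search ending in
# "| delete") to see if the capability took effect.
[role_admin]
delete_by_keyword = enabled
```

Do not leave the admin override in place on a licensed instance; scope any search you pipe to delete as tightly as possible, since everything it returns becomes invisible to later searches.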