Solved: delete command timesout and is very slow

barne_dn · ‎10-15-2012

I have old sources that were indexed in splunk. I'm trying to delete them but the | delete command is very slow and it always times out. I've already deleted the actual files from the disk, but from my understanding I also need to run the | delete command to the remove the indexed data. Is there a way to find out why it's so slow? I've even tried to narrow it down to ranges within in a day by specifying a custom time, but even then it times out.

Not sure if I have too many events in my main index and that's why it's become so slow and unusable. My main index (which is the one we use) is a bit over 250GB and has over 3 billion events.

the_wolverine · ‎10-31-2012

Which version are you running? Sometime in version 3.x there was a bug which exhibited the same symptom that you report (slow to delete.)

One option is to run the same delete command from CLI:

./splunk search "your search terms startdaysago=2 enddaysago=1"

(verify by running search above first before running again with the added delete command)

./splunk search "your search terms | delete"

View solution in original post

the_wolverine · ‎10-31-2012

Which version are you running? Sometime in version 3.x there was a bug which exhibited the same symptom that you report (slow to delete.)

One option is to run the same delete command from CLI:

./splunk search "your search terms startdaysago=2 enddaysago=1"

(verify by running search above first before running again with the added delete command)

./splunk search "your search terms | delete"

delete command timesout and is very slow

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)